Python SOC Threat Detection MITRE ATT&CK IOC Enrichment L2 Analyst

What It Does

This lab simulates the work of an L2 SOC analyst receiving escalated alerts from L1. It ingests synthetic telemetry across authentication, endpoint, web, firewall, and network sources, applies detection rules with grouping and thresholds, enriches source IPs and URLs against a local IOC database, and maps every detection to MITRE ATT&CK with tactic and technique context.

The output is a full Markdown triage report with alert severity, affected hosts, IOC matches, triage questions, escalation criteria, and recommended dispositions. This is the written handoff product an L2 analyst would produce before escalating to L3 or incident response.

Most beginner security projects stop at detection. This one goes further: it shows how an analyst investigates the alert, explains the evidence, and documents the reasoning behind each triage decision.


Detection Rules

HIGH  SOC-001  SSH Brute Force Followed by Successful Login
      Credential Access / T1110. Multiple failed SSH attempts from the same source, followed by a successful authentication.

CRIT  SOC-002  Suspicious PowerShell Download Cradle
      Execution / T1059.001. PowerShell invocation pattern consistent with downloading and executing a remote payload.

HIGH  SOC-003  Potential Web Shell Access
      Persistence / T1505.003. HTTP requests to paths consistent with web shell file names, with suspicious parameter patterns.

CRIT  SOC-004  Known Malicious IOC Communication
      Command and Control / T1071. Source or destination IP matches a known-bad entry in the local IOC database.

MED   SOC-005  Internal Port Scanning Behaviour
      Discovery / T1046. Internal host contacting a high number of unique destination ports, consistent with lateral movement reconnaissance.
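The grouping-and-threshold logic behind rules like SOC-001 and SOC-005, as an added example written for this page rather than the lab's own rules/detection_rules.json or triage code. It runs over constructed synthetic auth and network events embedded in the block; the event field names (ts, src_ip, dst_ip, dst_port, user, outcome), the thresholds (5 failures, 20 distinct ports) and the 10-minute window are assumptions.

```python
"""Rule evaluation with grouping and thresholds over constructed telemetry.

Added example, not the lab's detection code. Field names and thresholds are
assumptions chosen for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _auth(ts, src_ip, user, outcome):
    return {"ts": ts, "source": "auth", "src_ip": src_ip, "user": user, "outcome": outcome}


def _net(ts, src_ip, dst_ip, dst_port):
    return {"ts": ts, "source": "network", "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": dst_port}


# Constructed synthetic events (RFC 5737 / RFC 1918 addresses), not the lab's sample_logs.
AUTH_EVENTS = (
    # five failures then a success from one source: should fire SOC-001
    [_auth(f"2024-05-01T10:00:{s:02d}", "203.0.113.7", "root", "failure") for s in (0, 5, 10, 15, 20)]
    + [_auth("2024-05-01T10:00:40", "203.0.113.7", "root", "success")]
    # two failures then a success: below threshold, a mistyped password
    + [_auth(f"2024-05-01T10:05:{s:02d}", "198.51.100.9", "alice", "failure") for s in (0, 10)]
    + [_auth("2024-05-01T10:05:30", "198.51.100.9", "alice", "success")]
    # six failures and never a success: a brute force that did not land, not SOC-001
    + [_auth(f"2024-05-01T10:10:{s:02d}", "192.0.2.44", "admin", "failure") for s in range(0, 30, 5)]
)

NETWORK_EVENTS = (
    # one internal host touching 25 distinct ports on a peer: should fire SOC-005
    [_net(f"2024-05-01T11:00:{i:02d}", "10.0.0.5", "10.0.0.20", 20 + i) for i in range(25)]
    # a normal client hitting a handful of service ports, some repeated
    + [_net("2024-05-01T11:01:00", "10.0.0.8", "10.0.0.20", p) for p in (443, 443, 80, 22)]
)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def rule_ssh_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """SOC-001 style: group auth events by source IP, walk each source in time
    order, and fire when a success is preceded by at least `threshold` failures
    inside `window`. Grouping makes the sequence visible; the threshold keeps a
    single fat-fingered password quiet."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)

    alerts = []
    for src_ip, evs in by_src.items():
        recent_failures = []
        for e in sorted(evs, key=_ts):
            now = _ts(e)
            # slide the window: forget failures older than `window`
            recent_failures = [t for t in recent_failures if now - t <= window]
            if e["outcome"] == "failure":
                recent_failures.append(now)
            elif e["outcome"] == "success":
                if len(recent_failures) >= threshold:
                    alerts.append({
                        "rule_id": "SOC-001", "severity": "HIGH", "src_ip": src_ip,
                        "user": e["user"], "failed_attempts": len(recent_failures),
                        "first_failure": recent_failures[0].isoformat(), "success_at": e["ts"],
                    })
                recent_failures = []  # a success closes the burst either way
    return alerts


def rule_internal_port_scan(events, threshold=20):
    """SOC-005 style: group network events by (src, dst) and count distinct
    destination ports. Counting distinct ports rather than raw connections is
    what separates a scan from a busy client."""
    ports = defaultdict(set)
    for e in events:
        ports[(e["src_ip"], e["dst_ip"])].add(e["dst_port"])
    return [
        {"rule_id": "SOC-005", "severity": "MED", "src_ip": src, "dst_ip": dst,
         "unique_ports": len(p), "ports_sample": sorted(p)[:5]}
        for (src, dst), p in ports.items() if len(p) >= threshold
    ]


def evaluate_rules(auth_events, network_events):
    """Run each rule over the telemetry it applies to and return the alert list."""
    return rule_ssh_bruteforce_then_success(auth_events) + rule_internal_port_scan(network_events)


if __name__ == "__main__":
    for alert in evaluate_rules(AUTH_EVENTS, NETWORK_EVENTS):
        print(alert)
```

Two details matter in practice: the window is applied while walking the events, so a slow brute force spread over hours stays below threshold unless the window is widened, and a success always clears the failure list so one burst produces one alert rather than one per later login.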

Analyst Workflow
1. Load telemetry: auth, endpoint, web, firewall and network sources
2. Evaluate rules: grouping and threshold logic across all events
3. Enrich IOCs: check IPs and URLs against the local IOC database
4. Map ATT&CK: add technique, tactic and data source context
5. Generate report: Markdown triage report plus JSON alert output
6. Apply playbooks: monitor / tune / contain / escalate decision
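Steps 3 to 5 of the workflow (IOC enrichment, ATT&CK mapping, report assembly) as an added example; this is not the project's enrichment.py, attack.py or cli.py. The IOC CSV columns, the alert fields, the rule-to-technique table with its triage questions, and the rule that raises any alert with an IOC hit to CRIT (chosen to match SOC-004's severity) are all assumptions made for the demonstration.

```python
"""IOC enrichment, ATT&CK mapping and report assembly over constructed alerts.

Added example, not the lab's own modules. IOC columns, alert fields, the
ATT&CK table and the severity-bump rule are assumptions.
"""
import csv
import io
import json
from pathlib import Path

# Constructed IOC store in the spirit of data/iocs.csv (columns assumed).
IOC_CSV = """indicator,type,threat,confidence
203.0.113.7,ip,ssh-bruteforce-scanner,high
198.51.100.23,ip,cobalt-strike-c2,high
http://evil.example/stage.ps1,url,powershell-cradle,medium
"""

# Assumed rule-to-technique table; the lab keeps its own in rules/detection_rules.json.
ATTACK_MAP = {
    "SOC-001": {"tactic": "Credential Access", "technique": "T1110", "data_sources": ["authentication logs"],
                "triage_questions": ["Is the source IP known to the organisation?",
                                     "What did the successful session do after login?"]},
    "SOC-004": {"tactic": "Command and Control", "technique": "T1071", "data_sources": ["firewall logs", "network flow"],
                "triage_questions": ["Which process on the host opened the connection?"]},
    "SOC-005": {"tactic": "Discovery", "technique": "T1046", "data_sources": ["network flow"],
                "triage_questions": ["Is the source host an authorised scanner?"]},
}

# Constructed alerts, shaped as a rule engine would hand them over.
ALERTS = [
    {"rule_id": "SOC-001", "severity": "HIGH", "host": "bastion-01", "src_ip": "203.0.113.7"},
    {"rule_id": "SOC-005", "severity": "MED", "host": "ws-042", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20"},
]


def load_iocs(csv_text):
    """Index the IOC store by indicator so each field lookup is a dict hit."""
    return {row["indicator"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def enrich(alert, iocs):
    """Check every IP/URL field on the alert against the store. A hit on
    known-bad infrastructure raises severity to CRIT (assumed rule)."""
    matches = [dict(field=f, **iocs[alert[f]]) for f in ("src_ip", "dst_ip", "url") if alert.get(f) in iocs]
    out = dict(alert, ioc_matches=matches)
    if matches:
        out["severity"] = "CRIT"
    return out


def map_attack(alert):
    """Attach tactic, technique, data sources and analyst questions by rule id."""
    ctx = ATTACK_MAP.get(alert["rule_id"],
                         {"tactic": "Unmapped", "technique": None, "data_sources": [], "triage_questions": []})
    return dict(alert, **ctx)


def attack_coverage(alerts):
    """tactic -> technique -> sorted rule ids that fired (mitre-coverage.json shape)."""
    cov = {}
    for a in alerts:
        cov.setdefault(a["tactic"], {}).setdefault(a["technique"], set()).add(a["rule_id"])
    return {t: {tech: sorted(r) for tech, r in techs.items()} for t, techs in cov.items()}


def render_triage_md(alerts):
    """Markdown handoff note: one section per alert, most severe first."""
    order = {"CRIT": 0, "HIGH": 1, "MED": 2, "LOW": 3}
    lines = ["# Triage Report", ""]
    for a in sorted(alerts, key=lambda a: order.get(a["severity"], 9)):
        lines += [f"## [{a['severity']}] {a['rule_id']} on {a['host']}",
                  f"- ATT&CK: {a['tactic']} / {a['technique']}",
                  f"- Data sources: {', '.join(a['data_sources'])}"]
        for m in a["ioc_matches"]:
            lines.append(f"- IOC match: {m['field']}={m['indicator']} ({m['threat']}, {m['confidence']} confidence)")
        lines += [f"- Triage question: {q}" for q in a["triage_questions"]]
        lines.append("")
    return "\n".join(lines)


def triage(alerts, csv_text=IOC_CSV):
    """Steps 3 and 4: enrich, then map, every alert."""
    iocs = load_iocs(csv_text)
    return [map_attack(enrich(a, iocs)) for a in alerts]


def write_reports(alerts, out_dir="reports"):
    """Step 5: the three output files the lab describes."""
    out = Path(out_dir)
    out.mkdir(exist_ok=True)
    (out / "triage-report.md").write_text(render_triage_md(alerts))
    (out / "alerts.json").write_text(json.dumps(alerts, indent=2))
    (out / "mitre-coverage.json").write_text(json.dumps(attack_coverage(alerts), indent=2))


if __name__ == "__main__":
    enriched = triage(ALERTS)
    write_reports(enriched)
    print(render_triage_md(enriched))
```

The ordering in the rendered report is deliberate: the IOC hit promotes the SSH alert to CRIT, so it lands above the port scan and an L3 reader sees the known-bad source first. The coverage map is keyed by tactic then technique so that gaps (tactics with no firing rule) are visible by their absence.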

Report Output

Running the lab produces three files under reports/. The Markdown triage report is the main deliverable, structured the same way a real SOC analyst would write a case handoff note.

Loaded 22 events
Evaluated 5 rules
Generated 6 alerts
Wrote reports/triage-report.md
Wrote reports/alerts.json
Wrote reports/mitre-coverage.json
triage-report.md: Full analyst case notes. Severity, timestamps, affected hosts, IOC matches, triage questions, escalation criteria, evidence excerpts.
alerts.json: Structured alert data for programmatic consumption or integration with other tooling.
mitre-coverage.json: ATT&CK technique coverage map showing which tactics and techniques were triggered.

Project Structure
soc-alert-triage-lab/
├── data/
│   ├── iocs.csv                 # local IOC threat intel store
│   └── sample_logs/
├── playbooks/                   # triage decision playbooks
├── reports/                     # generated output files
├── rules/
│   └── detection_rules.json     # all detection logic
└── src/soc_triage_lab/
    ├── attack.py                # MITRE ATT&CK mapper
    ├── enrichment.py            # IOC lookup logic
    ├── triage.py                # alert scoring and disposition
    └── cli.py                   # entry point

Why I Built It

There is a gap between knowing how to write detection rules and knowing how to investigate an alert. This project closes that gap. Building it required thinking through what an L2 analyst actually does: how they validate whether an escalated alert is real, what evidence they need before recommending containment, and how they document findings clearly enough for L3 or incident response to act on without having to re-investigate from scratch.

The MITRE ATT&CK integration is not decorative. Every rule maps to a specific technique with tactic context and data source notes, which is exactly how detection engineering works in production environments. Knowing T1059.001 is a PowerShell execution technique is less useful than knowing what data sources you need to detect it and what analyst questions to ask when it fires.

This project sits on top of everything else in the portfolio. The IOC database feeds the enrichment step. The detection patterns build on what I learned writing the SIEM. The triage methodology reflects what actually matters when working an incident under time pressure.