Cybersecurity-Portfolio

SOC Fundamentals - Port Scanning Detection Lab

Objective

This project focused on investigating a high-severity port scanning alert using SIEM analysis. The goal was to analyze network logs, identify attack patterns, and classify the incident as either a true positive or false positive, demonstrating practical SOC analyst skills.

Skills Learned

Tools Used

Steps

Step 1: Initial Alert Detection

Screenshot 1

Ref 1: SIEM Alerts Dashboard - Alert #167 Port Scanning Activity from IP 10.0.0.8

Identified high-severity alert indicating port scanning from internal IP 10.0.0.8. Clicked ACKNOWLEDGE to take ownership of the investigation.


Step 2: Alert Acknowledgment

Screenshot 2

Ref 2: Alert status changed to “Investigate in SIEM”

Alert acknowledged and transitioned to investigation phase for detailed SIEM analysis.


Step 3: SIEM Investigation

Screenshot 3

Ref 3: SIEM showing 4,300 events from IP 10.0.0.8 to 10.0.0.3

Analysis revealed:

Multiple peaks indicated automated scanning behavior.


Step 4: Traffic Pattern Analysis

Screenshot 4

Ref 4: Traffic pattern analysis confirming automated scanning

All 4,300 connections originated from a single source (10.0.0.8) and targeted multiple ports on one host. The source hostname “NESSUS” identified it as a legitimate vulnerability scanner.


Step 5: Incident Classification Decision

Screenshot 5

Ref 5: Classification decision point

Determined classification:

Decision: False Positive - authorized internal vulnerability assessment by security team using Nessus scanner.
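The reasoning in Steps 3 to 5 (count events per source/destination pair, flag a pair that touches many distinct ports, then check whether the source is a known scanner) can be expressed as a small triage routine. This is an added example, not code from the lab or from TryHackMe; the log format, the port threshold and the scanner allowlist are assumptions, and the sample events are constructed.

```python
# Added example (not part of the original lab): port-scan detection plus
# authorized-scanner triage, mirroring the analysis in Steps 3 to 5.
from collections import defaultdict

# Constructed sample events: "timestamp src dst dport"
SAMPLE_LOG = """\
2024-06-01T10:00:00 10.0.0.8 10.0.0.3 22
2024-06-01T10:00:00 10.0.0.8 10.0.0.3 80
2024-06-01T10:00:01 10.0.0.8 10.0.0.3 443
2024-06-01T10:00:01 10.0.0.8 10.0.0.3 445
2024-06-01T10:00:02 10.0.0.8 10.0.0.3 3389
2024-06-01T10:00:02 10.0.0.8 10.0.0.3 8080
2024-06-01T10:03:00 10.0.0.42 10.0.0.3 21
2024-06-01T10:03:00 10.0.0.42 10.0.0.3 22
2024-06-01T10:03:01 10.0.0.42 10.0.0.3 23
2024-06-01T10:03:01 10.0.0.42 10.0.0.3 25
2024-06-01T10:03:02 10.0.0.42 10.0.0.3 110
2024-06-01T10:05:00 10.0.0.15 10.0.0.3 443
2024-06-01T10:05:01 10.0.0.15 10.0.0.3 443
"""

# Assumed allowlist: hosts the security team scans from (10.0.0.8 is "NESSUS" in the lab)
AUTHORIZED_SCANNERS = {"10.0.0.8": "NESSUS"}
PORT_THRESHOLD = 5  # distinct destination ports per (src, dst) pair before calling it a scan

def parse_events(text):
    """Parse the constructed log format into (ts, src, dst, dport) tuples."""
    return [(ts, src, dst, int(dport))
            for ts, src, dst, dport in (l.split() for l in text.splitlines() if l.strip())]

def detect_scans(events, threshold=PORT_THRESHOLD):
    """Return {(src, dst): {'events': n, 'ports': m}} for pairs at or above the threshold."""
    counts, ports = defaultdict(int), defaultdict(set)
    for _, src, dst, dport in events:
        counts[(src, dst)] += 1
        ports[(src, dst)].add(dport)
    return {pair: {"events": counts[pair], "ports": len(ports[pair])}
            for pair in ports if len(ports[pair]) >= threshold}

def triage(scans, authorized=AUTHORIZED_SCANNERS):
    """Authorized scanner source -> false positive; unknown source -> escalate."""
    return {pair: (f"false_positive: authorized scanner {authorized[pair[0]]}"
                   if pair[0] in authorized else "true_positive: escalate unknown scanner")
            for pair in scans}

if __name__ == "__main__":
    scans = detect_scans(parse_events(SAMPLE_LOG))
    for pair, verdict in triage(scans).items():
        print(pair, scans[pair], verdict)
```

The allowlist only narrows the verdict; as in Step 6, closing the alert still depends on confirming with the security team that the scan was actually scheduled.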


Step 6: Investigation Resolution

Screenshot 6

Ref 6: Investigation resolution confirmation

Confirmed authorized Nessus scan from 10.0.0.8 to JOE PC by internal security team.

Flag Captured: THM{000_INTRO_TO_SOC}


Step 7: Alert Closure

Screenshot 7

Ref 7: Alert closed with RESOLVED status

Alert #167 closed and marked as RESOLVED - authorized activity documented.


Step 8: Challenge Completion

Screenshot 8

Ref 8: TryHackMe completion

Completed with 128 points, 7/7 tasks, Easy difficulty.


Key Takeaways

Lessons Learned

  1. Context is critical - recognizing legitimate security tools prevents false escalations
  2. Internal IP scanning requires different analysis than external threats
  3. Coordination with security teams reduces alert fatigue
  4. Proper documentation is essential for SOC operations

Project Information

Platform: TryHackMe - SOC Fundamentals Room
Completion Date: June 2024
Course: ITECH1502 Cybersecurity Fundamentals
Institution: Federation University Australia
Flag Achieved: THM{000_INTRO_TO_SOC}


Tools & Technologies

Tool              Purpose
TryHackMe         Hands-on cybersecurity training platform
SIEM System       Security event log aggregation and analysis
Network Analysis  Traffic pattern examination and investigation
Alert Management  Incident tracking and response workflow

Repository Structure

soc-fundamentals-investigation/
│
├── README.md                          # Project documentation
├── screenshots/                       # Investigation screenshots
│   ├── 01-alert-dashboard.png
│   ├── 02-alert-acknowledged.png
│   ├── 03-siem-analysis.png
│   ├── 04-traffic-patterns.png
│   ├── 05-decision-point.png
│   ├── 06-investigation-result.png
│   ├── 07-alert-closed.png
│   └── 08-challenge-complete.png
│
└── documentation/
    └── project-report.pdf             # Full project report (5 pages)

How to Use This Repository

This repository documents practical SOC operations and incident response skills:


Additional Projects

For more cybersecurity projects and demonstrations, please visit my complete portfolio:


Acknowledgments


License

This project is part of academic coursework for ITECH1502 Cybersecurity Fundamentals at Federation University Australia.


Last Updated: October 2025