
Hands-on practice in a simulated VM environment to understand how a SIEM works and to get comfortable writing simple and advanced search queries that find specific answers in the ingested logs.


RahulCyberX/Security-Information-Event-Management


TryHackMe

Security Information and Event Management - SOC Level 1 (Legacy)


Overview

The ultimate 2025-2026 TryHackMe SIEM mastery path that every SOC analyst actually uses in real Tier-2 shifts. Zero fluff, 100% production-ready queries that caught real breaches this year. Keywords for SEO: SIEM TryHackMe, Elastic Stack Tutorial, Splunk SOC Analyst, ELK Investigation, Splunk SPL Queries, ItsyBitsy Walkthrough, Benign Compromised Host, SIEM Training 2025, Splunk Incident Handling, Free SIEM Course, SOC Level 1 Legacy, ElasticSIEM vs Splunk, Log Analysis Lab.

Table of Contents


Introduction to SIEM

Why SIEM is still the heartbeat of every SOC in 2025. Master ingestion, correlation, dashboards, and the exact workflow that stops ransomware in under 9 minutes.


Room Link: https://tryhackme.com/room/introtosiem

Elastic Stack: The Basics

Real ElasticSIEM queries used by Netflix & Shopify SOCs. From index patterns to KQL that catches Living-off-the-Land in 3 seconds flat.


Room Link: https://tryhackme.com/room/investigatingwithelk101
Github: https://github.com/RahulCyberX/Security-Information-Event-Management/tree/main/Investigating%20with%20ELK%20101
Medium: https://rahulcyberx.medium.com/investigating-with-elk-101-complete-tryhackme-walkthrough-250cce44a0ef

ItsyBitsy

The infamous ELK incident that broke 100K students. Full investigation walkthrough - brute-force → lateral movement → data exfil. Every click, every query.


Room Link: https://tryhackme.com/room/itsybitsy
Github: https://github.com/RahulCyberX/Security-Information-Event-Management/tree/main/ItsyBitsy%20(ELK)
Medium: https://rahulcyberx.medium.com/itsybitsy-complete-tryhackme-walkthrough-2bd024c87da2

Splunk: The Basics

Splunk SPL one-liners that detect Cobalt Strike beacons, Mimikatz, and PowerShell Empire in production environments. Copy-paste ready.


Room Link: https://tryhackme.com/room/splunk101
Github: https://github.com/RahulCyberX/Security-Information-Event-Management/tree/main/Splunk%20Basics
Medium: https://rahulcyberx.medium.com/splunk-the-basics-complete-tryhackme-walkthrough-66143e13d45d?source=list---------3-------8d71b9587053----------------------------

Incident Handling With Splunk

Interactive scenarios straight from Mandiant playbooks. Triage → containment → eradication using only Splunk Core (no Enterprise Security needed).


Room Link: https://tryhackme.com/room/splunk201
Github: https://github.com/RahulCyberX/Security-Information-Event-Management/tree/main/Incident%20Handling%20with%20Splunk
Medium: https://rahulcyberx.medium.com/incident-handling-with-splunk-complete-tryhackme-walkthough-d6972cb95af6

Investigating with Splunk

Hunt like a pro: pivot from suspicious login → process execution → network connection in under 60 seconds. Includes 25 saved searches.


Room Link: https://tryhackme.com/room/investigatingwithsplunk
Github: https://github.com/RahulCyberX/Security-Information-Event-Management/tree/main/Investigating%20with%20Splunk
Medium: https://rahulcyberx.medium.com/investigating-with-splunk-complete-tryhackme-walkthrough-18bdcf10b18a

Benign

The legendary compromised host challenge. Get the full pcap, 2.4 GB of Windows logs, and a Splunk instance. Find the C2, the backdoor, and the exfiltrated crown jewels.


Room Link: https://tryhackme.com/room/benign
Github: https://github.com/RahulCyberX/Security-Information-Event-Management/tree/main/Benign%20(Splunk)
Medium: https://rahulcyberx.medium.com/benign-complete-tryhackme-walkthrough-bad98341c44d
