Event Log Cleared Alert on Legit PowerShell Binary — False Positive Triage | LetsDefend Alert Triage
Day 64 of Becoming a SOC Analyst — SOC130 Event Log Cleared (False Positive)
Exchange Server at 172.16.20.3 triggered a high-concern alert when powershell.exe (hash 7353f60b1739074eb17c5f4dddefe239) was detected — a hash that maps directly to a legitimate Microsoft PowerShell binary. No wevtutil.exe, no Clear-EventLog commands, no suspicious scripts, no malicious child processes — nothing to actually support the event log clearing hypothesis. The detection rule fired on PowerShell presence alone without any corroborating evidence of log tampering. Good example of why hash verification and command-line analysis matter before escalating — the alert name was alarming, the evidence wasn't. Walked through the full triage: hash verification, process activity review, log clearing command hunting, and classifying as false positive.
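As an added example, not part of the video or LetsDefend's material, here is the corroboration logic the paragraph says the detection rule lacked, written as a small Python triage helper: it checks the binary hash against an allow-list, hunts the process and child command lines for actual log-clearing commands (wevtutil cl/clear-log, Clear-EventLog, Remove-EventLog, Limit-EventLog), and looks for the event IDs Windows writes when a log really is cleared (1102 for the Security log, 104 for others). The sample events, image paths and command lines are constructed; the hard-coded allow-list holding the scenario's hash is an assumption standing in for a real reputation or golden-image lookup.

```python
"""Corroboration checks for an 'Event Log Cleared' alert that fired on
powershell.exe alone (SOC130-style triage, added example)."""
import re
from dataclasses import dataclass, field

# The scenario states this MD5 maps to the legitimate Microsoft PowerShell
# binary. A hard-coded allow-list is an assumption standing in for a real
# reputation lookup (golden-image inventory, vendor catalog, VirusTotal).
KNOWN_GOOD_MD5 = {"7353f60b1739074eb17c5f4dddefe239"}

# Command-line patterns that actually clear or remove Windows event logs.
LOG_CLEAR_PATTERNS = [
    re.compile(r"\bwevtutil(?:\.exe)?\b.*?\b(?:cl|clear-log)\b", re.I),
    re.compile(r"\bClear-EventLog\b", re.I),
    re.compile(r"\bRemove-EventLog\b", re.I),
    re.compile(r"\bLimit-EventLog\b", re.I),
]

# Event IDs Windows writes when a log is cleared: 1102 (Security log cleared,
# logged to the Security log) and 104 (other logs cleared, logged to System).
LOG_CLEARED_EVENT_IDS = {1102, 104}


@dataclass
class ProcessEvent:
    image: str
    md5: str
    command_line: str
    parent_image: str
    child_command_lines: list = field(default_factory=list)


@dataclass
class TriageResult:
    hash_known_good: bool
    clearing_commands: list    # matched log-clearing command text, if any
    log_cleared_event_ids: list
    verdict: str               # false_positive | needs_analysis | true_positive


def find_log_clearing_commands(command_line):
    """Return the text of every log-clearing command found in a command line."""
    hits = []
    for pattern in LOG_CLEAR_PATTERNS:
        m = pattern.search(command_line)
        if m:
            hits.append(m.group(0))
    return hits


def triage_event_log_cleared(proc, observed_event_ids):
    """Classify the alert from what the evidence supports, not from the rule name.

    True positive only when something corroborates log tampering: a clearing
    command in the process or its children, or a 1102/104 event. A known-good
    hash with no such evidence is a false positive; an unknown hash with no
    evidence still needs analyst attention.
    """
    clearing = find_log_clearing_commands(proc.command_line)
    for child in proc.child_command_lines:
        clearing += find_log_clearing_commands(child)
    cleared_ids = sorted(set(observed_event_ids) & LOG_CLEARED_EVENT_IDS)
    known_good = proc.md5.lower() in KNOWN_GOOD_MD5

    if clearing or cleared_ids:
        verdict = "true_positive"
    elif not known_good:
        verdict = "needs_analysis"
    else:
        verdict = "false_positive"
    return TriageResult(known_good, clearing, cleared_ids, verdict)


# Constructed sample events (not from the LetsDefend alert); image paths and
# command lines are illustrative.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLES = {
    # What the SOC130 alert looked like: legit hash, ordinary command line.
    "legit_powershell": (
        ProcessEvent(PS_IMAGE, "7353f60b1739074eb17c5f4dddefe239",
                     r"powershell.exe -NoProfile -File C:\Scripts\MailboxReport.ps1",
                     r"C:\Windows\System32\svchost.exe"),
        [4688, 4624],
    ),
    # Same binary, but the command line and a 1102 event corroborate tampering.
    "clear_eventlog": (
        ProcessEvent(PS_IMAGE, "7353f60b1739074eb17c5f4dddefe239",
                     'powershell.exe -nop -w hidden -c "Clear-EventLog -LogName Security,System"',
                     r"C:\Windows\System32\cmd.exe"),
        [4688, 1102],
    ),
    # Benign-looking parent, but a child process runs wevtutil to clear a log.
    "wevtutil_child": (
        ProcessEvent(PS_IMAGE, "7353f60b1739074eb17c5f4dddefe239",
                     "powershell.exe -NoProfile -Command Start-Process",
                     r"C:\Windows\System32\cmd.exe",
                     child_command_lines=["wevtutil.exe cl Security"]),
        [4688, 104],
    ),
}


def run_samples():
    """Triage every sample and return {name: verdict}."""
    return {name: triage_event_log_cleared(proc, ids).verdict
            for name, (proc, ids) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (proc, ids) in SAMPLES.items():
        r = triage_event_log_cleared(proc, ids)
        print(f"{name:16} {r.verdict:15} known_good={r.hash_known_good} "
              f"clearing={r.clearing_commands} cleared_ids={r.log_cleared_event_ids}")
```

The point of the three-way verdict is that "legit binary" alone is not what closes the alert: the absence of clearing commands and of 1102/104 events is what makes it a false positive, while an unknown hash with the same clean evidence still goes to an analyst rather than being auto-closed.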
SOC130 - Event Log Cleared
Scenario sourced from LetsDefend.io — one of the best hands-on SOC analyst training platforms out there.
Highly recommend if you're on the same path. I'm documenting every day of my journey to landing a Level 1 SOC Analyst role — the wins, the grinds, and everything in between.
00:00 Day 64 intro
00:19 Alert Details
00:58 Investigation
03:19 Playbook Answers
04:48 5w Log
08:14 Result
🔵 What I Cover
Threat Detection · Alert Triage · SIEM Analysis · Log Analysis · Incident Response · Blue Team Tools
🚨 Open to Work — Seeking a Level 1 SOC Analyst role in Melbourne or Remote (AU)
📂 Portfolio → inksec.io
💼 LinkedIn → linkedin.com/in/tate-pannam-8b64b23a3
If you chose the red pill... 0x74617465.sh
#SOCAnalyst #BlueTeam #Cybersecurity #EventLogCleared #PowerShell #FalsePositive #AlertTriage #IncidentResponse #SIEM #Day64 #CyberSecurityJourney #Melbourne #LetsDefend #LetsDefendSOC #ThreatHunting #InfoSec #BlueTeamSecurity
Video "Event Log Cleared Alert on Legit PowerShell Binary — False Positive Triage | LetsDefend Alert Triage" from the InkSec channel
Video information
14 March 2026, 2:45:00
00:09:36