#soc-sim-help
Before asking here, please check out our Reddit thread :)
I was doing the SOC Simulator scenario Initial Drift. While I was able to determine that a fake driver was downloaded and installed, which created SharpUp.exe for privilege escalation, I couldn't establish how the attacker created the network share \ITServe\Installers\CapItAll-Sales-Installer.exe.
Additionally, I couldn't figure out how the attacker placed installUpdates.ps1 in the Documents folder of another user's device, or how they got the users to run the script. There were no emails luring the users to execute it, making it unlikely that they would run it on their own.
I understand that once the script is executed, it pulls down an installer from a network share.
However, after the process started with capitall-sales-installer.exe, there were no further logs indicating any other activity on the device, except for a connection to 178.92.220.140. There was no additional context provided.
I might have missed something, the lab might have bugged out and didn't pull all the logs, or this could be a poorly designed lab that expects us to use our "imagination."
Is there any guide or report I can refer to for completing this lab? I'm left unsure of what went wrong.
hi, I'm part of a team that participates in the SOC sim competition, is it expected that we all have our individual SOC dashboard?
and if we don't collaborate on a single dashboard, how are the points calculated proportionally to the number of members in a team? Also, is the leaderboard with all the teams displayed somewhere?
Hey,
You will need to:
- Create a Team Dashboard using a paid domain
- Others with same domain can join your team Dashboard
- Individually, complete SOC Sim scenarios to get points
- You need to complete the scenario for points to save, find all True Positive alerts to complete the scenario.
- You're scored on your best attempt (in terms of points) per scenario
- On the Team Dashboard, there is a card that shows the total points for your team, and your current rank amongst all other Teams on THM
To create the workspace, you can learn more from here:
https://help.tryhackme.com/en/articles/6495976-integrating-collaboration-and-competition-in-the-workspaces
thanks
is the soc simulator only for business plans? why?
Premium subs get access to two scenarios but B2B get all the scenarios
Yes dear friend, but my wish is that it will eventually open up for us regular people who come to study in order to get a job in the field. Imagine what you can do for the competitors if you start eating their cake. I mean, THM is almost perfect. Sincerely, love THM.
I understand, but some of it will be closed off for B2B due to certain reasons, but I'm sure more scenarios will come out soon for some free/premium users
Thank you, and I wish you to double or even triple your market share, THM deserves it. All the best.
Any answer to my question?
I think it's an intentional exclusion, but there are some indicators as to how it most likely got there
Is the team thinking about adding an EDR simulator to the SOC platform, too?
can you show me the hints you are referring to
I'm not fully sure they are hints either, it's just a lot of guesswork and some previous experience
Hi there, I wanted to try out the SOC Simulator but I'm receiving an error when trying to launch Upload and Conquer, it just says "not allowed to run the selected scenario"
If you're not on B2B, or if you're on B2B but your company doesn't have SOC SIM enabled, you won't be able to access it
What is B2B?
Business-to-Business. 🙂
AH ok. I'm not sure. I have a company paying for premium but unsure if the SOC simulator is included in that.
The SOC sim, especially Initial Drift, is by far the worst one I have ever seen, it's just guesswork, barely any logs to correlate the behavior we are seeing. It's poor.
@lost lily
+1
+1
Sysinternals: in this, when I run \live.sysinternals.com\tools\procmon.exe it's not running, my WebClient service is running
but it's not connecting the Y: drive
Live in the scenario right now, can't access the VM to see attachments
Hi guys, I would like you to guide me regarding the SOC Simulator please. It mentions that it lasts two hours; that is, do I have to be online for two hours solving tickets to get a rating? I've seen a lot of tickets come up, I've been there for less than two hours and all my progress has been lost
Oh and one more thing, will it be free forever or just in January? 😅 👉🏻👈🏻
P.S.: I'm not part of a team, I just want to do the challenge
Hi, we are part of a team that competes in soc-sim, would any other team want to share their score? (if it is not against the rules, of course)
Hello :)
do I have to be online for two hours solving tickets to get a rating? I've seen a lot of tickets come up, I've been there for less than two hours and all my progress has been lost
As far as I understand, you only complete the scenario when you triage all of the true/false positives, so if you quit halfway it won't count. However, we're adding "checkpoints" to alleviate this, hopefully in the near future, but I can't give an exact promise as to when
Oh and one more thing, will it be free forever or just in January?
As far as I understand, we will keep one/two scenarios free but the rest will be kept for B2B for the most part
Can this be streamed?
Jayy asked in another channel
🫡
streamed?
Hi, I have a question regarding the SOC Simulator Contest end date and time. The rules page clearly states that "you will have until 23:59 (UTC) on January 31, 2025 to complete both scenarios", but the contest itself ended, judging by the timer on the workspace page, at 4:00AM on February 1. Which is correct? Will submissions be accepted after 23:59 (UTC) on January 31, 2025?
Hello, I am working on the SOC simulation lab Phishing Unfolding, and when I try to access the analyst VM they ask me to type a username and password. Does anyone know the creds?
Hi, I would like to ask about the SOC simulator. I understand that it operates similarly to their competitor from LetsDefend. Unfortunately I don't get my gradings; am I doing anything wrong after closing the report as True Positive? And there are no attachments for me to investigate from the email as well?
I don't get this either. How am I supposed to write the report when I can't inspect the mail, open the link in it, etc.?
Hello, can I get help with the SOC simulation
this is what I'm realizing
this one's the first one in the queue???
when are new soc simulators coming?
I mean. they were only just released, so..
A new one just dropped yesterday 👀
I just tried out the SOC Simulator, upon receiving a phishing alert from an email, are we supposed to analyze the whole alert via Splunk using the event ID data?
This is a bit disturbing when you cannot visually see what the email looks like, plus no access to headers and a lot more different information. I thought the VM attached to the simulator would automatically download the email file on the VM the moment I assign the case to myself, but there was none.
Despite Splunk giving some information which can be checked online and on VirusTotal for any IoCs, and not finding any, I still have my doubts without being able to fully analyze the headers of the emails, and while my gut tells me it's a phishing email, I have no power to check it and have to rely entirely on Splunk, pretty disturbing.
^^ @frozen kelp
Hello
Which scenario was this for?
Is this for Phishing Unfolding?
As per the documentation, the analyst VM has the attachment from the email for analysis.
There is also the TryDetectThis tool
Oftentimes in a SOC, you won't always be given everything that you need. That's where the challenge comes in: using your skills to analyze what is malicious and what isn't
If not mistaken, I believe it was Introduction to Phishing, though the very first alert we receive in the simulator says something along the lines of "Free Hat" or something, which IMO is too good to be true, but since I could not check the email headers (it also wasn't in the VM since there was no attachment?), I wrote as my conclusion that it's phishing, while the results came up as a non-phishing email, which disturbed me a bit.
Ah okay that’s very helpful
Thank you, I will look into this
So I just checked, the attachment for the malicious email is there.
A couple of things to consider as per the documentation and alerts.
- The alerts and Splunk instance both mention that the contents of the email are not shown as per the company policy. Therefore the email wouldn't be provided. In a real-world setting, you won't always get what you need, whether it's emails, logs, etc.
- The documentation does mention that the attachment for any malicious email is on the VM, which it is, just confirmed it. The attachment comes from the true positive email, which we have to find.
- Some emails may be spam, and spam is bad, but a spam email does not make it a true positive.
Hmm, I don't think we're referring to the same thing.
In the attachment you'll see which "email" I'm referring to which doesn't come with an attachment:
- The subject of the email, "You've Won a Free Trip to Hat Wonderland - Click Here to Claim", is already suspicious enough to claim it as a phishing one.
- It's not an internal email, which is why I thought it's a phishing one indeed.
- The domain from the sender is also not whitelisted/mentioned in the Documentation.
Basically I'm using common sense. You know those emails that say "You have won free BTC" or "You have won a free trip"; those are always either scam or phishing. The confusion comes from the domain not being listed in the documentation and not enough information to conclude that it's a legit email. Not having access to headers is the reason why I said it's a bit confusing; I was wondering whether it's a legit one or not, but at the end the title seemed suspicious, which is why I flagged it as a phishing one.
Okay I see the confusion,
We are looking into implementing a feature where you can identify a domain as malicious or not on the analyst VM
But you are right in fact that this can be considered a phishing email. I did notice that what is a true positive is not clearly defined which can cause confusion, so I have reported this.
Thank you.
Hey, it is asking me for a username and password for the VM, what would that be?
If that happens
Just restart the scenario
Something that happens when the VM fails to connect
It happens randomly but we are working on a fix
Yeah, done, that worked, thanks
Any easy filter to find the type of CMS in the logs on Splunk(SOC Level 1)?
In the SOC Simulator phishing scenario I do not get how they are all False Positives, with all the emails having subjects of win, click etc.
One is a true positive. A hint for you is looking at the alert(s), that contain an attachment
I am not referring to the attachment email; my point is regarding all the rest which are false positives, including one regarding a process. In them you can write anything in the report and the answer will be correct, with no feedback; only for the true positive one (attachment email) do you get feedback
You can reach out to support on the email below 🙂
Hello, is anyone available to DM? I had done the SAL1 cert today and an hour into the first SOC room the screen went white and reset all of my progress leaving me no time to make up for it.
Try to reach out to support on the email above
Seems many users have problem with SAL1. For me I cannot click the "Start section" to proceed with Section 1 of the certification 🫤
Was this with check in?
Yes.
To be more specific, I successfully checked in once then stuck on the start section.
But I gave it a try later and now I'm stuck at the check-in as you said.
Yeah, the domain used by the check in service was expired, it's recently been fixed, however this may take a few days, it's out of THM's control.
Acknowledged. Thanks for the info. But I guess I have used up my voucher, no?
I don't think so, and if this is the case, I'm sure THM will help you.
Yeah I submitted a ticket and am waiting for the response from support.
Does it matter if I enroll in the SAL1 cert or have a premium sub in terms of soc sim access? TIA
Kinda piggybacking off of Lampinio's question. Do you get full access to the scenarios in the SOC Simulator when you purchase a SAL1 voucher?
Does anyone know what tools are available in the SAL1 exam environment?
Try a free scenario and see what is there. There are differences, but the tools I think are the same.
Interesting idea, but the SAL1 doesn't give you access to any more SOC Sim scenario.
Thanks for the answer! Fingers crossed that can change in the future!
I really do not get this: "Some emails may be spam, and spam is bad, but a spam email does not make it a true positive." The SOC simulation marks all emails as false positive; does this mean just let phishing emails with dangerous links keep coming?
what's the reason behind escalation? meaning when should you escalate an alert and when you should not?
Generally, true positives are malicious activity; escalation is when remediation is required. False positives are suspected malicious activity that was found not to be malicious; these are often candidates to improve the detection rule. We have some feedback about these scenarios and we will be going back to tune the alerts and clarify the documentation; some alerts are found to be sitting in the grey zone and we'll be looking to remove or adjust those.
To be honest, both phishing scenarios need to be redone, they just confuse anyone, "suspicious top domain message" etc. Basically these 2 TryHackMe scenarios are just saying trust phishing and scam emails and click all links when you get an email with a prize you won. And the tool on phishing scenario 2 that is supposed to tell you if a URL is trusted, you can type anything, the answer is always trusted, clean
Support has been dead silent for the past few days. No update, no response... 🤣
Support has a lot of e-mails to handle; there is usually a 3-4 day wait, although this could be delayed further. If 1% of the website were to e-mail with concerns, that would be a lot of e-mails.
They will have a fair chunk of e-mails to go through regarding
• Sal1 Promotion
• Hackfinity CTF
• General THM support
Yeah I figure. Was just expecting some form of communication like "you will get a response within 5 business days" or something like that so I know how long I have to wait.
IMO, regarding SAL1, they should have a dedicated support team just for the exam. I believe a lot of people plan to take their exam on weekends -- and that means if there is a problem, there will be absolutely no support from THM.
Regarding SAL1, can you please use the bot, and select SAL1.
This will get a faster response from Support.
Yes I used that to create a ticket on Saturday 😆
Yeah. they won't work weekends. 😄
Nice, thanks
Hi, is SOC sim not available for premium users?
i got the two phishing scenarios only
I think that one scenario is available for premium users
so only business got the whole thing?
Yeah , I think so
Is it enough for the SAL1 exam? I completed the SOC1 and got CySA+
For a cert. advice I would recommend you to ask guys in #cyber-and-careers channel , they can give you some great advice 🙂
alright, thx
I don't quite understand how I should decide to write "case reports". For example, I have 10 redundant alerts regarding exfiltration. They are all practically the same, so I group them and write a case report for all 10. However, as I look at the results, some have the AI giving it 25/75 points and others 50/75 points. Should I just do them each individually?
Hi, I was doing the SOC Simulator and I encountered a problem with the Analyst VM - instead of the Windows desktop as before, there was only a white screen and a "TryHackMe Remote" login window. I tried the standard passwords and nothing worked. Only restarting the simulation helped, which meant starting the scenario from the beginning... What should I do in this situation? I want to take the SAL1 exam soon and I wouldn't want to fail because of this.
That was my question as well, I can't find any examples for a true positive, have I missed it in the course content somewhere?
TryHackMe, you failed with your fucking shit exam. That's the worst I have ever seen in my life. No SOC, except a SOC which has no idea what they are doing, is working like this. I canceled my subscription and hopefully many others will do this.
Your AI sucks fully.
Remove this exam, sit down and create a better one which is competitive
Has anyone tried SOC sim Phishing Unfolding? I have tried it, and can classify an alert TP/FP (10 points) and also some of the escalation criteria (10 points), but in the analysis section mostly I got 0 points or a small number of points out of 75/45/25 with a red information: Incorrect classification. The feedback from the AI is too general, for example: You've done a commendable job in detailing the progress and elements of this incident. Your report includes a thorough 5Ws analysis covering the Who, What, When, Where, and Why of the incident comprehensively. From identifying the domain used in the phishing attempt to detailing the attack vector and the technical breakdown of the incident, your analysis was clear and informative. However, I noticed that your report does not mention related activity or alerts on host systems like win-3450, which would provide additional context on the scope of the issue. Furthermore, consideration of domain characteristics, such as potential misspellings or the use of non-standard domain extensions, can be important. Including such observations would enhance your overall threat assessment and provide deeper insights into the possible intent behind the attack. Keeping an eye on these details can significantly boost your investigative findings.
Does anyone have the same experience? Can you share how to improve the points?
Also regarding the escalation criteria, I am still confused whether the alert should be escalated or not. For example, some alerts are the continuation of the threat actor's activity. Maybe there are 5 alerts or more that relate to each other with different severity (let's say from low to high severity). Which alert should be classified as needing escalation or not? From the very beginning of the alerts (e.g. download malicious executable) or a later alert?
Hello I was in the SOC simulator and got stuck once I assigned the ticket to myself and moved to the tools. I used information from the ticket to search. Now what? Is there a room I can learn the process?
Are there step by step instructions or a YouTube video?
Hello?👋
Hey @limber compass, the ticket is an alert, a suspected malicious activity. The job of a SOC analyst is to investigate. So look at the SIEM/Splunk and try and investigate what has happened from the logs that are available. Then close your alert with a report write-up of your findings.
False positive - not malicious
True Positive- malicious activity
Escalate - when remediation or additional investigation is required by a higher tier in the soc.
Yes, I understand all of that. I copy and paste a part of the ticket in the search bar of Splunk to find the entry that corresponds to the ticket. The ticket is considered a low threat but it appears to be a phishing email. So what do I do with it? Do I just acknowledge that it's phishing and make a write-up? The other tool is Wireshark to analyze network packets. Will that tool be used for different tickets?
Using splunk and then knowing the next step is where I am stuck.
What tool is available in the simulator that will allow me to check the domain of the phishing email?
Is Anyrun available in the tool box? The way I can deem the phishing emails false positives is if the sender's domain is whitelisted
I used Virus Total
How do I view the attachment in Splunk?
Hey @limber compass
- The ticket you describe is an alert that triggered. In a SOC the alert comes from detection rules that are built, and it's up to the SOC team, starting with L1 usually, to triage this alert. Depending on SOC setups, sometimes there isn't access to the endpoint or other tools or artifacts, especially for an L1. The main data is whatever logs are in the SIEM. In the case of a suspected phishing email: was it phishing, spam or just an email, did the user click on the link, was there any execution, sensitive information disclosures?
- I think you're looking at the free Phishing Unfolding scenario; this was a very early scenario, and we have changed a lot in how we build scenarios since then. In this scenario there isn't a tool to check a domain for maliciousness; in later scenarios we built a TryDetectThis app for this purpose. However, just because a domain comes up as not known to be malicious does not mean it's not malicious.
- Anyrun or a simulator is not in this simulation; it wouldn't be typical for a SOC L1 role. We are building onto this simulator, however, and a lot more is to come for other roles in a SOC.
- For attachments, I don't think it's in Splunk, but I think in this scenario the attachments were saved on the Analyst VM. A bit unusual for a real SOC, but it was part of how we built this early scenario.
We will be going back and updating this early scenario with improvements.
I completed it and won the challenge
Well done @limber compass 👏
🦾 🦾
Hi, I'd like to reply to your fourth point on this.
The attachments are, yes, saved on the Analyst VM. However, those same attachments seem to also be saved across all the SOC Analyst VM instances I've seen so far.
Ah, noted, thanks. 🙏
@lost lily
Done!
Did I just overlook something or in the Intro to Phishing SOC Simulation Scenario do you not get any host information? In the Soc SIM overview it showed host info in the splunk data, but I did not see any host info related to any of the alerts that fired. Kind of difficult for me to pivot onto things if I can't target a host to investigate.
To clarify, the only host info I found was the actual splunk host that was ingesting the logs.
hostnames are apparently in company information...
Not sure if this is the right place to put it, but I made a PDF to help me with the SOC sims and thought I'd share it. Any improvements? https://pdflink.to/7ad42fd8/
Hello all - hope you're well. Just a few questions if you don't mind please:
A) is the assumption when writing reports that the alert information is not also available to the recipient of the report? I suppose the analysts job is to take the details and make it more 'human-readable' anyway?
B) Is there an expectation to bundle similar alerts together or not? The reason I ask this is that I put 10 alerts into one report on 'Phishing unfolding' and gave the same report for all since they're connected, and yet the marks I received for each report seemed to vary despite the content being the same? Some got 0, some got 15 and some got 45, which is a little strange, but I could be missing something obvious!
Sorry, I should have scrolled up, seems that the variance in marks awarded on alert is something others have mentioned!
am I the only one having trouble getting the soc sim started?
tried on firefox + chromium on two different machines
seems to be fixed right now!
Hey, sorry about that. Platform had a blip, upgrades in progress.
Just gave Phishing unfolded another go. For the part where there's a number of alerts together to achieve a certain thing... I used the analysis from last time and my range went from 0-45 to 25-65 so tweaking the report will improve it generally but there's still variance even though the similar tickets were grouped and the same report given for all.
I guess that's just the nature of the AI insights interpreting the report?
Equally if this is not the right avenue to ask such questions then my apologies
Has there been any mention of the newly upgraded "Introduction to Phishing" scenario Analyst VM bug / error?
I posted in the #1333993673381253162 section in this discord.
Thanks. Ack. Checking it out.
Hey, there. Thanks for reporting! We've worked on a fix and @polar tangle just recently released it.
The scoring AI basically just determines if specific criteria/facts we define when the scenario is created are in the report; that is the scoring aspect, and the scoring criteria are per alert. There is then a second tutor AI that attempts to give constructive feedback on how to improve. The scoring is quite good and consistent (you seem to have a wider range than I've noticed), but the Phishing Unfolding scenario was our first scenario and we are planning to go back and update it with all the best practices we have learnt since.
Thanks - I think in the conversational nature of LLMs they kinda have it in-built to vary answers a bit to aid in comprehension so I guess there's a bit of that at play. Didn't want to be too specific as to not spoil the scenario for anyone 🙂
Same for me? Any solutions you got?
Can you explain what the issue is? I am not sure I understand. Don’t think any of the sysinternals tools are needed for SocSim. All investigations are in the siem.
Done!
Done!
I don't know if this is exactly support or if it's just how the soc sim is, but is there a reason as to why the TryDetectMe app on the soc sim was sorta useless
Or was it intentionally made like that so you trust your instincts over the app for the malicious domain?
Just wanted to thank everyone on answering questions etc love this room because of everyone helping out and helping each other!
I'm in Friday Overtime room, task 1, last question What is the SHA1 hash of the spyagent family spyware hosted on the same IP targeting Android devices in Jun 2025? I'm entering the SHA1 1c1fe906e822012f6235fcc53f601d006d15d7be but I'm getting an error. Could someone help me? Please!
Seems like there is an error in the question, submit the MD5
That's not the SHA I have as an answer 🤔
I guess they change over time?
Seems like you had to submit the MD5 value
tell me what's up?
what is the bug
check dm
I hope issue is solved?
you can reply to me by replying to the message
thanks
very helpful
ouuuuu
hhhh
Hello guys
hello welcome here
you mean attackbox right?
copy, on the attackbox on the left most side there is an arrow, click it
the third option is of clipboard, paste your content there
then you can paste that content which is in the clipboard on the VM
On SOC sim the VM doesn't have those options and it doesn't even allow me to detach the VM
It is a sim that allows u to go through scenarios for blueteam
Its unfortunate they're locked behind an additional paywall
someone can @ me if y'all know the answer
Yes, the scenarios require a business account
Thx do you know if it'll prevent people from getting their certificate?
@errant ether ^^^
Use Google Chrome and allow browser clipboard permission access when you are prompted to do so , you'll be able to use classic Ctrl+C and Ctrl+V afterwards
Done!
Can I get some guidance on how to investigate in SOC sim?
No emails for me to investigate?
Use SIEM solution
hey
I'm at the Careers in Cyber room ("Learn about the different careers in cyber security.") and on the introduction page there's a question that has no answer. Can someone help? Here's the question ----------------------> Answer the questions below
Let's start exploring the different roles in cyber security!
It doesn't need an answer , just click on the check answer box 🙂
thx 👍
Is there anything wrong with the website? Every time I click on the alert queue the webpage just cannot be loaded.
How is the SOC tier 1 analyst?
Wdym ?
yo
I’m trying to do my first ever SOC simulation the first phishing one to be exact. I found a true positive and I’m trying to see if the user clicked the link or not and if I need to escalate but when I click SIEM and it loads up Splunk this is all I see. There’s NOTHING. I’ve even closed and reopened the simulation but I seriously can’t get logs to show up in here… is there another way to view logs or fix this issue?
I didn’t see any mention of this on the pinned Reddit so posting here to see if anyone knows.
I have this same problem right now... I'm doing this sim for the first time and I don't know what to do... I tried to import some datasets but we shouldn't do it... I can't go forward... :/
What I have noticed in splunk messages was this:
Yeah, I just had to suck it up and take the barely passing score
I wasn't super bothered bc the other SOC sims are blocked behind a paywall anyways
So just do what you can and groove along bro
It's working now, I have checked!! So let's smash it!! I also emailed THM support and they have been made aware of this bug!
Huge! Thanks dude.
No probs, good luck !
Has anyone had trouble getting the SOC simulator to load? I can't; I am just stuck on the main loading page, and when I try to get it to load by changing the URL it just doesn't load any alerts. I have been sitting here for what is basically an hour at this point. Does this have anything to do with the VM loading poorly on the modules?
Apologies for this, we are having some issues with the SOCSIM at the moment. 😬
It should be back now. A bit of a complex one, but it's back stable. Apologies for the problems 🙏
👍
Hello! It doesn't work for me either. I've tried the keyboard shortcuts (also ctrl+insert/shift+insert), the copy-paste option done with a mouse has the same result. Just cannot copy-paste in/out the Analyst VM. I've tested it in Mozilla, Google Chrome (browser clipboard permissions allowed), but no success... 😕
SIEM, Dashboard and Alert Queue are okay, but the Analyst VM seems to be isolated even for this purpose.
It makes the TryDetectThis tool etc. inconvenient - or rather more difficult to use - as I have to type everything by hand 🙂
Done - ctrl+shift+alt works. Sorry for the spam 🙂
Everything good now 🙂 ?
Yep, with the clipboard provided by the mentioned combination it works well 🙂
Hey anyone that could Help me Here ?
Hello anyone ON its important
Anyone ON that could Help me
What's the issue ?
For folks trying to copy/paste into the Analyst VM -- use [Ctrl + Shift + Option] for Macs and select the Text input radio button. The setting isn't sticky, so you have to enable it each time you start a simulation
Hello
The VM on Phishing SOC Sim is not working
Always going black
On any of the free soc rooms sim the VM is not working
The Analyst VM? Just tested it now and I don't see any issue. What do you see, just going black? Did it ever work for you?
Yes, it did work yesterday. Today it is really buggy. It tries to load but starts refreshing and going black
Hmm, let me check more. Is it just socsim or do you see the same with any VM inside rooms etc?
Just for SOCSIM
On the two free labs
Hey guys
I am new to SOC Simulator and currently doing SOC L1 Path in the SIEM module the last section deals with Introduction to Phishing via SOC Simulator
How can I access TryDetectThis
TryDetectThis is a web application you can access from the "Analyst VM" inside most SOC Simulator scenarios. There is a shortcut on the desktop to start it.
Thanks
I keep having issues with the machines and Echo. When I try to type, I get a ding sound and no text appears. Also, the same thing happens when I try to get help from Echo. I honestly have spent more time getting help with things than actually working the course. Maybe this is the nature of the course? Thanks everyone. So I was able to get a response from customer service regarding this issue. Here is what they recommend:
"1. Clear Cache and Cookies:
- Open your browser settings.
- Locate the option to clear browsing data.
- Select "Cached images and files" and "Cookies and other site data."
- Click on "Clear data" or equivalent.
2. Disable Browser Extensions:
- Open your browser's extension or add-ons menu.
- Disable all extensions.
- Restart your browser.
3. Try Incognito/Private Mode:
- Open a new incognito/private window.
- Check if the issue persists. This step helps identify if extensions are causing the problem.
4. Update Your Browser:
- Ensure your browser is up to date with the latest version.
- Check for updates in your browser settings.
5. Switch to Another Browser:
- If possible, try accessing the website using a different browser."
Disable browser extensions / ad-blockers if you're using some.
I did this. I’m not sure if it worked or not because it disabled my Wi-Fi network adapter.
Still not resolved 🙂
Do you have browser extensions / ad-blockers? Which browser are you using?
Brave
but I tried it with GChrome with no extension and still the same result
When I submit the 4th case it goes to a white screen of death.
Avoid using Brave, it tends to block some of the required scripts.
The same issue persists in Chrome and Firefox.
Same problem with any SOC sim, GChrome, no adblock.
Did you have issues with the Unfolding Phishing sim?
While resolving alerts - no issues, only the VM did not start. After resolving high alerts, “.../soc-sim/summary/...” tried to load, but I only got a white screen.
Unfortunately, I don't know if I solved this simulator correctly, but I hope I did.
is sim siem?
Check if you got the completion in the SOC Sim tab.
I did that, thank you, but I would like to see more detailed results and analyze my mistakes
Gave +1 Rep to @outer valley (current: #2090 - 2)
I'm unable to answer task 3 (search engines) and task 5 (vulnerabilities and exploits) in the search skills section. It's telling me "Uh-oh! The answer you provided may not be in English. Please review it and try again." when clearly my answer is correct.
Can you send a screenshot, bro?
It won't allow me to paste anything.
Verify yourself first.
Hi people, I need help with Microsoft Sentinel.
I need to export workbooks to my local machine.
You need to verify first, follow the instructions from the link below.
Can you provide a room link please?
Phishing Email Analysis playbook doesn't have a working Step 5
For Phishing Unfolding
Hi folks, trying to use Sentinel as SIEM tool in SOC sim, but I am having trouble. I need to register a new MFA for every room, and there does not seem to be any alerts. Is the Sentinel option working ATM?
Hey, MFA was a recent Microsoft requirement and we don't yet have a way around it for our simulators unfortunately. Alerts are still shown in the SocSim interface, as they are when using other SIEMs.
Hi there. What error is appearing for you?
Thank you for reporting, this is now fixed!
Gave +1 Rep to @sturdy fulcrum (current: #152 - 62)
Hey there. Regarding the logs (The one that you refer to as "same entries as the one in Splunk"), they can be found under Microsoft Sentinel > General > Logs as seen in the screenshot below.
The table that contains the logs for this scenario is "tbl101388091_CL".
As for the alerts, these are only shown in the SOC Sim Dashboard.
And yes, to confirm, MFA is now mandatory since October 1st, 2025. https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication?tabs=dotnet
In an actual SOC, you'll be dealing with MFA a lot, so in a way, think of it as training for it. 🤣
Hi i need to talk to support
Is there anyone here in support of tryhackme?
Technical support
support@tryhackme.com
Already sent my concern.
Awesome, gotta wait for an answer now.
Hi guys, please, I'm new and I need help with finding the rooms. In order for me to start the second module of the course, I need to join a room despite clicking the "Join a room" instruction. I'll appreciate it if someone helps me navigate it.
Hey, welcome. If you're looking for an order to complete paths, modules, rooms then you can look at the roadmap we have on the platform. https://tryhackme.com/hacktivities?tab=roadmap
I have used Google and firefox. I keep having this issue, please help. I am able to type until I get to the password. Thanks
Gave +1 Rep to @errant ether (current: #1 - 5990)
Password is supposed to stay invisible while you type. This is normal behavior.
Hi
I'm having these errors on Splunk; I'm doing the Phishing Unfolding scenario.
I also can't find any information from the alerts inside Splunk.
For real, nobody helped.
Hey, I don't think those errors have any impact on functionality. The alerts are not in Splunk, just the logs. The alerts are in the main SocSim interface.
You can safely ignore these error messages. Thank you for bringing this up, will have them fixed soon.
Do you mean you can't find the logs? Should be in the Discover tab. You'd have to use a query to get the relevant events to show up.
If you mean the alerts, those are only found in the SOC Sim dashboard.
But when I search for an email or something on Splunk, I can't find anything, and when I filter it to all time, I still can't find anything that I'm getting from the alerts.
@wheat zephyr @polar tangle
I can only see other logs not related to the alerts
Hmm. Weird. Can you attach a screenshot of your query including the results?
Oh, I see what you mean! The events for the email sources are different, but the events for everything else are fine. Thank you for reporting this. I'll push a fix ASAP.
Gave +1 Rep to @foggy condor (current: #620 - 11)
This should now be fixed. Just exit the simulation and then rerun it.
Thank you, I'll try it later.
Yes, that was the problem, I couldn't find anything about the alerts. I searched by email, by process name, and got 0 results.
Is this for a specific room?
This is the support of soc simulator
Is it free or in premium? Or an extra thing?
The SOC simulator is free to use, you can choose 2 scenarios.
The other ones are for business plan
Oh great, I didn't see this before. I need all the help I can get to land a SOC job.
Do the SOC1 learning path, it is premium, and practice with blue machines in challenges.
Hi, I need help. I don't know if the website is in error or I am... The question is the detection strategy ID in the MITRE sector.
My answer is DET0879
I already researched the answer but it didn't work.
Was starting to look at this yesterday after a bug report https://discord.com/channels/521382216299839518/1434983190610710578
It seems there may be two ways to answer the question. The team is working to clarify it.
(Note this channel is for soc simulator discussions, so not the right place for room bugs or help)
Hello guys, can somebody help with the critical error "TypeError: Cannot read properties of undefined (reading 'title')" in SOC Simulator (Phishing)? It occurs every time I reach 4/5 notes for alerts written. I tried multiple times to do this sim, but it happens again and again, and my progress is unsaved every time.
Let me check with the team on this. Is this the first time you're using the simulator, or did it work in the past?
The team found an issue with badges and have made a fix. Hopefully that should fix it for you. Sorry for the bug.
I can't paste screenshots in this channel. Is this happening only to me?
And I am in this room ...In SOC level 1 path -- Log Analysis with SIEM -- Lab Access: I can't access the Given URL of splunk web interface: I started the machine: tried to access from both my own VM via vpn and on tryhackme attack machine: getting same results: "502 Bad Gateway"
To access Splunk, please follow this link: https://ip.reverse-proxy-us-east-1.tryhackme.com.
That's rather #site-support. There you might get an answer. Currently having the same/similar issue.
Hi, I need support, I'm taking the Cybersecurity 101 course and I can only open the Linux machine, but not the Windows one.
Hi, I've connected to the VPN and I still can't use the machine.
#room-help and what room exactly
How long does the sim take to start? It's been loading for over an hour.
Hey there. Sim should take only a few minutes at most. What SIEM did you pick?
Typo snare
It started after restarting a few times
Let us know if this continues for you. Thanks
Gave +1 Rep to @sour glade (current: #1610 - 3)
Sorry guys, but if anyone can help me please. I was using the Wreath room in TryHackMe, but suddenly the IP of victem1 on internalNETWORK is gone, as if it wasn't there? [root@prod-serv tmp]# ls
ghostjerker nc-iimmaadd scan-iimmaadd-2 systemd-private-0428e9fbe6b640af8396d9dd28364c05-httpd.service-b6bj64
hop-ghostjerker nmap-iimmaadd scan-target-3 systemd-private-0428e9fbe6b640af8396d9dd28364c05-mariadb.service-FRmOG8
hop-jsp0511 scan-iimmaadd socat-kb systemd-private-0428e9fbe6b640af8396d9dd28364c05-php-fpm.service-vaemiP
[root@prod-serv tmp]# ./nmap-iimmaadd -sn 10.200.180.0/24
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2025-11-18 10:20 GMT
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for ip-10-200-180-1.eu-west-1.compute.internal (10.200.180.1)
Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Host is up (-0.18s latency).
MAC Address: 06:4B:B1:8F:69:93 (Unknown)
Nmap scan report for ip-10-200-180-100.eu-west-1.compute.internal (10.200.180.100)
Host is up (0.00016s latency).
MAC Address: 06:3B:9A:F2:7C:01 (Unknown)
Nmap scan report for ip-10-200-180-250.eu-west-1.compute.internal (10.200.180.250)
Host is up (0.00013s latency).
MAC Address: 06:4B:C0:B7:01:91 (Unknown)
Nmap scan report for ip-10-200-180-200.eu-west-1.compute.internal (10.200.180.200)
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 4.94 seconds
[root@prod-serv tmp]#
Hello TryHackMe team / moderators,
I am having an issue with the "IP and Domain Threat Intel" room, Task 4.
The SHA256 TLS certificate fingerprint for the IP 85.188.1.133, taken from Censys, is:
5ea8e6046bdabaa8e23a1a012c01d1be5ccd42c66ef2577a59f3b3f0f056d12e
However, TryHackMe keeps rejecting it with the message:
"The answer you provided may not be in English."
I tried typing it manually, ensuring no spaces or extra characters, but it still fails.
Could you please check and fix this task?
Thank you very much!
This one is broken I guess - https://tryhackme.com/soc-sim/scenarios?scenario=phishing-unfolding-v2
I spawned the scenario and waited for almost 15 mins but there wasn't any event under relevant fields, I was using Sentinel.
SOC-SIM scenarios should be FREE for all premium users !
I mean what if I’m not a business that means I cannot have access to other scenarios?
How am I getting value for my money then?
The Windows VMs in all the rooms are not loading, they shut down instantly. I tried to access them on the website and via RDP as well.
Hi everyone, I’d like to ask something.
I’m trying to upgrade my TryHackMe account using PayPal, and I have enough balance in my PayPal. However, every time I try to check out, PayPal keeps asking me to add a credit/debit card. There is no option to pay directly using my PayPal balance.
Does anyone know how to pay for TryHackMe without adding a card?
Or does TryHackMe require a card for subscriptions?
If anyone has experience or a solution, please let me know. Thank you!
This channel is focused on the SOC Simulator product on TryHackMe. I think you're looking for the #site-support channel. I'm looking at your issue, though, and I'm not really sure of the answer. Do you think this is a TryHackMe issue, or is it a PayPal thing?
I know some people had issues due to different VPNs, but I didn't see anything major across the site in the recent days. Also, I think this message is probably best suited in the #site-support or #room-help channels
The SOCSIM product was originally built for B2B customers and we have released some scenarios wider and are looking if we can release more this way. The cost to build and grow this product is built around a B2B-type pricing. This probably means that if you're on premium and the reason you're on premium is to get SOCSIM or threat hunting simulators, then premium is probably not the right option for you as you won't get the value you're expecting. I think you get an amazing amount of value with Premium relative to the cost, but this is probably an individual decision.
As a matter of interest, if there was an option, would you consider paying an additional just to have access to all of the simulator products and scenarios?
I honestly do not mind paying an additional fee to have access to all scenarios. it’s for my own benefit after all. But it has to be at a fair price - businesses should not enjoy this alone 😔
[...] would you consider paying an additional just to have access to all of the simulator products and scenarios?
Yes, maybe not all would be required but a core set of must-have-scenarios, like THM's modules. I'd pay if it's reasonable and can get some sort of recognition (e.g. badge of completion) that I can show on job posting sites, which IMHO is a valid purpose.
@quaint cloak @void creek Thanks for this. Good ideas that I'll pass on to the product team. I hope we can find a way to balance the B2B and the premium side so that everyone is happy.
Gave +1 Rep to @void creek (current: #1314 - 4)
Gave +1 Rep to @quaint cloak (current: #369 - 21)
Hello, I was wondering how this one is considered a false positive when the mail was sent from a domain called m1crosoft
in ID 8818 in the phishing SOC simulator
Hi. Which scenario is this? Is this Phishing Unfolding?
Yes
I'm wondering how to approach the SOC simulator. I am having a bit of trouble with the Phishing Unfolding scenario. Once the alerts involving the suspicious processes start coming in, I'm not sure what is expected. It seems clear that there is an ongoing attack, and there are many alerts that are essentially the same. Would I try to assign all of the related alerts to myself and write a single report on them? Is this how things would be handled in a real SOC?
Having worked short term as a SOC analyst, generally we handled each alert individually because they are usually alerts for individual events. These may all be related in the grand scheme of things, but it's important to go through every alert. Remember to check domains and the Splunk logs to get a better sense of the traffic those alerts are referencing.
Scenario: Phishing Unfolding (Updated)
The malicious attachment that's part of a True Positive alert on Analyst VM shows Clean with TryDetectMe, so, I'm just curious to know if it's a bug or a feature... I remember it previously being Malicious.
It's also totally realistic for it showing clean - but we're also kinda making an assumption based on a typo in the filename, and not truly verifying it...
You can only assign 10 alerts (something I don't like, I'd like more) in a group and write a single report... It feels a lot cleaner and easier to manage...
I did group the alerts in the exam, and in the practice scenarios...
Copying and pasting the same report over and over feels weird and annoying... and I've seen a lot of people who took the exam say the same thing...
Just my 2 cents...
I am facing a problem in SOC Simulator, specifically in Analyst VM. It keeps reconnecting and doesn't run at all. Does anybody have an idea of the problem?
Thanks.
I tested myself and it took a little longer logging into the Windows VM than usual, but it still logged in. Are you still seeing an issue?
There is also the Reconnect VM button that may help?
Still facing the problem, it keeps reconnecting but no log in at all.
Hello guys,
I am stuck in SOC L1 Alert Reporting. The question is: What flag did you receive after correctly escalating the alert from the previous task to L2? Note: If you correctly escalated the alert earlier, just edit the alert and click "save" again.
MY ANSWER IS
THM{nice_attempt_faking_microsoft_support} But it says incorrect answer. Searching on the internet and a medium.com blog also shows this answer. CAN ANYONE PLEASE HELP ME WITH THIS QUESTION?
That may need more investigation. Can you log a ticket with support? I haven’t been able to reproduce. There is a reconnect logic that does cause a reconnect when you click away and click back but it does finish. I assume you only have this issue with the SocSim vm and not others in rooms (it’s a similar code and logic though not exactly).
HI @polar tangle , regarding THM "Alpha" / "Beta" badges for completing a SOC-SIM scenario in those stages, is there a way to be notified about these early scenario releases to try to earn these badges? And when will we likely see the next scenarios released with those statuses?
BTW, would they even be available for premium users or only B2B? If so, I give a +1 to the idea of a modest additional fee on top of my premium fee to access these and the other B2B-only scenarios.
Hey @sharp beacon I'll check internally about these badges, I'm not that familiar with their logic.
Technically regarding the B2B scenarios, it is possible to self service purchase a single seat/user as a B2B and get access to everything B2B.
Thanks for the reply @polar tangle. There's a few badges that are a bit vague in their meaning and method to achieve them actually. 😄
Regarding the single seat B2B licence, yes I understand that. It is for me (and I believe many others) too much outlay on top of already paying the premium sub fee. IMHO, THM should consider a new tier in between premium and business/cloud plans for those who aren't part of an enterprise but still wish to access this content. I'd suggest a "Premium+" or single-seat "B2B-lite" type of structure perhaps. Price it accordingly while keeping in mind that the more affordable the price-point, it could attract much more sales from everyday users who are interested but don't have the ability to afford these corporate plans. Please forward this feedback/suggestion to the team or @silver stag /@Ashu if it's useful.
Gave +1 Rep to @polar tangle (current: #263 - 38)
Gave +1 Rep to @silver stag (current: #127 - 79)
You're right it is unclear for some badges how to achieve them. I'll loop that feedback to the right team.
For these two badges you mentioned the alpha and beta it seems they were part of badges for when SOCSIM was first released or even prior to its release. So apparently they're not achievable anymore. We might remove them or hide them as it's a bit unfair to include them now.
Yeah definitely see your point there regarding a premium part or a B2B lite and that a full B2B sub is too high. What do you think should be the price range if I say it included the SOCSIM, the Threat Hunting sim, I suppose cloud content?
Thanks for the feedback/suggestion. I've passed this onto the team - we're already looking at something like this!
Gave +1 Rep to @sharp beacon (current: #2310 - 2)
Hi @polar tangle thanks for getting back to me. I agree, makes sense to hide/remove any badges that are no longer attainable. A review of all would be a good idea. I believe the "League Locked" badge is also no longer achievable - a badge related to the issues when the leagues were first introduced I believe?
Regarding price point for a non-corporate plan for the SIMS + Cloud rooms, I'd suggest somewhere well under $100/month including premium. Perhaps double the current premium monthly cost? Pricing is always tricky when looking at business outlays and balancing with ROI, and I of course have no idea how much Ben/Ashu/etc invest in these features (a lot I'm sure!), but as I said above, it would surely be beneficial overall due to further sales from regular users.
Gave +1 Rep to @polar tangle (current: #260 - 39)
@silver stag Hi Ben, thanks for the reply and great to hear it's actively being considered and potentially introduced! As mentioned, if it's not too much more on top of my premium fee, I'm willing to purchase it. (Perhaps a student discount can apply like for premium for us poor uni students lol.) PS. thanks to you & Ashu for creating THM, I've enjoyed my time on it and have learnt a much wider scope of cybersecurity knowledge than in my uni course!
Gave +1 Rep to @silver stag (current: #127 - 80)
I agree with you, Sir. Every time I want to access this, I don't have any qualification for the requirements said. Even me, I work as a pizza maker but I don't have any higher position working with a SOC job, nor do I have any connection there. I hope your suggestion will be granted.
Hello TryHackMe Support Team,
I hope you are doing well.
I am currently enrolled in the SOC Level 1 learning path with an active Individual Premium subscription. While progressing through the path, I encountered the “Upload and Conquer – SOC Simulation” room, which appears to require a Business subscription to access.
This has caused some confusion and interruption in my learning, as the SOC Level 1 path is promoted for individual learners, yet this simulation is inaccessible to Individual Premium users.
I would like to understand:
Why a Business-only simulation is included in the SOC Level 1 learning path
Whether there is an alternative room or simulation available for Individual Premium users
Or if access to this room can be granted for learners following the SOC Level 1 path
I am very motivated to complete the SOC Level 1 path as intended, and I would appreciate your clarification or guidance on how to proceed.
Thank you for your time and support.
Hey Snorla, sorry for this confusion, you're not the only one, I understand it. The path is used by our Business customers also, and these simulations supplement the path for them as practice challenges. As you don't have business, no problem, these simulations are not actually required to complete the path and all the teaching rooms are the same. You'll get immense learning from working your way through the path. Good luck on your journey.
Not sure if this question is allowed, but does anyone know if the SOC simulator considers spam emails as "True Positive" for Phishing? Never mind, the answer is: it depends. If it contains words like "click here and become rich" then yes, if it's just generic spam (promos, ads, etc.) then no.
Hello, please help me. I can't find the correct answer in the phishing emails room to the question: "What phrase does the gibberish sender email start with?”
Guys, someone help me, I can't play the King of the Hill: "Uh-oh! Only intermediate and advanced experienced leveled users can play King of the Hill" + my level account is 12
[0xC][GURU]
Hey guys!
Let's follow each other.
https://tryhackme.com/p/0xAmrEid
Hi, I’m working on the SOC L1 Alert Reporting room.
The question asks: “According to the SOC dashboard, which user email leaked the sensitive document?”
The dashboard clearly shows: e.huffman@tryhackme.thm
However, the answer field rejects the input due to format restrictions and marks it as not English. I’ve tried multiple valid formats (email, username, full name), but none are accepted.
Could you please check the answer validation for this question?
Hi.. that's not the answer, make sure to double check. Initially I entered that as well :)
Is there any way to get a free license if you're learning?
OMG, the Analyst VM keeps breaking up.
The remote desktop server has closed the connection because it conflicts with another connection. Please try again later.
Hi everyone,
I’m currently testing a small DFIR scenario and ran into a performance issue.
I deployed the EICAR test file on a Windows test system and then collected artifacts using the Velociraptor Offline Collector.
After that, I created a Plaso database with log2timeline and uploaded it into Timesketch. Everything is running locally on my machine.
Here’s the problem:
• log2timeline took about 4 hours to complete.
• The resulting Plaso file is around 4GB.
• Indexing the file in Timesketch has already been running for more than 3 hours and is still not finished.
Is this normal behavior for a Plaso file of that size?
Does anyone know what might be causing this kind of delay?
Also, what would be a more efficient workflow in a real-world DFIR scenario? Waiting this long for timeline generation and indexing doesn’t seem very practical.
Are there better approaches or alternative tools you would recommend?
Thanks in advance!
Yes, for a 4 GB Plaso file created from a full Velociraptor scan, it is actually to be expected that log2timeline takes several hours to run and that Timesketch indexing is very slow on the local machine. The reasons for this are disk I/O, RAM or CPU constraints, and the fact that many Plaso parsers are single threaded. In an optimized process, you would ideally only gather the artifacts that are of interest to your investigation and not the entire system, and you could also consider splitting up large Plaso files into smaller pieces for indexing in Timesketch. Other solutions such as the ELK stack with Winlogbeat, GRR Rapid Response, or the Autopsy timeline view may also offer faster timeline analysis for local DFIR analysis.
I need a complete timeline. I've only saved relevant artifacts so far; now I want a quick overview of what happened on the system during a security incident.
Process your saved artifacts with log2timeline using multiple cores, then export via psort to CSV or split by date or artifact for faster Timesketch indexing. This gives a complete timeline without re-parsing the whole system.
And where do I view this timeline? I also need to filter here.
View and filter your timeline in Timesketch, where you can search, slice by time, and filter by event type. Alternatively, open the CSV in Excel or similar to sort and filter columns.
How do I start at the SOC?
Start with the SOC Level 1 Path on TryHackMe. Make sure you know about networking and Linux basics first. Focus on log analysis, SIEM tools and incident response.
Hello everybody. I am doing SOC L1, and after the Linux Security Monitoring rooms, there is a SOC Simulator Scenario named "BlackCat", to which I don't have access, or I don't know how to access it. I am a premium user with a monthly subscription.
Never mind, I just noticed that it is available only for B2B. Why am I seeing it in my path if it's not available for premium members 🙁
Advertising.
yeah ....
Can anyone help me? I'm finally building my first log monitoring lab! I thought about using Splunk but it's paid, and then I came to know about Wazuh, but I'm definitely confused by all the different tools out there.
If you were starting from scratch today to learn the basics, which tool would you pick? (My aim is to become a SOC analyst.)
I do recommend starting with Wazuh. It is open source, flexible and integrates well with the Elastic Stack.
Ok thanks
Gave +1 Rep to @desert hollow (current: #123 - 84)
The SOC sim keeps crashing for me after reviewing the 4th alert. Does anyone else have a similar issue?
Try refreshing the page and restarting the lab or AttackBox. If it still crashes, switch browser or relaunch the SOC Sim; it is usually a temporary lab bug.
SOC Simulator crashes out after completing all objectives to the main SOC Simulator screen without providing a report of your session, in order to view the details I have to go back in to progress/stats to see what happened. This only started about 1 week ago, happens on multiple computers.
Sounds like a platform side issue
Hello everyone, I got stuck on learning Defensive Security at the final task, where it is about Defend FakeBank. So I want someone to help me!
Click View Site
Open Web Discovery Attack
Find suspicious IP in alerts
Click Block IP
Enable Rate limit
Apply security rule
Flag appears at top
Hey, in the "Phishing Unfolding" SOC simulation scenario, there are some FPs that can be TPs. Sure, there is one saying that the target should "click here" without the link (and it's clearly a failed attack / spam), but the one with "send all bank details"? Shouldn't it cause a response to block any outgoing email targeting that address?
Sure, it's about scamming a single user and not company systems, but shouldn't it be cared for?
@desert hollow
I tried it as you recommended, but it doesn't work again. Indeed, I found a white page with an emoji in the center. Otherwise I wonder if I put the wrong info or input for Rate limit and security rule.
Hi
I’m experiencing a recurring issue with the lab machines across multiple rooms.
The problem is:
The machine expires immediately after I click “Start Machine”
Sometimes I get redirected to a “Page not found” error
This issue is happening in multiple labs, not just a single room
What I’ve already tried:
Restarting machines (Terminate → Start)
Reconnecting the VPN
Logging out and back in
Refreshing the browser and clearing cache
Trying a different browser
I also noticed that when I access TryHackMe from Kali Linux, everything works normally. The issue only happens on my main system.
My VPN connection is working correctly, so I believe this may be a platform-side issue or related to my environment.
This issue is preventing me from continuing my learning progress.
Could you please check and assist?
(Expires 0m 0s)
Thank you.
Hello 👋
I am having difficulties running Volatility3 on my Windows OS. Please, anyone that has an idea on how to go about it, I am open to learning it.
Hey! I can help you out with that. Running Volatility3 on Windows can be a bit tricky with the environment setup.
I am an intermediate in defense and offense. I am applying for a SOC and incident response role. Can anyone suggest rooms for me to test my skills and improve?
Look at the Paths.
Where do I ask for help with challenges?