June 16, 2026
TryHackMe Walkthrough — Post-Incident Activity (Task 6: Post-Incident Review Practical)
This post details the procedures used to find the answers to the questions in Task 6 of the “Post-Incident Activity” TryHackMe room.
Fuad Khan
The incident started with a SIEM alert that was raised by Marcus Webb, Nexus Financial's L1 Security Analyst. Below is the alert and the escalation ticket Marcus raised after triage.
Alert Details:
- Alert Name: Anomalous Sign-in Detected
- Time: 2026-03-30 16:41:30
- Affected Account: l.chen@nexusfinancial.thm
- Corporate IP: 197.32.45.112
After triaging the alert, Marcus marked it as a true positive and raised the following escalation ticket.
A SIEM alert triggered on a successful sign-in to a Nexus Financial user account from an IP address that was never observed in the environment before. All Nexus Financial employees work from the London office (IP: 197.32.45.112) and are expected to sign in from the corporate network. This sign-in came from outside the United Kingdom. Laura Chen (Finance Manager) has confirmed she did not initiate this sign-in. Initial triage indicates this is a true positive requiring full IR investigation.
Escalation Details:
- Ticket ID: NXF-SOC-2026-0312
- Raised by: Marcus Webb, Security Analyst (L1)
- Assigned to: IR Analyst (L2)
- Severity: High
- Affected Account: l.chen@nexusfinancial.thm
Current IOC Tracker
Available Log Sources
The table below summarises all IOCs confirmed across the investigation. If you completed the Detection and Analysis room and the Response and Recovery room, you should already have these values. If you are starting from this room, hints are provided to help you find each IOC in Splunk before proceeding to the practical questions.
Task 6: Post-Incident Review Practical
Question 1: What was the initial attack vector used to compromise Laura Chen's account?
The "l.chen@nexusfinancial.thm" account received a credential-harvesting phishing email.
Reference In Detection And Analysis Room (Task 6, Question 4): https://medium.com/@fuad.khan713/tryhackme-walkthrough-incident-response-detection-and-analysis-task-6-detection-practical-bcb93565a454
Answer: Phishing
Question 2: Even after the victim entered their credentials on the phishing page, what security control would have prevented the attacker from gaining access? (Please input the abbreviation of the term)
No multi-factor authentication was configured for the "l.chen@nexusfinancial.thm" account.
Reference In Response And Recovery Room (Task 7, Question 5): https://medium.com/@fuad.khan713/tryhackme-walkthrough-response-and-recovery-task-6-containment-practical-and-task-7-ad304bd219bb
Answer: MFA
Question 3: How many employees were put at risk by the internal phishing email?
Reference In Response And Recovery Room (Task 6, Question 5): https://medium.com/@fuad.khan713/tryhackme-walkthrough-response-and-recovery-task-6-containment-practical-and-task-7-ad304bd219bb
Answer: 3
Question 4: What was the first log source that identified the suspicious activity?
Answer: Entra ID Sign-in Logs
The relevant sourcetype is "azure:aad:signin"; see the "Available Log Sources" table above.
Reference In Detection and Analysis Room (Task 6, Question 1): https://medium.com/@fuad.khan713/tryhackme-walkthrough-incident-response-detection-and-analysis-task-6-detection-practical-bcb93565a454
Question 5: Which file downloaded by the attacker contains personally identifiable information of Nexus Financial employees?
Splunk Query:
index=ir sourcetype="o365:management:activity" ClientIP="223.123.4.50" Operation="FileDownloaded"
| table _time SourceFileName
Answer: Full_Employee_PII_Data.xlsx
Question 6: For improving future detections, which Operation is relevant to highlight for detecting suspicious inbox rule creations?
Answer: New-InboxRule
Reference In Detection and Analysis Room (Task 7, Question 3): https://medium.com/@fuad.khan713/tryhackme-walkthrough-incident-response-detection-and-analysis-task-6-detection-practical-bcb93565a454
Question 7: For improving future detections, which field in Entra ID logs can be used to detect authentications coming from unusual countries?
Answer: location.countryOrRegion
Reference In Detection and Analysis Room (Task 6, question 1): https://medium.com/@fuad.khan713/tryhackme-walkthrough-incident-response-detection-and-analysis-task-6-detection-practical-bcb93565a454
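The three lessons from Questions 5 to 7 (list files downloaded from the attacker's IP, flag New-InboxRule operations, flag sign-ins from outside the expected country) can be replayed as plain detection code. The example below is added here and is not part of the TryHackMe room or the original post. Field names follow the two sourcetypes the post names (azure:aad:signin with location.countryOrRegion, o365:management:activity with Operation, ClientIP and SourceFileName); the sample events are constructed, the attacker's country code "ZZ" is a placeholder because the post only says the sign-in came from outside the United Kingdom, and resultType "0" is assumed to mean a successful sign-in.

```python
"""Replay of the Task 6 detections over constructed sample events.

Added example, not code from the TryHackMe room or the original post.
Only the account, the corporate IP (197.32.45.112) and the attacker IP
(223.123.4.50) are taken from the post; every other value is constructed.
"""

# Constructed sample events in the shape of the two Splunk sourcetypes.
SAMPLE_EVENTS = [
    # Entra ID sign-in logs (sourcetype azure:aad:signin)
    {"sourcetype": "azure:aad:signin", "userPrincipalName": "l.chen@nexusfinancial.thm",
     "ipAddress": "197.32.45.112", "location": {"countryOrRegion": "GB"}, "resultType": "0"},
    # "ZZ" is a placeholder: the post only says the sign-in came from outside the UK
    {"sourcetype": "azure:aad:signin", "userPrincipalName": "l.chen@nexusfinancial.thm",
     "ipAddress": "223.123.4.50", "location": {"countryOrRegion": "ZZ"}, "resultType": "0"},
    # Office 365 management activity (sourcetype o365:management:activity)
    {"sourcetype": "o365:management:activity", "Operation": "New-InboxRule",
     "UserId": "l.chen@nexusfinancial.thm", "ClientIP": "223.123.4.50"},
    {"sourcetype": "o365:management:activity", "Operation": "FileDownloaded",
     "UserId": "l.chen@nexusfinancial.thm", "ClientIP": "223.123.4.50",
     "SourceFileName": "Full_Employee_PII_Data.xlsx"},
    {"sourcetype": "o365:management:activity", "Operation": "FileDownloaded",
     "UserId": "l.chen@nexusfinancial.thm", "ClientIP": "197.32.45.112",
     "SourceFileName": "Q1_budget.xlsx"},  # constructed benign download from the office
]

# Per the escalation ticket, all staff sign in from the London office.
EXPECTED_COUNTRIES = {"GB"}


def sign_ins_from_unusual_countries(events, expected=EXPECTED_COUNTRIES):
    """Question 7: successful Entra ID sign-ins whose location.countryOrRegion
    is not in the expected set. Returns (user, ip, country) tuples."""
    hits = []
    for e in events:
        if e.get("sourcetype") != "azure:aad:signin":
            continue
        country = e.get("location", {}).get("countryOrRegion")
        # resultType "0" is assumed to mean success in this constructed sample
        if e.get("resultType") == "0" and country not in expected:
            hits.append((e["userPrincipalName"], e["ipAddress"], country))
    return hits


def inbox_rule_creations(events):
    """Question 6: every New-InboxRule operation, with the actor and client IP."""
    return [
        (e["UserId"], e["ClientIP"])
        for e in events
        if e.get("sourcetype") == "o365:management:activity"
        and e.get("Operation") == "New-InboxRule"
    ]


def files_downloaded_by(events, client_ip):
    """Question 5, the Splunk query as code: SourceFileName of every
    FileDownloaded event coming from the given ClientIP."""
    return [
        e["SourceFileName"]
        for e in events
        if e.get("sourcetype") == "o365:management:activity"
        and e.get("Operation") == "FileDownloaded"
        and e.get("ClientIP") == client_ip
    ]


if __name__ == "__main__":
    print("Unusual-country sign-ins:", sign_ins_from_unusual_countries(SAMPLE_EVENTS))
    print("Inbox rule creations:", inbox_rule_creations(SAMPLE_EVENTS))
    print("Downloads from 223.123.4.50:", files_downloaded_by(SAMPLE_EVENTS, "223.123.4.50"))
```

Each function mirrors one Splunk search: the first two are the detections the post suggests adding after the incident, and the third is the ad-hoc query from Question 5 expressed as a filter. On the constructed events the only unusual-country sign-in, the only New-InboxRule event and the only PII download all come from the attacker IP, which is the correlation a post-incident review would want a future alert to surface.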