Effective Threat Investigation for SOC Analysts, Free Online

Go to The DFIR Report. Pick the most recent "Ransomware" write-up. Copy the first IP address listed. Put it into VirusTotal (Relations tab). Find the associated domain. Put that domain into URLhaus. See the malware sample. Ask yourself: how did the initial analyst spot this?
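The pivot described in that exercise, scripted as an added example that is not part of the original post: it walks IP to resolved domains (VirusTotal Relations) to URLhaus hits, and flags the domains that have a known malware URL. It runs offline over constructed sample payloads shaped like the VirusTotal v3 resolutions response and the URLhaus host-lookup response; the IP, domains and URLs are placeholders, not real indicators.

```python
"""Offline IP -> domain -> URLhaus pivot over constructed sample payloads."""
import json
from datetime import datetime, timezone

# Constructed sample, shaped like VT v3 GET /ip_addresses/{ip}/resolutions.
VT_RESOLUTIONS = {
    "data": [
        {"type": "resolution", "attributes": {"host_name": "c2-placeholder.test", "date": 1700000000}},
        {"type": "resolution", "attributes": {"host_name": "c2-placeholder.test", "date": 1699000000}},
        {"type": "resolution", "attributes": {"host_name": "shared-cdn.test", "date": 1600000000}},
    ]
}
# Constructed sample, shaped like URLhaus POST /v1/host/ responses keyed by host.
URLHAUS_BY_HOST = {
    "c2-placeholder.test": {"query_status": "ok", "urls": [
        {"url": "http://c2-placeholder.test/loader.bin", "url_status": "online",
         "threat": "malware_download", "urlhaus_reference": "https://urlhaus.abuse.ch/url/PLACEHOLDER/"}]},
    "shared-cdn.test": {"query_status": "no_results"},
}


def domains_from_resolutions(vt_payload):
    """Domains that resolved to the IP, deduplicated, newest resolution first."""
    latest = {}
    for item in vt_payload.get("data", []):
        attrs = item.get("attributes", {})
        host, ts = attrs.get("host_name"), attrs.get("date")
        if host and ts is not None:
            latest[host] = max(latest.get(host, 0), ts)
    return sorted(latest.items(), key=lambda kv: kv[1], reverse=True)


def urlhaus_hits(payload):
    """Malware URLs URLhaus knows for a host; empty when the host is unknown."""
    if not payload or payload.get("query_status") != "ok":
        return []
    return [{"url": u.get("url"), "status": u.get("url_status"),
             "threat": u.get("threat"), "ref": u.get("urlhaus_reference")}
            for u in payload.get("urls", [])]


def pivot(ip, vt_payload, urlhaus_lookup):
    """Full chain for one IP; urlhaus_lookup(host) returns a URLhaus-shaped dict or None."""
    chain = []
    for host, ts in domains_from_resolutions(vt_payload):
        seen = datetime.fromtimestamp(ts, timezone.utc).date().isoformat()
        chain.append({"domain": host, "last_seen": seen, "urlhaus": urlhaus_hits(urlhaus_lookup(host))})
    # A domain with a known malware URL is the lead worth a deep dive first.
    return {"ip": ip, "domains": chain, "flagged": [d["domain"] for d in chain if d["urlhaus"]]}


if __name__ == "__main__":
    print(json.dumps(pivot("192.0.2.10", VT_RESOLUTIONS, URLHAUS_BY_HOST.get), indent=2))
```

Swapping `URLHAUS_BY_HOST.get` for a function that calls the live APIs turns this into the same pivot the exercise has you do by hand in the browser.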

For a Security Operations Center (SOC) Analyst, the alert queue is the heartbeat of the operation. But triage is not investigation. Clicking "False Positive" on a phishing alert or blocking an IP address is the easy part. The hard part—the effective part—is the deep-dive investigation that answers: How did this happen? What is the blast radius? Is the host still compromised?

While SANS courses and vendor certifications can cost thousands of dollars, the core principles of effective threat investigation are available right now for free. You just need to know where to look.

Mastering the art of the "Deep Dive" without spending a dime.

Do that once a day, and you will outperform 90% of paid training graduates within three months.