
Lab 9 — SOC Investigation

Lab 9 · ⏱ ~35 min · Enterprise Tenant · Read-Only · 👤 Priya
SOC Incident Investigation & Response
Kevin's actions in Module 2 generated three policy violations: a blocked upload to personal Google Drive (Lab 6), a blocked USB file copy (Lab 7), and a blocked browser submission to ChatGPT (Lab 8). As Priya, investigate each incident, assess evidence, update metadata, notify Kevin, escalate where necessary, and configure automated workflows.
🔍 Priya — SOC Analyst · Tier-1
Enterprise Tenant (Read-Only)
You are now Priya. You have just started your shift. Three unresolved incidents are in the queue — all attributed to Kevin, all generated in the last session. Time to investigate.

🎯 Investigate the three incidents Kevin generated, perform triage, notify the user, test escalation, and configure automated workflows for future incidents.

1. Access ZWA and Review the Incident List

Administration → Data Loss Prevention → Workflow Automation

This opens the Zscaler Workflow Automation (ZWA) portal in a new tab. Click the Data Protection tab once it loads. Then click Incidents in the main menu.

You should see three incidents attributed to kevin@dataparity.com. Identify them:

| Incident # | Policy Triggered | Channel      | File / Content          | Status |
|------------|------------------|--------------|-------------------------|--------|
|            |                  | Web Upload   | Payroll_2025.xlsx       |        |
|            |                  | USB Device   | Payroll_2025.xlsx       |        |
|            |                  | Browser / AI | PII text (SSN, Salary)  |        |

If incidents are not visible immediately, filter by user: kevin@dataparity.com. Incidents are typically available within 60 seconds of the policy violation.

2. Review Incident Details and Evidence

Click the Transaction ID for the web upload incident (Incident 1) to open the Incident Details view.

Review the Overview and Violation Details sections. Record what you observe:

| Attribute             | Observed Value |
|-----------------------|----------------|
| Policy name triggered |                |
| User identity         |                |
| Destination URL       |                |
| Detection engine      |                |
| Action taken          |                |

Scroll down to the Violation Content card. Expand View Trigger Data to see the actual content from the file that triggered the violation.

Confirm this matches the Payroll_2025.xlsx file first identified in Lab 3 (DSPM) and reappearing in Lab 4.

Payroll_2025.xlsx — Final appearance. At-rest risk → AI risk → motion risk → enforcement → investigation. Loop closed.

3. Modify Incident Metadata — Triage All Three

On the Incident Details page, use the Actions menu to update Incident 1:

  • Set Status to Investigating · Add note: "Reviewing for policy violation — appears accidental"
  • Set Priority to High
  • Refresh and verify fields reflect your changes
  • Check the State Changes section for the audit trail

Repeat for the USB and browser incidents. Record your assessment:

| Incident             | True or False Positive? | Severity | Initial Determination |
|----------------------|-------------------------|----------|-----------------------|
| Web Upload (Lab 6)   |                         |          |                       |
| USB Device (Lab 7)   |                         |          |                       |
| Browser / AI (Lab 8) |                         |          |                       |

4. Notify and Coach Kevin

From the Incident Details page for Incident 1, click Actions → Notify User.

  • Select the notification language
  • Enter a coaching message. Example:

      Kevin, a policy violation was triggered when you attempted to upload Payroll_2025.xlsx to personal Google Drive. This file contains sensitive financial data and cannot be transferred to personal cloud storage. Please review Dataparity's data handling policy and contact the security team if you require access from home.

  • Click Submit
  • Reload Incident Details → scroll to State Changes → confirm notification is logged

The notification creates an auditable record that coaching was provided. In production, ZWA can also send notifications via Slack and Microsoft Teams.

5. Escalate for Manager Approval

Step 1 — Add an Approver

Setup → Approvers → + Add More

Add your own name and email address as a test approver for this lab exercise.

In production, ZWA integrates with your IdP via SAML and SCIM to automatically populate the approver list based on organizational hierarchy.

Step 2 — Escalate the Incident

  • From the Actions menu, select Escalate
  • Select your ID from the Select Approver dropdown → Click Save
  • Check your email for the DLP Incident Notification (check spam)
  • Click the link in the email to open the approval page

Step 3 — Approve

  • Select Approved in the Justification Type field
  • Enter a reason → Click Submit
  • Return to ZWA → reload the incident → verify escalation approval is in State Changes

Clean Up: After completing the escalation exercise, navigate to Setup → Approvers and delete the approver entry you created.

6. Configure and Explore Automated Workflows

Step 1 — View Workflow Templates

Workflows → Workflow Templates

Review predefined templates and their available actions:

  • Auto-notify user
  • Auto-escalate to manager
  • Auto-close low-risk incidents
  • Auto-assign by department or policy type

Step 2 — Explore the Auto Escalate Template

Click View Workflow Template for the Auto Escalate template. Review the graphical workflow diagram. Observe: when an incident is created, the workflow automatically sends an email notification to the user's manager — the automated version of the manual escalation you just performed.

Step 3 — Review Workflow Mappings

Workflows → Workflow Mapping

Expand the first workflow mapping. Review triggering attributes, matching criteria, and which template is applied when conditions are met.

After exploring, click Reset to restore the original configuration. Do not save changes to shared workflow mappings.
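The mapping logic reviewed in Step 3 (triggering attributes, matching criteria, template applied on a match) and the pattern raised in the discussion questions below (three incidents from one user in one session) can be modelled in a few lines. The Python below is an added example written for this page; it is not ZWA code and does not use any Zscaler API. The dataclass field names, the mapping and template names, the one-hour correlation window, the "TEST-" low-risk criterion and the three incident records (with made-up timestamps) are all assumptions constructed to mirror the lab. Each incident is evaluated against ordered mappings (first match wins; unmatched incidents stay in the queue for Tier-1 review), every action is appended to a state_changes audit trail in the spirit of the State Changes card, and a per-user correlation pass raises a burst across several channels to High priority for human review rather than letting it be auto-closed.

```python
# Added example for this lab: a toy model of ordered workflow mappings with an audit
# trail, plus per-user correlation. Not Zscaler code; all names and records are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

@dataclass
class Incident:
    incident_id: int
    user: str
    channel: str              # "web_upload" | "usb" | "browser_ai"
    content: str              # file name or a summary of the matched content
    off_network: bool         # True when enforcement happened off the corporate network
    created: datetime
    status: str = "New"
    priority: str = "Medium"
    state_changes: List[str] = field(default_factory=list)

    def record(self, action: str, note: str) -> None:
        """Append to the audit trail, the analogue of the State Changes card."""
        self.state_changes.append(f"{action}: {note}")

@dataclass
class WorkflowMapping:
    name: str
    matches: Callable[[Incident], bool]   # triggering attributes / matching criteria
    template: str                         # template applied when the criteria are met

def apply_template(template: str, inc: Incident) -> None:
    """Apply one of the template actions listed in Step 1 of this section."""
    if template == "auto_notify_user":
        inc.status = "Investigating"
        inc.record("notify_user", f"coaching notification sent to {inc.user}")
    elif template == "auto_escalate":
        inc.status, inc.priority = "Escalated", "High"
        inc.record("escalate", "approval request sent to the user's manager")
    elif template == "auto_close":
        inc.status = "Closed"
        inc.record("close", "matched low-risk criteria, auto-closed")
    else:
        raise ValueError(f"unknown template {template!r}")

# Ordered mappings: first match wins. The auto-close rule is last and deliberately
# narrow, so anything it does not explicitly match is held for a human.
MAPPINGS: List[WorkflowMapping] = [
    WorkflowMapping("financial-data-leaving-org",
                    lambda i: "Payroll" in i.content and i.channel in {"web_upload", "usb"},
                    "auto_escalate"),
    WorkflowMapping("ai-prompt-pii", lambda i: i.channel == "browser_ai", "auto_notify_user"),
    WorkflowMapping("synthetic-test-data",
                    lambda i: i.content.startswith("TEST-") and not i.off_network,
                    "auto_close"),
]

def route(inc: Incident, mappings: List[WorkflowMapping] = MAPPINGS) -> Optional[str]:
    """Evaluate mappings in order; return the matched mapping name, or None if held."""
    for m in mappings:
        if m.matches(inc):
            apply_template(m.template, inc)
            inc.record("workflow", f"mapping '{m.name}' applied template '{m.template}'")
            return m.name
    inc.record("workflow", "no mapping matched; held in queue for Tier-1 review")
    return None

def correlate_by_user(incidents: List[Incident], window: timedelta = timedelta(hours=1),
                      threshold: int = 3) -> List[str]:
    """Raise priority when one user produces a burst of incidents across several channels."""
    by_user: Dict[str, List[Incident]] = {}
    for inc in incidents:
        by_user.setdefault(inc.user, []).append(inc)
    flagged = []
    for user, incs in by_user.items():
        incs.sort(key=lambda i: i.created)
        span = incs[-1].created - incs[0].created
        channels = {i.channel for i in incs}
        if len(incs) >= threshold and span <= window and len(channels) > 1:
            for i in incs:
                i.priority = "High"
                i.record("correlation", f"{len(incs)} incidents from {user} across "
                         f"{len(channels)} channels in {span}; requires human review")
            flagged.append(user)
    return flagged

# Constructed records mirroring the three incidents in this lab; timestamps are made up.
T0 = datetime(2026, 1, 1, 9, 0)
SAMPLE: List[Incident] = [
    Incident(1, "kevin@dataparity.com", "web_upload", "Payroll_2025.xlsx", False, T0),
    Incident(2, "kevin@dataparity.com", "usb", "Payroll_2025.xlsx", True, T0 + timedelta(minutes=10)),
    Incident(3, "kevin@dataparity.com", "browser_ai", "PII text (SSN, Salary)", False,
             T0 + timedelta(minutes=20)),
]

def run_demo(incidents: List[Incident] = SAMPLE):
    """Route each incident, then correlate; returns ({incident_id: mapping}, flagged users)."""
    routed = {i.incident_id: route(i) for i in incidents}
    return routed, correlate_by_user(incidents)

if __name__ == "__main__":
    print(run_demo())
```

Running the module routes the two Payroll incidents to auto-escalation, sends a coaching notification for the browser/AI incident, and then flags kevin@dataparity.com because three incidents across three channels landed within twenty minutes, so every record ends at High priority with the reasoning written into its state_changes list. The ordering of MAPPINGS is the design answer to the governance question: auto-close is the last and narrowest rule, so an incident has to match an explicit low-risk criterion to leave the queue without a person looking at it.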

💬 Discussion

  • Does the incident record contain enough information for Priya to determine intent — malicious or accidental?
  • Which of the three incidents represents the highest risk to Dataparity? Why?
  • The USB incident was generated off-network. How does that change Priya's assessment of intent?
  • Priya sees three incidents from one user in one session. What does that pattern suggest?
  • What attributes would distinguish a high-risk incident requiring human review from one that can be auto-closed?
  • What governance controls should exist around workflow automation — who can create or modify templates?

💡 Key Insight

ZWA transforms incident response from reactive to systematic. Every incident gets consistent handling, an auditable trail, and appropriate escalation — whether handled manually or automatically.

The three incidents Priya investigated today trace directly back to the data Alex discovered in Lab 1. Visibility (Module 1) → Protection (Module 2) → Investigation (Module 3) is a complete, connected loop — not three separate products.

💡 Facilitator Notes

Draw the explicit connection: the Payroll file appeared in DSPM (Lab 3), Copilot Readiness (Lab 4), as a blocked incident (Lab 6), and now as Priya's triage case. Ask: "What would have happened without any of these layers?"

The escalation email exercise is the most memorable part — attendees actually receive an email, which makes the workflow tangible and real.

Strong closing line: "Alex mapped the risk. Kevin tested the controls. Priya closed the loop. That's the complete data security lifecycle in one session."

🏁 Lab Complete — The Data Security Lifecycle

| Module                   | Persona      | What Was Demonstrated                                                                  | Labs |
|--------------------------|--------------|----------------------------------------------------------------------------------------|------|
| Module 1 — Visibility    | Alex         | Mapped sensitive data at rest, in motion, in posture, and in AI exposure               | 1–4  |
| Module 2 — Protection    | Alex + Kevin | Built detection logic, applied inline, endpoint, and browser DLP, tested enforcement   | 5–8  |
| Module 3 — Investigation | Priya        | Investigated incidents, notified the user, escalated, and automated response workflows | 9    |

💡 The Payroll Thread — Complete

The same file — Payroll_2025.xlsx — appeared in five labs across three modules. That is not a coincidence. It is the point.

Data security is not a product. It is a lifecycle. Visibility without protection is awareness without action. Protection without investigation is enforcement without accountability. Alex, Kevin, and Priya are not three separate users — they are three perspectives on the same organization.

Zenith Live 2026 · Dataparity