🎯 Goal
Develop the mindset and skills to defend networks, detect intrusions, and respond to threats. Understand how Security Operations Centers (SOCs) work, how to use SIEM platforms, and how to triage security alerts effectively.
🔑 Key Skills to Learn
- SOC Operations & Workflow: Triage, escalation, incident categories, ticketing (TheHive), shift handovers.
- Security Information & Event Management (SIEM): Log ingestion, correlation rules, alerting, dashboard creation, query languages (SPL, KQL).
- Log Analysis: Windows Event Logs (Event ID 4624, 4625, 4688, Sysmon logs), Linux syslog, web server logs, firewall logs. Recognize patterns of attacks.
- Endpoint Detection & Response (EDR): Basic concepts of endpoint telemetry, process trees, and anomaly detection.
- Network Security Monitoring (NSM): Intrusion Detection/Prevention Systems (Snort/Suricata), Zeek, full packet capture analysis.
- Threat Intelligence Basics: IOCs (IPs, hashes, domains), TTPs, threat feeds (MISP), the Pyramid of Pain.
- Incident Handling Phases: Preparation, identification, containment, eradication, recovery, lessons learned (NIST/SANS model).
- Phishing Analysis: Header inspection, SPF/DKIM/DMARC checks, URL/attachment analysis (sandboxing).
- MITRE ATT&CK for Defense: Map alerts to techniques, improve detection coverage, understand adversary behaviors.
🛠️ Essential Tools & Technologies
| Tool | Purpose |
|---|---|
| Splunk Free / Splunk Enterprise Trial | Industry-standard SIEM for log analysis and alerting. |
| Wazuh (Open Source) | XDR/SIEM platform combining host-based IDS, log analysis, and file integrity monitoring. |
| Elastic Stack (ELK) | Log collection (Beats), storage (Elasticsearch), and visualization (Kibana) for custom monitoring. |
| Sysmon + SwiftOnSecurity Config | Enhanced Windows event logging for detailed endpoint visibility. |
| Snort / Suricata | Network IDS/IPS for real-time traffic analysis. |
| Zeek (formerly Bro) | Network security monitor; extracts protocol metadata for threat hunting. |
| Wireshark / Tcpdump | Deep packet inspection for incident investigation. |
| TheHive | Open-source incident response case management. |
| MISP | Threat intelligence platform to share and consume IOCs. |
| CyberChef | "The Cyber Swiss Army Knife" for data decoding, analysis, and transformation. |
📖 Free Learning Resources
- TryHackMe – SOC Level 1 Path – Rooms: "Cyber Defense Frameworks", "Phishing Analysis", "SIEM Basics", "Incident Response". Link
- Blue Team Labs Online (BTLO) – Free tier challenges for security operations and threat hunting. Link
- Security Blue Team (YouTube) – Free introductory videos on blue team concepts and tools. Link
- Splunk Fundamentals Free Courses – Splunk offers free introductory training. Link
- SOC Analyst (LetsDefend) – Free tier with simulated alerts and investigation walkthroughs. Link
- Wazuh Documentation & Labs – Free, comprehensive docs with example monitoring scenarios. Link
- Chris Sanders’ Blog & "Applied Network Security Monitoring" – Foundational NSM concepts (some free blog posts). Link
- SANS DFIR Posters – Free visual reference for Windows Event IDs, file system timelines, and more. Link
🔗 Roadmap Placement
- Prerequisites: Core Security Concepts, Linux, Networking. These give you the technical context to understand what you're defending and how attacks manifest in logs and traffic.
- Directly Enables: Incident Response, Threat Hunting, DFIR, and Purple Teaming. Blue team skills are the foundation for all defensive and hybrid roles.
- Next Steps: After SOC fundamentals, dive deeper with Digital Forensics & Incident Response (DFIR), Threat Hunting, or Cloud Security Monitoring.