Blackbox Intelligence Group

Cybersecurity II · Module 8

Cybersecurity II, Unit 8: SOC Fundamentals

Live in the SOC chair. Triage alerts in a SIEM, write the ticket, hand it off, and learn the rhythm of a 24/7 operation.

Length
360 min
Level
intermediate
Track
Cyber II
Cadence
Semester 2


What's in the lesson pack

Everything you need to teach this period.

Built by an OSCP-certified instructor who teaches this material every week. Print-ready, classroom-tested, copy-paste-able.

Teacher Guide


Lesson at a glance, learning objectives, vocabulary, pacing, mini-lessons, and discussion notes.

In-browser presenter


Full themed slide deck you can run live from your laptop. Speaker notes built in. Works offline once loaded.

PowerPoint (.pptx) export


Editable slide deck for districts that mandate PowerPoint or want to customize for their LMS.

Module overview

The full lesson plan, public.

Read everything before you commit. The plan, objectives, vocabulary, standards alignment, and pacing are open. Only the print-ready deliverables are gated.

Unit 8: Security Operations Center (SOC) Fundamentals

Lesson at a glance

| Item                  | Detail                                                                                  |
| --------------------- | --------------------------------------------------------------------------------------- |
| Suggested length      | 6 × 60 minutes                                                                          |
| Recommended placement | Weeks 12–13                                                                             |
| Prerequisite          | Units 1–7                                                                               |
| Materials             | Wazuh or Security Onion VM, sample log sets, ticketing template, MITRE ATT&CK Navigator |

Safety: All SOC labs use canned logs and the lab range. Real incidents stay with real responders.

Standards & credential alignment

  • OffSec SOC-100 alignment.
  • NIST SP 800-61r2 (Computer Security Incident Handling Guide).
  • MITRE ATT&CK as common language.

Learning objectives

By the end of this unit, students can:

  1. Articulate Tier 1 / Tier 2 / Tier 3 SOC roles.
  2. Use a SIEM (Wazuh or Security Onion) to search, filter, and pivot on events.
  3. Triage an alert: validate, classify, escalate or close, with documented rationale.
  4. Map observed activity to MITRE ATT&CK tactics and techniques.
  5. Write a clear, factual incident ticket.

Vocabulary

  • SIEM - Security Information & Event Management; aggregates logs.
  • EDR - Endpoint Detection & Response.
  • SOAR - Security Orchestration, Automation & Response.
  • TTPs - Tactics, Techniques, Procedures (MITRE ATT&CK).
  • IOC - Indicator of Compromise (hash, IP, domain, registry key).
  • MTTD / MTTR - Mean Time to Detect / Respond.
  • Triage - Initial assessment to determine severity and next action.
  • Playbook / runbook - Documented response procedure.

Pacing

| Day | Focus                         | Deliverable                        |
| --- | ----------------------------- | ---------------------------------- |
| 1   | SOC roles + SIEM intro        | Wazuh dashboard tour               |
| 2   | Log sources + writing queries | Three saved queries                |
| 3   | MITRE ATT&CK mapping          | Map a sample alert chain to ATT&CK |
| 4   | Triage workflow               | Triage 5 alerts with decisions     |
| 5   | Ticket writing + handoff      | 3 high-quality tickets             |
| 6   | Tabletop SOC shift simulation | Shift report                       |

Day 1 - SOC structure

Roles in a typical SOC:

  • Tier 1 (alert triage, ~$55–75K).
  • Tier 2 (deeper investigation, $75–100K).
  • Tier 3 (threat hunting, advanced IR, $100–150K).
  • SOC manager / lead.
  • Detection engineer (writes the rules).
  • Threat intel analyst.

Tour the SIEM:

  • Dashboards
  • Discover / search
  • Rules / detections
  • Alerts feed
  • Agent fleet

Day 2 - Queries

Common log sources to land:

  • Windows Security (4624, 4625, 4720, 4732, 4688)
  • Sysmon (1, 3, 7, 11, 13, 22)
  • Linux auth.log, audit.log
  • Web server access logs
  • Firewall / proxy
  • DNS

Sample queries (Wazuh dashboard search syntax on the Elasticsearch backend; each goes in the Discover search bar):

data.win.system.eventID: "4625" and data.win.eventdata.targetUserName: "administrator"

data.win.eventdata.commandLine: "*powershell* -enc *"

rule.groups: "authentication_failed" and source.ip: "192.168.56.0/24"

Day 3 - MITRE ATT&CK

Open the ATT&CK Navigator. Walk through tactics: Initial Access → Execution → Persistence → Privilege Escalation → Defense Evasion → Credential Access → Discovery → Lateral Movement → Collection → Exfiltration → Impact.

Take a 5-event sample chain (login failures → success from new IP → suspicious PowerShell → scheduled task created → outbound traffic to unusual destination) and map each event to a specific technique.
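The first two links of that chain (a burst of failed logons, then a success from the same source) are the pattern a Tier 1 analyst most often has to confirm by pivoting in the SIEM. The script below is an added example for Days 2 and 3, not Wazuh's own rule logic: it runs the correlation over a constructed sample log set whose field names mirror the Wazuh `data.win.eventdata` layout used in the queries above (`targetUserName`, `ipAddress`), and tags each finding with the ATT&CK techniques the two halves of the pattern map to.

```python
"""Correlate a burst of failed logons with a later success from the same IP.

Added example for this unit; not Wazuh's own rule logic. Field names mirror
the Wazuh data.win.eventdata layout so the same pivot can be reproduced in
the SIEM. The events below are constructed sample data, not a real capture.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log set. 203.0.113.7 hammers "administrator" with six
# 4625 (failed logon) events and then gets a 4624 (successful logon);
# 10.0.0.5 is a user mistyping a password twice before logging in normally.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T02:14:05Z", "eventID": "4625", "targetUserName": "administrator", "ipAddress": "203.0.113.7"},
    {"ts": "2024-03-04T02:14:09Z", "eventID": "4625", "targetUserName": "administrator", "ipAddress": "203.0.113.7"},
    {"ts": "2024-03-04T02:14:14Z", "eventID": "4625", "targetUserName": "administrator", "ipAddress": "203.0.113.7"},
    {"ts": "2024-03-04T02:15:01Z", "eventID": "4625", "targetUserName": "jsmith", "ipAddress": "10.0.0.5"},
    {"ts": "2024-03-04T02:15:20Z", "eventID": "4625", "targetUserName": "administrator", "ipAddress": "203.0.113.7"},
    {"ts": "2024-03-04T02:15:33Z", "eventID": "4625", "targetUserName": "jsmith", "ipAddress": "10.0.0.5"},
    {"ts": "2024-03-04T02:15:40Z", "eventID": "4624", "targetUserName": "jsmith", "ipAddress": "10.0.0.5"},
    {"ts": "2024-03-04T02:16:02Z", "eventID": "4625", "targetUserName": "administrator", "ipAddress": "203.0.113.7"},
    {"ts": "2024-03-04T02:16:44Z", "eventID": "4625", "targetUserName": "administrator", "ipAddress": "203.0.113.7"},
    {"ts": "2024-03-04T02:17:10Z", "eventID": "4624", "targetUserName": "administrator", "ipAddress": "203.0.113.7"},
]

# ATT&CK technique IDs for the two halves of the pattern.
ATTACK_MAP = {
    "4625_burst": ("T1110", "Brute Force"),
    "4624_after_burst": ("T1078", "Valid Accounts"),
}


def parse_ts(value):
    """Parse the ISO 8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate_logons(events, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per (ip, user) where at least `threshold` 4625 events
    inside `window` are followed by a 4624. Each finding carries the evidence
    a Tier 1 analyst would paste into the ticket plus the ATT&CK mapping."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    failures = defaultdict(list)  # (ip, user) -> timestamps of recent 4625s
    findings = []
    for event in ordered:
        key = (event["ipAddress"], event["targetUserName"])
        now = parse_ts(event["ts"])
        # Keep only failures still inside the sliding window.
        failures[key] = [t for t in failures[key] if now - t <= window]
        if event["eventID"] == "4625":
            failures[key].append(now)
        elif event["eventID"] == "4624" and len(failures[key]) >= threshold:
            findings.append({
                "source_ip": key[0],
                "user": key[1],
                "failed_logons": len(failures[key]),
                "first_failure": failures[key][0].isoformat() + "Z",
                "success_at": event["ts"],
                "attack": [ATTACK_MAP["4625_burst"], ATTACK_MAP["4624_after_burst"]],
            })
            failures[key].clear()  # do not re-fire on the same burst
    return findings


if __name__ == "__main__":
    for finding in correlate_logons(SAMPLE_EVENTS):
        print(finding)
```

With the default threshold of five failures only the 203.0.113.7 burst fires; lowering the threshold to two also flags jsmith's two typos, which is exactly the kind of tuning decision behind the "alert fatigue" point in the misconceptions section. Students can reproduce the same pivot in Wazuh with the first sample query above and then filter on `data.win.eventdata.ipAddress`.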

Day 4 - Triage

Decision tree for a Tier 1 analyst:

Alert in.
1. Is the source legit? (alert noise / known false positive?)
   - Yes (false positive)  → tune rule, close.
   - No → continue.
2. Is the activity expected? (known maintenance window? authorized user?)
   - Yes → close with note.
   - No → continue.
3. Severity?
   - Low → ticket, monitor.
   - Medium → ticket, escalate to T2 within SLA.
   - High/Critical → page T2/T3 immediately.
4. Document rationale either way.

Students triage 5 prepared alerts, write the decision and rationale.

Day 5 - Ticket writing

A good ticket has:

Title: Concise + searchable
Severity: Low/Medium/High/Critical (with rationale)
Affected assets: hostname, IP, user
Timeline: ISO 8601 timestamps
Observations: facts only, no speculation in this section
Analysis: hypothesis with confidence level
Recommended action: what should T2 do next
Evidence: log snippets, screenshots, query links

Students rewrite a bad ticket (provided) into a good ticket.
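The Day 4 decision tree and the Day 5 ticket structure fit together: the tree decides whether a ticket exists at all, and the ticket checklist decides whether what was written is usable by Tier 2. The script below is an added example that encodes both; it is not a ticketing system's code. The alert flags (`known_false_positive`, `expected`) and the ticket section keys are assumptions that follow the lesson text, and the sample alerts and tickets are constructed.

```python
"""Walk the Tier 1 triage decision tree and check the resulting ticket.

Added example for Days 4 and 5 of this unit; not a ticketing system's own
code. Alert flags and ticket section names are assumptions taken from the
lesson text; all sample data is constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime

SEVERITIES = ("low", "medium", "high", "critical")


@dataclass
class Alert:
    name: str
    severity: str
    known_false_positive: bool = False  # step 1: alert noise?
    expected: bool = False              # step 2: maintenance window / authorized?
    reason: str = ""                    # why step 1 or 2 applies


def triage(alert):
    """Apply the Day 4 decision tree; return (disposition, rationale)."""
    sev = alert.severity.lower()
    if sev not in SEVERITIES:
        raise ValueError(f"unknown severity {alert.severity!r}")
    if alert.known_false_positive:
        return "close_and_tune", f"{alert.name}: known false positive ({alert.reason}); tune the rule."
    if alert.expected:
        return "close_with_note", f"{alert.name}: expected activity ({alert.reason}); closed with note."
    if sev == "low":
        return "ticket_monitor", f"{alert.name}: low severity; ticket opened, monitoring."
    if sev == "medium":
        return "ticket_escalate_t2", f"{alert.name}: medium severity; ticket opened, escalate to Tier 2 within SLA."
    return "page_t2_t3", f"{alert.name}: {sev} severity; page Tier 2/3 immediately."


REQUIRED_SECTIONS = ("title", "severity", "affected_assets", "timeline",
                     "observations", "analysis", "recommended_action", "evidence")
# Words that signal speculation; they belong in Analysis, never in Observations.
SPECULATION = re.compile(r"\b(probably|likely|maybe|i think|seems|guess)\b", re.IGNORECASE)


def is_iso8601(value):
    """True if `value` parses as an ISO 8601 timestamp (a trailing Z is accepted)."""
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def check_ticket(ticket):
    """Return a list of problems against the Day 5 checklist; empty means it passes."""
    problems = []
    for section in REQUIRED_SECTIONS:
        if not ticket.get(section):
            problems.append(f"missing section: {section}")
    if ticket.get("severity", "").lower() not in SEVERITIES:
        problems.append("severity must be Low/Medium/High/Critical")
    for stamp in ticket.get("timeline", []):  # timeline is a list of timestamps
        if not is_iso8601(stamp):
            problems.append(f"timeline entry is not ISO 8601: {stamp!r}")
    hit = SPECULATION.search(ticket.get("observations", ""))
    if hit:
        problems.append(f"speculation in observations: {hit.group(0)!r}")
    if "confidence" not in ticket.get("analysis", "").lower():
        problems.append("analysis must state a confidence level")
    return problems


# Constructed sample alerts, one per branch of the tree.
SAMPLE_ALERTS = [
    Alert("Port scan from 10.0.0.9", "medium", known_false_positive=True, reason="authorized vuln scanner"),
    Alert("New local admin on LAB-WS03", "medium", expected=True, reason="scheduled maintenance window"),
    Alert("Single failed logon for jsmith", "low"),
    Alert("Encoded PowerShell on LAB-WS07", "medium"),
    Alert("Brute force then admin logon from 203.0.113.7", "high"),
]

# Constructed tickets: one that passes the checklist and one a student must rewrite.
GOOD_TICKET = {
    "title": "Brute force then successful logon as administrator from 203.0.113.7",
    "severity": "High",
    "affected_assets": "host FILESRV01 (constructed), user administrator, source 203.0.113.7",
    "timeline": ["2024-03-04T02:14:05Z", "2024-03-04T02:17:10Z"],
    "observations": "Six 4625 events for administrator from 203.0.113.7 between 02:14:05Z and 02:16:44Z, then a 4624 at 02:17:10Z.",
    "analysis": "Credential brute force followed by use of the obtained credential (T1110, T1078). Confidence: high.",
    "recommended_action": "Tier 2 to confirm whether the session is still active, isolate the host, reset the administrator credential.",
    "evidence": 'SIEM query: data.win.system.eventID: "4625" and data.win.eventdata.targetUserName: "administrator"',
}
BAD_TICKET = {
    "title": "something weird",
    "severity": "bad",
    "affected_assets": "a server",
    "timeline": ["03/04/24 2am"],
    "observations": "Probably the attacker got in through RDP.",
    "analysis": "Hacked.",
    "recommended_action": "fix it",
}

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(*triage(alert))
    print("good ticket:", check_ticket(GOOD_TICKET) or "passes")
    print("bad ticket:", check_ticket(BAD_TICKET))
```

Running it prints five dispositions (one per branch of the tree) and then the checklist findings for each ticket; the bad ticket fails on the missing Evidence section, the non-standard severity, the non-ISO timestamp, the speculative Observations and the missing confidence level, which is the same list students should produce by hand in the Day 5 rewrite.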

Day 6 - Shift simulation

90-minute simulated shift:

  • Alerts drip in (teacher-paced or scripted timer).
  • Two-person teams: analyst + recorder.
  • At end of shift, write a 1-page shift handoff report.

Debrief 30 min: what was hard, what got missed, how would the runbook change?

Common misconceptions

  • "More alerts = better detection." - Alert fatigue is the #1 SOC killer. Quality over quantity.
  • "The SIEM tells you the answer." - The SIEM tells you what happened. You tell the story.

Assessment

  • Day 4 triage rationales (5).
  • Day 5 ticket rewrite + 3 tickets from Day 6.
  • Day 6 shift handoff report.

Career connection

Tier 1 SOC analyst is one of the most accessible entry points in cyber. Strong pipeline to Tier 2/3 within 18–24 months. SOC manager $130K–$180K.

Homework

Read CISA Alert AA22-* (one provided). Map at least 5 reported behaviors to ATT&CK techniques.

Ready to use this in class?

Unlock the full Cybersecurity II edition.

All teacher guides, worksheets, scenarios, quizzes, answer keys, and the in-browser presenter for every module in the track. Site-license pricing for schools and districts. Free review copies for verified educators.