Aspiring SOC Analyst’s Handbook by Tyler Wall, MSc, CISSP, CCSK


Download the ebook here:

https://lnkd.in/dM_2s92f

You Should Know:

Essential SOC Tools & Commands

A SOC analyst relies on various tools and commands for monitoring, detection, and incident response. Below are key commands and techniques:

Linux Commands for SOC Analysts

1. Network Analysis

– `tcpdump -i eth0 -w capture.pcap` (Capture network traffic on eth0 to a pcap file; needs root or CAP_NET_RAW)
– `tshark -r capture.pcap -Y "http.request"` (Filter HTTP requests out of a capture with tshark, Wireshark's command-line front end)
– `netstat -tulnp` (List listening TCP/UDP ports with the owning PID; `-l` shows listeners only, so use `ss -tanp` for established connections. On current distributions `ss -tulnp` is the maintained replacement for netstat)

2. Log Inspection

– `grep "Failed password" /var/log/auth.log` (Find failed SSH password attempts; on RHEL-family systems the file is /var/log/secure)
– `journalctl -u sshd --since "1 hour ago"` (Check SSH logs from the systemd journal; the unit is `ssh` rather than `sshd` on Debian/Ubuntu)

3. Malware Analysis

– `strings -n 8 suspicious_file` (Extract printable strings from a binary; a minimum length of 8 cuts most noise. Look for URLs, IP addresses, file paths and API names)
– `strace -f -o trace.txt ./malware` (Trace the system calls of an executable and its children into a file. This runs the sample, so do it only in an isolated, disposable VM with no network access)

Windows Commands for Incident Response

1. Process & Network Checks

– `tasklist /svc` (List running processes with services)
– `netstat -ano` (Display active connections with PIDs)

2. Event Logs

– `wevtutil qe Security /f:text /q:"*[System[(EventID=4624)]]"` (Extract successful logons; the XPath filter must start with `*`. Logon Type 3 or 10 in the event body indicates a network or RDP logon)
– `Get-WinEvent -FilterHashtable @{LogName='Security';ID=4688}` (PowerShell: process creation events; these exist only if "Audit Process Creation" is enabled, and the command line is recorded only when command-line auditing is enabled as well)

3. Forensic Data Collection

– `autoruns.exe` (Sysinternals: check auto-start programs; `autorunsc.exe -a * -c` gives the same data as CSV for scripting)
– `volatility -f memory.dump --profile=Win10x64_19041 pslist` (Volatility 2: list processes from a memory image; the profile must match the exact Windows build, which `imageinfo` or `kdbgscan` helps identify. Volatility 3 needs no profile: `vol.py -f memory.dump windows.pslist`)

SIEM & Threat Hunting

  • Elasticsearch Query for Suspicious Logins (failed authentications in the last hour; the field name depends on the index mapping, and ECS-based indices use `event.category: authentication` with `event.outcome: failure` instead):
    {
      "query": {
        "bool": {
          "must": [
            {"match": {"event.type": "authentication_failure"}},
            {"range": {"@timestamp": {"gte": "now-1h"}}}
          ]
        }
      }
    }
    
  • Splunk Query for Brute-Force Detection (more than five failed SSH passwords from one source within the search window; `src_ip` must be an extracted field, and CIM-normalized data calls it `src`):
    index=security sourcetype=linux_secure "Failed password" | stats count by src_ip | where count > 5
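The `grep "Failed password"` check in the Linux section and the Splunk `stats count by src_ip | where count > 5` search above are the same detection: count failed SSH password attempts per source address and alert above a threshold. The Python below is an added example, not code from the handbook or from this post, that runs that logic offline over constructed auth.log lines so the grouping and the threshold can be checked; the sample lines, the host name and the RFC 5737 addresses in them are made up. It also records which usernames each source tried, which separates a single-account brute force from password spraying across accounts.

```python
"""Brute-force detection over SSH auth.log lines (added example)."""
import re
from collections import defaultdict

# Matches both sshd failure forms: "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log lines (not real data): 203.0.113.5 fails seven
# times across four accounts, 198.51.100.9 fails twice and then succeeds.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 host sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Mar  3 10:01:03 host sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Mar  3 10:01:04 host sshd[2003]: Failed password for root from 203.0.113.5 port 51003 ssh2
Mar  3 10:01:05 host sshd[2004]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar  3 10:01:06 host sshd[2005]: Failed password for root from 203.0.113.5 port 51005 ssh2
Mar  3 10:01:07 host sshd[2006]: Failed password for invalid user oracle from 203.0.113.5 port 51006 ssh2
Mar  3 10:01:08 host sshd[2007]: Failed password for invalid user test from 203.0.113.5 port 51007 ssh2
Mar  3 10:02:00 host sshd[2010]: Failed password for alice from 198.51.100.9 port 40210 ssh2
Mar  3 10:02:05 host sshd[2011]: Failed password for alice from 198.51.100.9 port 40211 ssh2
Mar  3 10:02:09 host sshd[2011]: Accepted password for alice from 198.51.100.9 port 40211 ssh2
"""


def parse_failed_logins(lines):
    """Yield (src_ip, user) for every 'Failed password' line, skip the rest.

    This is the grep step: anything that is not a failure is discarded here.
    """
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def count_by_src_ip(lines):
    """Equivalent of `stats count by src_ip`.

    Returns {src_ip: (failure_count, sorted list of usernames tried)}.
    """
    counts = defaultdict(int)
    users = defaultdict(set)
    for ip, user in parse_failed_logins(lines):
        counts[ip] += 1
        users[ip].add(user)
    return {ip: (counts[ip], sorted(users[ip])) for ip in counts}


def brute_force_sources(lines, threshold=5):
    """Equivalent of `where count > 5`: sources strictly above the threshold,
    highest failure count first, as (src_ip, count, users_tried) tuples."""
    stats = count_by_src_ip(lines)
    hits = [(ip, n, tried) for ip, (n, tried) in stats.items() if n > threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for ip, n, tried in brute_force_sources(SAMPLE_AUTH_LOG.splitlines()):
        print(f"{ip}: {n} failed logins, users tried: {', '.join(tried)}")
```

Run against a real file with `brute_force_sources(open("/var/log/auth.log"))`. The threshold is applied to the whole input, exactly as the Splunk search applies it to its time range, so bound the input (or the `journalctl --since` window) to the period you actually want to alert on; a source that fails six times over a month is not the same signal as six failures in a minute.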
    

What Undercode Say:

Aspiring SOC analysts must master log analysis, network forensics, and endpoint detection. Automation with scripting (Python/Bash) enhances efficiency. Regular threat intelligence updates and hands-on practice in labs (like Hack The Box or TryHackMe) are crucial.

Expected Output:

  • Brute-force attempts detected by counting `grep "Failed password"` hits per source address.
  • Memory analysis surfaces a suspicious process (the page's illustrative `PID 1337`) in Volatility `pslist` output.
  • SIEM alerts fire on unusual login patterns, such as many failures from one source or logons at unexpected hours.


References:

Reported By: Obafemi Agbi – Hackers Feeds
