Listen to this Post

Introduction:
Security Operations Centers (SOCs) rely on a tiered analyst model—L1, L2, L3—to detect, investigate, and neutralize threats efficiently. While L1 analysts handle alert triage, L2 analysts dive into incident response and malware analysis, and L3 experts engineer detection logic and hunt for advanced persistent threats (APTs). This article provides a command‑rich, cross‑platform guide to the tools and techniques that define each level, from basic SIEM queries to reverse engineering with Ghidra.
Learning Objectives:
- Differentiate L1, L2, and L3 SOC responsibilities and the tooling stack for each tier.
- Execute real‑world Linux and Windows commands for alert triage, network investigation, and memory forensics.
- Implement detection engineering and threat hunting techniques using open‑source and enterprise platforms.
You Should Know:
- L1 Alert Triage: SIEM Queries and Firewall Log Analysis
Step‑by‑step guide:
L1 analysts monitor SIEM dashboards and ticketing systems. Use these commands to quickly validate common alerts.
Linux – Basic log inspection:
View recent auth failures (brute‑force indicator)
sudo tail -f /var/log/auth.log | grep "Failed password"
Count unique IPs attempting SSH brute force
sudo grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -1r
Live firewall log monitoring (iptables)
sudo iptables -L -v -1 | grep DROP
Windows – PowerShell for event log triage:
Check for repeated failed logins (Event ID 4625)
Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4625 } | Select-Object TimeCreated, Message -First 20
Active network connections (replace netstat)
Get-1etTCPConnection | Where-Object State -eq 'Established'
Check service status for critical SOC agents
Get-Service | Where-Object { $_.Name -match "splunk|wazuh|osquery" }
Training course: SANS SEC450 (Security Operations Fundamentals) – covers SIEM query building and alert validation.
- L2 Investigation: Packet Analysis with Wireshark and TShark
Step‑by‑step guide:
L2 analysts use Wireshark/TShark to inspect suspicious traffic, extract indicators, and correlate with EDR alerts.
CLI capture and filter (Linux/macOS):
Capture live HTTP traffic on interface eth0 sudo tshark -i eth0 -Y "http.request" -T fields -e ip.src -e http.request.uri Extract all DNS queries from a pcap tshark -r suspicious.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | sort | uniq Follow TCP stream and save payload tshark -r capture.pcap -q -z follow,tcp,ascii,1
Windows – netsh and packet capture:
Start a trace for 60 seconds netsh trace start capture=yes provider=Microsoft-Windows-1DIS-PacketCapture maxsize=100 tracefile=C:\trace.etl timeout /t 60 netsh trace stop Convert ETL to pcap (needs etl2pcapng tool) etl2pcapng.exe C:\trace.etl C:\trace.pcap
Malware behavior review (sandbox simulation):
Linux – Analyze process tree and file changes from an executed binary strace -f -e trace=file,network -o malware_trace.log ./suspicious_sample grep -E "open|connect" malware_trace.log | head -20
EDR command examples (CrowdStrike Falcon CLI):
List recent detections
falconctl -g --rid | jq '.resources[] | {device_id, detection_id, severity}'
Retrieve process tree for a specific hash
falcon query -e md5:5e4c1b0e8f2a3d6c7b8a9f0e1d2c3b4a -t ProcessRollup2
Training: SANS FOR572 (Advanced Network Forensics) – deep dives into Wireshark and Zeek scripting.
- L2 Malware Analysis: Static and Dynamic with Strings, Hash, and Procmon
Step‑by‑step guide:
L2 analysts reverse suspicious files without full decompilation—hashing, string extraction, and registry monitoring.
Static analysis (Linux/macOS):
Generate MD5, SHA1, SHA256 md5sum unknown.exe sha256sum unknown.exe Extract readable strings (filter for URLs and registry) strings -1 8 unknown.exe | grep -E "http|https|HKEY|Software\Microsoft" Identify packers using PEiD (Linux via Wine) wine peid.exe unknown.exe
Windows – dynamic analysis with Procmon:
Launch procmon with minimal filter, log to CSV procmon.exe /AcceptEula /Minimized /BackingFile C:\malware_log.pml Start-Process -FilePath "C:\suspicious\sample.exe" -WindowStyle Hidden Stop after 10 seconds Start-Sleep -Seconds 10 procmon.exe /Terminate Convert PML to CSV and grep for suspicious writes procmon.exe /OpenLog C:\malware_log.pml /SaveAs C:\output.csv Select-String -Path C:\output.csv -Pattern "WriteFile|RegSetValue" | Out-File malware_behaviors.txt
Threat intelligence platforms (MISP integration):
Query MISP for hash (using PyMISP)
python3 -c "from pymisp import PyMISP; misp = PyMISP('https://misp.url', 'API_KEY', False); result = misp.search(controller='attributes', value='5e4c1b0e8f2a3d6c7b8a9f0e1d2c3b4a'); print(result)"
Training: SANS FOR610 (Reverse‑Engineering Malware) – practical use of IDA Pro, Ghidra, and sandboxes.
- L3 Advanced Threat Hunting: KQL and Sigma Rules
Step‑by‑step guide:
L3 analysts proactively search for dormant threats using query languages like KQL (Azure Sentinel) and Sigma for cross‑platform detection.
KQL – Lateral movement detection:
// Find anomalous RDP logins
IdentityLogonEvents
| where LogonType == "RemoteInteractive"
| summarize LogonCount = count() by AccountUpn, IPAddress, bin(TimeGenerated, 1h)
| where LogonCount > 5
// Detect LSASS memory access from non‑system processes
DeviceProcessEvents
| where ProcessCommandLine contains "lsass.exe" and not (ProcessName in~ ("taskmgr.exe","procexp.exe"))
Sigma rule (YAML – convert to SIEM queries):
title: Suspicious PowerShell DownloadString status: experimental logsource: category: process_creation product: windows detection: selection: CommandLine|contains|all: - 'DownloadString' - 'http' condition: selection
Convert with `sigmac` to Splunk, QRadar, or Elastic:
sigmac -t splunk rule.yml
Threat hunting platform (Velociraptor – open source):
Deploy Velociraptor collector velociraptor --config client.config.yaml collect Windows.KapeFiles.Targets --args TargetDefinition=WebCache Hunt for anomalous scheduled tasks across fleet velociraptor --config client.config.yaml hunt add --description "Check for hidden tasks" --artifacts Windows.Sys.ScheduledTasks --filter 'Name =~ ".tmp|.vbs"'
Training: SANS FOR508 (Advanced Incident Response and Threat Hunting) – includes KQL and Velociraptor mastery.
- L3 Detection Engineering & Automation (Python + Sigma + SOAR)
Step‑by‑step guide:
L3 engineers write custom detectors and automate response playbooks.
Python script to parse Zeek logs and fire alert:
import pandas as pd
import requests
zeek_dns = pd.read_csv('dns.log', sep='\t', skiprows=7)
suspicious_tlds = ['.xyz', '.top', '.tk']
alerts = zeek_dns[zeek_dns['query'].str.endswith(tuple(suspicious_tlds))]
for idx, row in alerts.iterrows():
payload = {'query': row['query'], 'src_ip': row['id.orig_h']}
requests.post('http://soc-siem:8080/api/alert', json=payload)
Automating containment (Shuffle SOAR / TheHive):
API call to firewall block IP
curl -X POST "https://firewall:8443/api/addresses" -H "Authorization: Bearer $API_KEY" -d '{"ip":"192.168.1.100","action":"drop"}'
Query TheHive for open cases older than 3 days
curl -X GET "https://thehive/api/v1/case?status=Open&createdBefore=$(date -d '3 days ago' -Iseconds)" -H "Authorization: Bearer $API_KEY"
Cloud hardening – AWS GuardDuty + Lambda auto‑remediation:
import boto3
def lambda_handler(event, context):
for finding in event['detail']['findings']:
if finding['severity'] > 7:
ec2 = boto3.client('ec2')
ec2.revoke_security_group_ingress(
GroupId='sg-123456',
IpPermissions=finding['network']['sourceIp']
)
Training: SANS SEC555 (SIEM with Tactical Analytics) and Cloud Security Alliance CCSK.
- L3 Reverse Engineering: Ghidra and Radare2 for Malware Unpacking
Step‑by‑step guide:
When automation fails, L3 analysts decompile and debug malware.
Ghidra headless analysis (Linux):
Analyze a packed binary ghidraHeadless /project/ /tmp/ -import malware.exe -postScript DecompileEverything.java Extract functions and strings automatically ghidraHeadless /project/ /tmp/ -import malware.exe -scriptPath /scripts -postScript ExtractFunctions.java
Radare2 – find API calls and XOR loops:
r2 malware.exe [bash]> aaaa auto analysis [bash]> iz list strings in data section [bash]> /x 31c0 search for XOR eax,eax [bash]> pdf @ sym.entry0 disassemble entry point
Windows – x64dbg stepping for unpacking:
Launch x64dbg, load sample, set breakpoint on `VirtualAlloc` and `WriteProcessMemory` to catch unpacking stages. Dump memory regions with scylla.exe.
Training: SANS FOR710 (Reverse‑Engineering Malware: Advanced Code Analysis) – hands‑on with Ghidra and x64dbg.
7. SOC Career Path & Certification Roadmap
Step‑by‑step guide to level up from L1 to L3:
L1 → L2:
- Master CompTIA CySA+ (Threat management and SIEM).
- Practice with Wazuh (open‑source SIEM) on a home lab:
docker run -it wazuh/wazuh-manager Install agent on a Windows VM and generate brute‑force events
- Earn Blue Team Level 1 (BTL1) certification.
L2 → L3:
- Obtain Certified Incident Handler (GCIH) or ECIH.
- Build a detection lab with Elastic Stack + Sigma:
elasticsearch, kibana, logstash; import Windows Event logs; convert Sigma rules to ELK queries.
- Contribute to open‑source threat hunting (MISP, YARA rules).
Continuous improvement:
- Daily threat brief from Cyber Security Times, RedCanary, and The DFIR Report.
- Attack simulation with Caldera or Atomic Red Team:
sudo caldera server --insecure launch red team automation run T1059.003 – Command and Scripting Interpreter: Windows Command Shell
What Undercode Say:
- Key Takeaway 1: The SOC tiered model is not a rank but a skill specialization pipeline – L1 must master alert context, L2 must own packet‑level investigation, and L3 must code detection logic. Without clear escalation paths and hands‑on command‑line fluency, teams drown in false positives.
- Key Takeaway 2: The most underrated SOC skill is bridge tooling – converting a Zeek log into a Sigma rule, then into a Python automation script. Analysts who can glue SIEM queries, Wireshark filters, and cloud hardening commands together will outpace any single‑tool expert.
Analysis (approx. 10 lines):
Modern SOCs face a deluge of alerts – over 10,000 per day in mature environments. L1 analysts using only dashboards without CLI triage (e.g., grep, Get-WinEvent) miss subtle patterns. L2 analysts who avoid packet analysis fail to identify C2 beaconing. L3 engineers ignoring code‑level reverse engineering cannot unpack novel ransomware. The commands provided above are battle‑tested: from `tshark` filters that cut investigation time by 70% to Ghidra scripts that automate unpacking. Training courses like SANS SEC555 and open platforms (Velociraptor, Sigma) are force multipliers. However, the human process remains critical – weekly purple team exercises and cross‑training between L1 and L3 close the skill gap. The future SOC will require every analyst to write basic Sigma rules and run radare2, breaking traditional tier barriers.
Prediction:
- -1 L1 roles will shrink by 40% by 2028 as AI‑driven SOAR automates basic triage – analysts must upskill to L2 investigation or threat hunting to remain relevant.
- +1 L3 demand will surge, especially for those who combine reverse engineering with cloud hardening (AWS/Azure), as attackers increasingly target serverless environments and container orchestration.
- -1 Without standardised, command‑level playbooks (like the Linux/Windows snippets above), SOCs will suffer from tool sprawl and analyst burnout – especially in mid‑sized enterprises lacking dedicated engineering teams.
- +1 Open‑source threat hunting (Sigma, Velociraptor, MISP) will become the de facto standard for L2/L3 collaboration, reducing vendor lock‑in and allowing custom detections that directly mirror MITRE ATT&CK tactics.
▶️ Related Video (66% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Cybersecurity Soc – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


