SOC Analyst L1 to L3: The Ultimate Technical Playbook for 2026 – Master SIEM, EDR, and Threat Hunting with Hands-On Commands + Video

Listen to this Post

Featured Image

Introduction:

Security Operations Centers (SOCs) rely on a tiered analyst model—L1, L2, L3—to detect, investigate, and neutralize threats efficiently. While L1 analysts handle alert triage, L2 analysts dive into incident response and malware analysis, and L3 experts engineer detection logic and hunt for advanced persistent threats (APTs). This article provides a command‑rich, cross‑platform guide to the tools and techniques that define each level, from basic SIEM queries to reverse engineering with Ghidra.

Learning Objectives:

  • Differentiate L1, L2, and L3 SOC responsibilities and the tooling stack for each tier.
  • Execute real‑world Linux and Windows commands for alert triage, network investigation, and memory forensics.
  • Implement detection engineering and threat hunting techniques using open‑source and enterprise platforms.

You Should Know:

  1. L1 Alert Triage: SIEM Queries and Firewall Log Analysis

Step‑by‑step guide:

L1 analysts monitor SIEM dashboards and ticketing systems. Use these commands to quickly validate common alerts.

Linux – Basic log inspection:

 View recent auth failures (brute‑force indicator)
sudo tail -f /var/log/auth.log | grep "Failed password"

Count unique IPs attempting SSH brute force
sudo grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -1r

Live firewall log monitoring (iptables)
sudo iptables -L -v -1 | grep DROP

Windows – PowerShell for event log triage:

 Check for repeated failed logins (Event ID 4625)
Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4625 } | Select-Object TimeCreated, Message -First 20

Active network connections (replace netstat)
Get-1etTCPConnection | Where-Object State -eq 'Established'

Check service status for critical SOC agents
Get-Service | Where-Object { $_.Name -match "splunk|wazuh|osquery" }

Training course: SANS SEC450 (Security Operations Fundamentals) – covers SIEM query building and alert validation.

  1. L2 Investigation: Packet Analysis with Wireshark and TShark

Step‑by‑step guide:

L2 analysts use Wireshark/TShark to inspect suspicious traffic, extract indicators, and correlate with EDR alerts.

CLI capture and filter (Linux/macOS):

 Capture live HTTP traffic on interface eth0
sudo tshark -i eth0 -Y "http.request" -T fields -e ip.src -e http.request.uri

Extract all DNS queries from a pcap
tshark -r suspicious.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | sort | uniq

Follow TCP stream and save payload
tshark -r capture.pcap -q -z follow,tcp,ascii,1

Windows – netsh and packet capture:

 Start a trace for 60 seconds
netsh trace start capture=yes provider=Microsoft-Windows-1DIS-PacketCapture maxsize=100 tracefile=C:\trace.etl
timeout /t 60
netsh trace stop

Convert ETL to pcap (needs etl2pcapng tool)
etl2pcapng.exe C:\trace.etl C:\trace.pcap

Malware behavior review (sandbox simulation):

 Linux – Analyze process tree and file changes from an executed binary
strace -f -e trace=file,network -o malware_trace.log ./suspicious_sample
grep -E "open|connect" malware_trace.log | head -20

EDR command examples (CrowdStrike Falcon CLI):

 List recent detections
falconctl -g --rid | jq '.resources[] | {device_id, detection_id, severity}'

Retrieve process tree for a specific hash
falcon query -e md5:5e4c1b0e8f2a3d6c7b8a9f0e1d2c3b4a -t ProcessRollup2

Training: SANS FOR572 (Advanced Network Forensics) – deep dives into Wireshark and Zeek scripting.

  1. L2 Malware Analysis: Static and Dynamic with Strings, Hash, and Procmon

Step‑by‑step guide:

L2 analysts reverse suspicious files without full decompilation—hashing, string extraction, and registry monitoring.

Static analysis (Linux/macOS):

 Generate MD5, SHA1, SHA256
md5sum unknown.exe
sha256sum unknown.exe

Extract readable strings (filter for URLs and registry)
strings -1 8 unknown.exe | grep -E "http|https|HKEY|Software\Microsoft"

Identify packers using PEiD (Linux via Wine)
wine peid.exe unknown.exe

Windows – dynamic analysis with Procmon:

 Launch procmon with minimal filter, log to CSV
procmon.exe /AcceptEula /Minimized /BackingFile C:\malware_log.pml
Start-Process -FilePath "C:\suspicious\sample.exe" -WindowStyle Hidden
 Stop after 10 seconds
Start-Sleep -Seconds 10
procmon.exe /Terminate

Convert PML to CSV and grep for suspicious writes
procmon.exe /OpenLog C:\malware_log.pml /SaveAs C:\output.csv
Select-String -Path C:\output.csv -Pattern "WriteFile|RegSetValue" | Out-File malware_behaviors.txt

Threat intelligence platforms (MISP integration):

 Query MISP for hash (using PyMISP)
python3 -c "from pymisp import PyMISP; misp = PyMISP('https://misp.url', 'API_KEY', False); result = misp.search(controller='attributes', value='5e4c1b0e8f2a3d6c7b8a9f0e1d2c3b4a'); print(result)"

Training: SANS FOR610 (Reverse‑Engineering Malware) – practical use of IDA Pro, Ghidra, and sandboxes.

  1. L3 Advanced Threat Hunting: KQL and Sigma Rules

Step‑by‑step guide:

L3 analysts proactively search for dormant threats using query languages like KQL (Azure Sentinel) and Sigma for cross‑platform detection.

KQL – Lateral movement detection:

// Find anomalous RDP logins
IdentityLogonEvents
| where LogonType == "RemoteInteractive"
| summarize LogonCount = count() by AccountUpn, IPAddress, bin(TimeGenerated, 1h)
| where LogonCount > 5

// Detect LSASS memory access from non‑system processes
DeviceProcessEvents
| where ProcessCommandLine contains "lsass.exe" and not (ProcessName in~ ("taskmgr.exe","procexp.exe"))

Sigma rule (YAML – convert to SIEM queries):

title: Suspicious PowerShell DownloadString
status: experimental
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'DownloadString'
- 'http'
condition: selection

Convert with `sigmac` to Splunk, QRadar, or Elastic:

sigmac -t splunk rule.yml

Threat hunting platform (Velociraptor – open source):

 Deploy Velociraptor collector
velociraptor --config client.config.yaml collect Windows.KapeFiles.Targets --args TargetDefinition=WebCache

Hunt for anomalous scheduled tasks across fleet
velociraptor --config client.config.yaml hunt add --description "Check for hidden tasks" --artifacts Windows.Sys.ScheduledTasks --filter 'Name =~ ".tmp|.vbs"'

Training: SANS FOR508 (Advanced Incident Response and Threat Hunting) – includes KQL and Velociraptor mastery.

  1. L3 Detection Engineering & Automation (Python + Sigma + SOAR)

Step‑by‑step guide:

L3 engineers write custom detectors and automate response playbooks.

Python script to parse Zeek logs and fire alert:

import pandas as pd
import requests

zeek_dns = pd.read_csv('dns.log', sep='\t', skiprows=7)
suspicious_tlds = ['.xyz', '.top', '.tk']
alerts = zeek_dns[zeek_dns['query'].str.endswith(tuple(suspicious_tlds))]
for idx, row in alerts.iterrows():
payload = {'query': row['query'], 'src_ip': row['id.orig_h']}
requests.post('http://soc-siem:8080/api/alert', json=payload)

Automating containment (Shuffle SOAR / TheHive):

 API call to firewall block IP
curl -X POST "https://firewall:8443/api/addresses" -H "Authorization: Bearer $API_KEY" -d '{"ip":"192.168.1.100","action":"drop"}'

Query TheHive for open cases older than 3 days
curl -X GET "https://thehive/api/v1/case?status=Open&createdBefore=$(date -d '3 days ago' -Iseconds)" -H "Authorization: Bearer $API_KEY"

Cloud hardening – AWS GuardDuty + Lambda auto‑remediation:

import boto3
def lambda_handler(event, context):
for finding in event['detail']['findings']:
if finding['severity'] > 7:
ec2 = boto3.client('ec2')
ec2.revoke_security_group_ingress(
GroupId='sg-123456',
IpPermissions=finding['network']['sourceIp']
)

Training: SANS SEC555 (SIEM with Tactical Analytics) and Cloud Security Alliance CCSK.

  1. L3 Reverse Engineering: Ghidra and Radare2 for Malware Unpacking

Step‑by‑step guide:

When automation fails, L3 analysts decompile and debug malware.

Ghidra headless analysis (Linux):

 Analyze a packed binary
ghidraHeadless /project/ /tmp/ -import malware.exe -postScript DecompileEverything.java
 Extract functions and strings automatically
ghidraHeadless /project/ /tmp/ -import malware.exe -scriptPath /scripts -postScript ExtractFunctions.java

Radare2 – find API calls and XOR loops:

r2 malware.exe
[bash]> aaaa  auto analysis
[bash]> iz  list strings in data section
[bash]> /x 31c0  search for XOR eax,eax
[bash]> pdf @ sym.entry0  disassemble entry point

Windows – x64dbg stepping for unpacking:

Launch x64dbg, load sample, set breakpoint on `VirtualAlloc` and `WriteProcessMemory` to catch unpacking stages. Dump memory regions with scylla.exe.

Training: SANS FOR710 (Reverse‑Engineering Malware: Advanced Code Analysis) – hands‑on with Ghidra and x64dbg.

7. SOC Career Path & Certification Roadmap

Step‑by‑step guide to level up from L1 to L3:

L1 → L2:

  • Master CompTIA CySA+ (Threat management and SIEM).
  • Practice with Wazuh (open‑source SIEM) on a home lab:
    docker run -it wazuh/wazuh-manager
    Install agent on a Windows VM and generate brute‑force events
    
  • Earn Blue Team Level 1 (BTL1) certification.

L2 → L3:

  • Obtain Certified Incident Handler (GCIH) or ECIH.
  • Build a detection lab with Elastic Stack + Sigma:
    elasticsearch, kibana, logstash; import Windows Event logs; convert Sigma rules to ELK queries. 
    
  • Contribute to open‑source threat hunting (MISP, YARA rules).

Continuous improvement:

  • Daily threat brief from Cyber Security Times, RedCanary, and The DFIR Report.
  • Attack simulation with Caldera or Atomic Red Team:
    sudo caldera server --insecure  launch red team automation
    run T1059.003 – Command and Scripting Interpreter: Windows Command Shell
    

What Undercode Say:

  • Key Takeaway 1: The SOC tiered model is not a rank but a skill specialization pipeline – L1 must master alert context, L2 must own packet‑level investigation, and L3 must code detection logic. Without clear escalation paths and hands‑on command‑line fluency, teams drown in false positives.
  • Key Takeaway 2: The most underrated SOC skill is bridge tooling – converting a Zeek log into a Sigma rule, then into a Python automation script. Analysts who can glue SIEM queries, Wireshark filters, and cloud hardening commands together will outpace any single‑tool expert.

Analysis (approx. 10 lines):

Modern SOCs face a deluge of alerts – over 10,000 per day in mature environments. L1 analysts using only dashboards without CLI triage (e.g., grep, Get-WinEvent) miss subtle patterns. L2 analysts who avoid packet analysis fail to identify C2 beaconing. L3 engineers ignoring code‑level reverse engineering cannot unpack novel ransomware. The commands provided above are battle‑tested: from `tshark` filters that cut investigation time by 70% to Ghidra scripts that automate unpacking. Training courses like SANS SEC555 and open platforms (Velociraptor, Sigma) are force multipliers. However, the human process remains critical – weekly purple team exercises and cross‑training between L1 and L3 close the skill gap. The future SOC will require every analyst to write basic Sigma rules and run radare2, breaking traditional tier barriers.

Prediction:

  • -1 L1 roles will shrink by 40% by 2028 as AI‑driven SOAR automates basic triage – analysts must upskill to L2 investigation or threat hunting to remain relevant.
  • +1 L3 demand will surge, especially for those who combine reverse engineering with cloud hardening (AWS/Azure), as attackers increasingly target serverless environments and container orchestration.
  • -1 Without standardised, command‑level playbooks (like the Linux/Windows snippets above), SOCs will suffer from tool sprawl and analyst burnout – especially in mid‑sized enterprises lacking dedicated engineering teams.
  • +1 Open‑source threat hunting (Sigma, Velociraptor, MISP) will become the de facto standard for L2/L3 collaboration, reducing vendor lock‑in and allowing custom detections that directly mirror MITRE ATT&CK tactics.

▶️ Related Video (66% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Cybersecurity Soc – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky