SOC (Security Operations Centre) Analyst Guide: Detection, Response & Tools


A SOC Analyst’s role revolves around rapid detection, response, and continuous learning. Below is a detailed breakdown of key phases, tools, and responsibilities.

Incident Response Phases

  1. Preparation – Define policies, procedures, and incident response playbooks.
  2. Identification – Detect potential threats using SIEM, EDR, and log analysis.
  3. Containment – Isolate affected systems to minimize damage (short-term & long-term containment).
  4. Eradication – Remove malware, close vulnerabilities, and eliminate persistence mechanisms.
  5. Recovery – Restore systems safely and verify functionality.
  6. Lessons Learned – Document findings and improve response strategies.

Must-Know Tools & Commands

Packet Analysis & Network Traffic

  • Wireshark: launch the GUI (live capture needs raw-socket privileges; opening a saved file does not):
    wireshark 

    Display filter for web traffic on the standard ports (443 carries TLS, so those payloads will not be readable; the filter `http` matches only dissected HTTP):
    tcp.port == 80 || tcp.port == 443 

  • Tcpdump: capture traffic on eth0 to a file for later analysis:
    tcpdump -i eth0 -w capture.pcap 

    Filter DNS queries and responses (UDP and TCP port 53):
    tcpdump -i eth0 port 53 

  • Nmap: full TCP port scan (all 65535 ports) with service/version detection; scan only hosts you are authorised to test:
    nmap -sV -p- <target_IP> 

    OS fingerprinting (needs root, as it sends raw packets):
    nmap -O <target_IP> 

  • Netcat: listen on a port (for example, to receive a file or a callback during an engagement):
    nc -lvnp 4444 

    Connect to a remote host on that port:
    nc <target_IP> 4444 
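The DNS filter above shows queries as they happen; the same check is often run afterwards over a saved capture. The following Python script is an added example, not code from the original page: it reads a classic pcap from memory, walks the Ethernet/IPv4/UDP headers with the standard library only, pulls out every query name, and applies a crude long-label heuristic for DNS tunnelling. The capture it parses is constructed inline (three frames with zeroed checksums); the addresses, hostnames and the 30-character label threshold are made up for the example.

```python
import socket
import struct

# --- builders for a constructed sample capture (not real traffic) -----------

def _encode_qname(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (length-prefixed, NUL-terminated)."""
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"

def _ipv4_frame(src_ip: str, dst_ip: str, proto: int, payload: bytes) -> bytes:
    """Ethernet II + IPv4 header around a transport payload; checksums left at zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth_hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth_hdr + ip_hdr + payload

def dns_query_frame(src_ip: str, resolver_ip: str, qname: str, txid: int = 0x1234) -> bytes:
    """A standard recursive A query for qname, sent over UDP/53 (constructed)."""
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + _encode_qname(qname) + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    return _ipv4_frame(src_ip, resolver_ip, 17, udp)

def tcp_syn_frame(src_ip: str, dst_ip: str, dport: int) -> bytes:
    """A bare TCP SYN; present only so the filter has non-DNS traffic to skip."""
    tcp = struct.pack("!HHIIBBHHH", 40001, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)
    return _ipv4_frame(src_ip, dst_ip, 6, tcp)

def build_pcap(frames) -> bytes:
    """Wrap Ethernet frames in a little-endian classic pcap (LINKTYPE_ETHERNET = 1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

# --- the analysis part -----------------------------------------------------

def extract_dns_queries(pcap: bytes):
    """Return (ts_sec, src_ip, qname) for every DNS query (not response) in an Ethernet pcap."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are supported")
    queries, off = [], 24
    while off + 16 <= len(pcap):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x00":   # not IPv4, or too short for IP+UDP
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 17:                                # protocol field: 17 = UDP
            continue
        udp = 14 + ihl
        _sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
        if dport != 53:
            continue
        dns = udp + 8
        flags, qdcount = struct.unpack("!HH", frame[dns + 2:dns + 6])
        if flags & 0x8000 or qdcount == 0:                     # QR bit set = response; no question = skip
            continue
        labels, p = [], dns + 12
        while True:
            if p >= len(frame):
                raise ValueError("truncated question section")
            n = frame[p]
            if n == 0:
                break
            if n & 0xC0:                                       # compression pointer is not valid in a query name
                raise ValueError("unexpected label compression in question section")
            labels.append(frame[p + 1:p + 1 + n].decode("ascii", "replace"))
            p += 1 + n
        queries.append((ts_sec, socket.inet_ntoa(frame[26:30]), ".".join(labels)))
    return queries

def flag_tunneling_candidates(queries, max_label_len=30, max_labels=5):
    """Crude DNS-tunnelling heuristic: very long labels or very deep names (thresholds are assumptions)."""
    return [q for q in queries
            if any(len(label) > max_label_len for label in q[2].split(".")) or q[2].count(".") + 1 > max_labels]

# Constructed capture: two queries from different hosts plus one TCP SYN to be ignored.
SAMPLE_PCAP = build_pcap([
    dns_query_frame("10.0.0.5", "10.0.0.1", "example.com"),
    tcp_syn_frame("10.0.0.5", "93.184.216.34", 80),
    dns_query_frame("10.0.0.7", "10.0.0.1", "aGVsbG8gd29ybGQgdGhpcyBpcyBsb25n.c2.example"),
])

if __name__ == "__main__":
    found = extract_dns_queries(SAMPLE_PCAP)
    for ts, src, name in found:
        print(ts, src, name)
    print("tunnelling candidates:", flag_tunneling_candidates(found))
```

To run it over a real file, replace `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()`; captures written by `tcpdump -w` are classic pcap, while Wireshark defaults to pcapng, which this reader deliberately rejects rather than misparse.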

Log Analysis & SIEM

  • Splunk: search ingested auth logs for failed SSH password attempts (the quoted string is a free-text match on the raw event):
    source="/var/log/auth.log" "Failed password" 
    
  • Grep (Linux log analysis): sshd logs "Failed password", while PAM logs "authentication failure" for sudo, login and other services; on RHEL-family systems the file is /var/log/secure rather than /var/log/auth.log:
    grep "authentication failure" /var/log/auth.log 
    
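Matching the string is only the first step; the alert an analyst actually wants is "many failures from one source in a short window, especially when a success follows". The Python below is an added example (not from the original page) of that logic run over a handful of constructed Debian-style auth.log lines. The host name, addresses, thresholds (5 failures in 60 s; a success after 3 recent failures) and the assumed year 2024 are made up for the example, the year being needed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd result lines in Debian/Ubuntu syslog format; the year is absent and supplied by the caller.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_sshd_line(line: str, year: int = 2024):
    """Return {'ts','result','user','ip'} for an sshd auth result line, or None for any other line."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    # collapse the double space in "Mar  3" before parsing
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}

def detect_ssh_bruteforce(lines, threshold=5, window_seconds=60, success_after=3, year=2024):
    """Sliding-window brute-force detection over auth.log lines in time order.

    medium: at least `threshold` failures from one source IP inside the window (raised once per IP)
    high:   a successful login from an IP that still has >= `success_after` failures in the window
    """
    recent = defaultdict(deque)      # source IP -> failure timestamps still inside the window
    already_alerted = set()
    alerts = []
    for line in lines:
        ev = parse_sshd_line(line, year)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_seconds:   # drop failures outside the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in already_alerted:
                already_alerted.add(ip)
                alerts.append({"severity": "medium", "ip": ip, "ts": ts,
                               "reason": f"{len(q)} failed SSH logins within {window_seconds}s"})
        elif len(q) >= success_after:
            alerts.append({"severity": "high", "ip": ip, "ts": ts, "user": ev["user"],
                           "reason": f"login succeeded after {len(q)} recent failures"})
    return alerts

# Constructed sample log: one password-spraying source that eventually gets in, one legitimate user
# with a single typo, and an unrelated CRON line the parser must ignore.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Mar  3 10:15:02 bastion sshd[1203]: Failed password for invalid user oracle from 203.0.113.9 port 51124 ssh2
Mar  3 10:15:04 bastion sshd[1205]: Failed password for root from 203.0.113.9 port 51130 ssh2
Mar  3 10:15:05 bastion CRON[1210]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 10:15:07 bastion sshd[1207]: Failed password for root from 203.0.113.9 port 51134 ssh2
Mar  3 10:15:09 bastion sshd[1209]: Failed password for root from 203.0.113.9 port 51140 ssh2
Mar  3 10:15:12 bastion sshd[1211]: Failed password for root from 203.0.113.9 port 51144 ssh2
Mar  3 10:15:40 bastion sshd[1213]: Accepted password for root from 203.0.113.9 port 51200 ssh2
Mar  3 10:20:00 bastion sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar  3 10:20:10 bastion sshd[1302]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(alert["ts"], alert["severity"].upper(), alert["ip"], alert["reason"])
```

The "success after failures" rule is the one worth escalating: a burst of failures on its own is background noise on any Internet-facing host, but a success from the same source within the window means the account should be treated as compromised until proven otherwise. Alice's single failed attempt followed by a key-based login is correctly left alone.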
    

Key SOC Responsibilities

  • Log Monitoring: Check `/var/log/auth.log` (Debian/Ubuntu) or `/var/log/secure` (RHEL/CentOS) on Linux, and the Security log in Event Viewer on Windows (for example event IDs 4624/4625 for logon success/failure), for suspicious activity.
  • Threat Intelligence: Use platforms like MISP, AlienVault OTX, or IBM X-Force to enrich indicators.
  • Phishing Analysis: check attachments and links against reputation services before detonating anything; look up hashes first, since uploading an internal document to a public service discloses it:
    – VirusTotal: `https://www.virustotal.com`
    – URLScan.io: `https://urlscan.io`
  • SIEM Management: Tune and optimise detection rules in Splunk, Elastic SIEM, or Microsoft Sentinel.
  • Continuous Learning: Practise on Hack The Box, TryHackMe, or Blue Team Labs.

You Should Know: Essential Commands & Techniques

Linux Forensics & Incident Response

  • Check running processes (note that grep will also match its own command line; `ps aux` alone lists everything):
    ps aux | grep -i "suspicious_process" 
    
  • List open files by a process:
    lsof -p <PID> 
    
  • Check listening sockets and the owning processes (`ss -tulnp` is the equivalent on distributions that no longer ship net-tools):
    netstat -tulnp 
    
  • Analyze memory dumps with Volatility. The Linux plugins are prefixed `linux_` in Volatility 2 (and `linux.` in Volatility 3); `pslist` on its own is the Windows plugin. The profile (or, in Volatility 3, the symbol table) must be built for the exact kernel of the imaged host:
    volatility -f memory.dump --profile=<LinuxProfile> linux_pslist 
    
    

Windows Incident Response

  • List all active connections:
    netstat -ano 
    
  • Check scheduled tasks:
    schtasks /query /fo LIST /v 
    
  • Extract the Security event log as text (this dumps the whole log; `/c:<n>` limits the number of events and `/rd:true` returns the newest first):
    wevtutil qe Security /f:text 
    

What Undercode Say

A SOC Analyst must master both defensive and offensive techniques. Automation (Python/Bash scripting) enhances efficiency, while threat intelligence integration keeps defenses updated. Regular red-blue team exercises improve response readiness.

Expected Output:

  • Packet captures (tcpdump, Wireshark)
  • SIEM alerts (Splunk, Elastic)
  • Incident reports (containment steps, IOCs)
  • Forensic artifacts (memory dumps, logs)

Relevant URLs:

  • VirusTotal: `https://www.virustotal.com`
  • URLScan.io: `https://urlscan.io`
  • MITRE ATT&CK: `https://attack.mitre.org`

References:

Reported By: Michael Morad – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
