SOC (Security Operations Centre) Analyst’s Quick Reference Guide


A SOC Analyst’s role revolves around rapid detection, response, and continuous learning. Below is a detailed breakdown of essential phases, tools, commands, and responsibilities to stay sharp in the Security Operations Center (SOC).

🔹 Incident Response Phases

✅ Preparation – Define policies, procedures, and playbooks for incident handling.
✅ Identification – Detect potential threats using SIEM tools, logs, and alerts.
✅ Containment – Isolate affected systems to minimize damage (short-term & long-term containment).
✅ Eradication – Remove malware, close vulnerabilities, and eliminate root causes.
✅ Recovery – Restore systems, validate functionality, and monitor for recurrence.
✅ Lessons Learned – Conduct a post-incident review to improve future responses.

🔹 Must-Know Tools & Commands

Packet Analysis & Capture

  • Wireshark:
    wireshark
    Filter HTTP traffic (display filter; matches by port, so HTTP on other ports is not shown):
    tcp.port == 80
  • Tcpdump:
    tcpdump -i eth0 -w capture.pcap
    Filter ICMP packets:
    tcpdump -i eth0 icmp

Network Scanning & Enumeration

  • Nmap:
    nmap -sV -p 1-1000 <target_IP>
    OS detection:
    nmap -O <target_IP>
  • Netcat (Network Debugging):
    Listen on a port:
    nc -nvlp 4444
    Connect to a remote host:
    nc <IP> <port>

Log Analysis & SIEM

  • Splunk Query:
    source="/var/log/auth.log" | top limit=10 user 
    
  • Grep for Logs (Linux):
    grep "Failed password" /var/log/auth.log 
    

🔹 Key SOC Responsibilities

📌 Log Monitoring – Analyze authentication logs (/var/log/auth.log), system logs (/var/log/syslog), and firewall logs.
📌 Threat Intelligence – Use OSINT tools like VirusTotal, URLScan.io, and MISP.
📌 Phishing Analysis – Extract IOCs (Indicators of Compromise) from emails using PhishTool.
📌 SIEM Management – Tune detection rules to reduce false positives.
📌 Continuous Learning – Engage in CTFs (TryHackMe, HackTheBox), and pursue certifications (CySA+, CISSP).

You Should Know:

Linux Commands for SOC Analysts

  • Check listening TCP/UDP sockets (drop -l to include established connections):
    netstat -tuln
    
  • Monitor processes:
    top 
    
  • Check file integrity (Hashing):
    sha256sum suspicious_file 
    
  • Extract IPs from logs:
    awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -nr 
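
The grep for "Failed password" in the SIEM section and the awk | sort | uniq -c pipeline above both reduce to the same task: pull user and source IP out of each auth.log line, count per IP, and decide what is worth an alert. The script below is an added example (not part of the original post) that does this in Python, the automation language the post recommends for log parsing. The log lines are constructed samples in the standard syslog-style sshd format; the threshold of 3 failures and the "high if the same IP later authenticated successfully" rule are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/auth.log (sshd lines in syslog format).
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:12 web01 sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 08:01:14 web01 sshd[1234]: Failed password for root from 203.0.113.5 port 51235 ssh2
Mar 10 08:01:15 web01 sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar 10 08:01:17 web01 sshd[1238]: Failed password for invalid user oracle from 203.0.113.5 port 51237 ssh2
Mar 10 08:01:40 web01 sshd[1239]: Accepted password for root from 203.0.113.5 port 51238 ssh2
Mar 10 08:02:01 web01 sshd[1240]: Accepted password for alice from 198.51.100.7 port 40000 ssh2
Mar 10 08:02:30 web01 sshd[1242]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Mar 10 08:03:00 web01 CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# "invalid user" is optional: sshd only adds it when the account does not exist.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)
ACCEPTED_RE = re.compile(
    r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_auth_log(text):
    """Return (failed, accepted): lists of (user, ip) tuples, one per matching line."""
    failed, accepted = [], []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed.append((m.group("user"), m.group("ip")))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group("user"), m.group("ip")))
    return failed, accepted


def failures_by_ip(failed):
    """Same result as awk '{print ip}' | sort | uniq -c | sort -nr: (ip, count), highest first."""
    return Counter(ip for _, ip in failed).most_common()


def users_by_ip(failed):
    """Which usernames each source IP tried; many distinct users from one IP suggests spraying."""
    tried = defaultdict(set)
    for user, ip in failed:
        tried[ip].add(user)
    return tried


def flag_brute_force(failed, accepted, threshold=3):
    """Flag IPs with >= threshold failures (assumed threshold).
    Severity is 'high' when the same IP also has a successful login, because
    a success following a burst of failures is the case that needs triage first."""
    success_ips = {ip for _, ip in accepted}
    tried = users_by_ip(failed)
    findings = []
    for ip, n in failures_by_ip(failed):
        if n >= threshold:
            findings.append({
                "ip": ip,
                "failures": n,
                "users": sorted(tried[ip]),
                "severity": "high" if ip in success_ips else "medium",
            })
    return findings


def analyze(text, threshold=3):
    """Parse a whole auth.log text and return the findings list."""
    failed, accepted = parse_auth_log(text)
    return flag_brute_force(failed, accepted, threshold)


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUTH_LOG):
        print(f"[{f['severity'].upper()}] {f['ip']}: {f['failures']} failures, users={f['users']}")
```

To run it against a real file, replace SAMPLE_AUTH_LOG with open("/var/log/auth.log").read(); the regex covers OpenSSH's "Failed password" and "Accepted <method>" lines only, so other PAM or sudo events are ignored rather than miscounted.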
    

Windows Commands for Incident Response

  • List all active connections:
    netstat -ano 
    
  • Check scheduled tasks:
    schtasks /query /fo LIST 
    
  • Dump process memory:
    procdump -ma <PID> 
    

What Undercode Say:

A SOC analyst must blend defensive tactics with offensive knowledge. Mastering tools like Wireshark, Nmap, and Splunk is crucial, but understanding attack methodologies (MITRE ATT&CK) enhances detection. Automation (Python scripting for log parsing) and threat hunting (YARA rules) separate good analysts from great ones.

Expected Output:

  • A structured incident report with timeline, IOCs, and remediation steps.
  • Enhanced SIEM rules to prevent future breaches.
  • Regular threat intelligence updates integrated into monitoring.


Reported By: Maaouiaadem Soc – Hackers Feeds
