The SOC Analyst Blueprint: 11 Weeks to Master Logs, MITRE ATT&CK, and Incident Response (Without Getting Lost in Dashboards) + Video

Introduction:

Security Operations Center (SOC) analysts are the frontline defenders who detect, investigate, and respond to cyber threats. The most effective SOC professionals are not built by memorizing SIEM dashboards first; they develop deep expertise in networks, operating systems, log analysis, and attacker behavior. This article provides a structured, hands-on roadmap to transform foundational knowledge into job-ready SOC skills using home labs, open-source tools, and proven detection engineering techniques.

Learning Objectives:

  • Build a fully functional SOC home lab with Wazuh, Suricata, Windows, Linux, and Active Directory to simulate real-world telemetry.
  • Master log analysis commands and SIEM queries to distinguish normal activity from malicious behavior across Windows and Linux environments.
  • Apply MITRE ATT&CK tactics and techniques to create detection rules, investigate alerts, and execute incident response playbooks.

You Should Know:

  1. Building Your SOC Home Lab: Wazuh, Suricata, and Active Directory

A home lab is the cornerstone of SOC readiness. This step-by-step guide sets up a detection and response environment using open-source tools.

Step 1: Deploy Wazuh (SIEM + XDR) on Ubuntu Server

# Update the system and add the Wazuh repository (signed-by keyring; apt-key is deprecated)
sudo apt update && sudo apt upgrade -y
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
sudo chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
sudo apt update
sudo apt install wazuh-manager -y
sudo systemctl enable wazuh-manager && sudo systemctl start wazuh-manager

# Install Wazuh indexer and dashboard (both need TLS certificates and host configuration
# before they start; for a single-node lab the Wazuh quickstart's assisted installer does this)
sudo apt install wazuh-indexer wazuh-dashboard -y
sudo systemctl enable wazuh-indexer wazuh-dashboard

Step 2: Install Suricata (IDS/IPS)

sudo add-apt-repository ppa:oisf/suricata-stable -y
sudo apt update
sudo apt install suricata -y
sudo suricata-update
sudo systemctl enable suricata && sudo systemctl start suricata
# Test Suricata configuration and rule parsing
sudo suricata -T -c /etc/suricata/suricata.yaml

Step 3: Set Up Windows Agent (Event Log Forwarding)
On the Windows endpoint, download the Wazuh agent from the official repository and install it from PowerShell (run as administrator):

# Download and install the Wazuh agent (adjust the version and manager IP to your lab)
Invoke-WebRequest -Uri "https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.0-1.msi" -OutFile "$env:Temp\wazuh-agent.msi"
msiexec.exe /i "$env:Temp\wazuh-agent.msi" WAZUH_MANAGER="192.168.1.100" WAZUH_REGISTRATION_SERVER="192.168.1.100" /qn
# Start the agent service so it enrolls with the manager
NET START WazuhSvc

Step 4: Configure Active Directory (Domain Controller)

Install the AD DS role on Windows Server and promote it to a domain controller. Use PowerShell (`DCPROMO` is deprecated since Windows Server 2012):

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName "soclab.local" -DomainNetbiosName "SOCLAB" -SafeModeAdministratorPassword (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -Force

  2. Mastering Log Analysis: Windows Event Logs and Linux Syslog

Understanding normal vs. abnormal logs is critical. Below are essential commands to extract and filter telemetry.

Windows Event Log Analysis (PowerShell)

# List all available logs and their record counts
Get-WinEvent -ListLog * | Select-Object LogName, RecordCount

# Get recent Security events (4624 = successful logon, 4625 = failed logon)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624,4625; StartTime=(Get-Date).AddHours(-24)} | Format-Table TimeCreated, Id, Message -AutoSize

# Find failed network/RDP logons (Event ID 4625 with logon type 3 or 10);
# Properties[5] is TargetUserName in the 4625 event schema
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} | Where-Object {$_.Message -match "Logon Type:\s+(3|10)"} | Select-Object TimeCreated, @{n='Account';e={$_.Properties[5].Value}}

Linux Log Analysis (journalctl and syslog)

# View authentication failures (SSH, sudo) from the last hour
sudo journalctl -u ssh --since "1 hour ago" | grep "Failed password"
sudo grep "authentication failure" /var/log/auth.log

# Track process execution history (requires auditd with an execve rule loaded)
sudo ausearch -m execve -ts recent -i | grep -E "comm=|exe="

# List listening sockets and their owning processes (netstat replacement)
sudo ss -tulpn

# Watch for writes/attribute changes to /etc/passwd; recall them with: ausearch -k passwd_changes
sudo auditctl -w /etc/passwd -p wa -k passwd_changes

Key Questions to Ask:

  • What is normal? (Baseline user logon hours, typical processes)
  • What changed? (New scheduled tasks, unusual parent-child processes)

  3. SIEM Query Building: From Raw Logs to Detection Rules

A SIEM transforms raw logs into actionable alerts. Below are example queries for Splunk and Microsoft Sentinel.

Splunk Query – Brute Force Detection (Windows)

index=windows EventCode=4625
| bin _time span=10m
| stats count by _time, Account_Name, Source_Network_Address
| where count > 10
| table _time, Account_Name, Source_Network_Address, count
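To show what the query above is counting, and to make the brute-force versus password-spray distinction concrete in code (the closing section observes that many candidates cannot tell the two apart in raw logs), here is an added Python example that is not part of the original article. It bins constructed 4625-style records the way `bin _time span=10m` does, flags one account hammered from one source as brute force (the `where count > 10` of the query), and separately flags one source touching many accounts with few failures each as a password spray, which the per-account threshold alone never trips. The record tuples, thresholds and function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DEFAULT_SPAN = timedelta(minutes=10)  # same bin width as `bin _time span=10m`

# Constructed sample of Windows Security Event ID 4625 (failed logon) records,
# reduced to the three fields the Splunk query groups on:
# (_time, Account_Name, Source_Network_Address).
SAMPLE_4625 = (
    # brute force: one account, one source, 12 failures within a minute
    [(f"2025-01-15T09:00:{i * 5:02d}", "alice", "10.0.0.50") for i in range(12)]
    # password spray: one source, a single failure against each of 8 accounts
    + [(f"2025-01-15T11:10:{i * 3:02d}", f"user{i:02d}", "10.0.0.77") for i in range(8)]
    # background noise: ordinary typos from two users
    + [("2025-01-15T13:05:10", "bob", "10.0.0.12"),
       ("2025-01-15T13:06:40", "carol", "10.0.0.13")]
)


def bin_time(ts: str, span: timedelta) -> datetime:
    """Floor an ISO timestamp to the start of its bin (what `bin _time span=...` does)."""
    t = datetime.fromisoformat(ts)
    return t - (t - datetime(1970, 1, 1)) % span


def classify_failed_logons(events, span=DEFAULT_SPAN,
                           brute_threshold=10, spray_min_accounts=5):
    """Return brute-force and password-spray findings over binned 4625 records.

    brute_force:    failures for one (account, source) in a bin exceed brute_threshold
    password_spray: one source fails against at least spray_min_accounts distinct
                    accounts in a bin; each account sees too few failures for the
                    brute-force rule, so the spray needs its own aggregation
    """
    per_account = defaultdict(int)   # (bin, account, source) -> failure count
    per_source = defaultdict(set)    # (bin, source) -> accounts targeted
    for ts, account, source in events:
        b = bin_time(ts, span)
        per_account[(b, account, source)] += 1
        per_source[(b, source)].add(account)

    findings = []
    for (b, account, source), n in per_account.items():
        if n > brute_threshold:
            findings.append({"type": "brute_force", "bin": b.isoformat(),
                             "account": account, "source": source, "failures": n})
    for (b, source), accounts in per_source.items():
        if len(accounts) >= spray_min_accounts:
            findings.append({"type": "password_spray", "bin": b.isoformat(),
                             "source": source, "accounts": sorted(accounts)})
    return findings


if __name__ == "__main__":
    for finding in classify_failed_logons(SAMPLE_4625):
        print(finding)
```

The two aggregations mirror two SIEM queries: the first is the Splunk search above, the second groups by source and counts distinct accounts (`dc(Account_Name)` in SPL). Tune the thresholds against your own baseline before deploying either as an alert.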

Microsoft Sentinel KQL – Suspicious PowerShell

DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine contains "-EncodedCommand"
    or ProcessCommandLine contains "-e "
    or ProcessCommandLine contains "IEX"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| take 100

Wazuh Rule Example (custom_local_rules.xml)

<group name="windows,sysmon,">
  <rule id="100010" level="10">
    <if_sid>92000</if_sid> <!-- parent rule: Sysmon event ID 1 (process creation) -->
    <!-- pcre2: a literal backslash, then nc/netcat/ncat, then a literal ".exe" at the end of the image path -->
    <field name="win.eventdata.image" type="pcre2">(?i)\\(nc|netcat|ncat)\.exe$</field>
    <description>Netcat execution detected - possible reverse shell</description>
  </rule>
</group>

4. MITRE ATT&CK for Detection Engineering

Mapping alerts to MITRE ATT&CK tactics (TA) and techniques (T) enables structured threat hunting.

Step 1: Identify common attacker behaviors

| Technique | Tactic | Detection Strategy |
|---|---|---|
| T1059.001 PowerShell | Execution | Log script blocks (PowerShell 5+), monitor -EncodedCommand |
| T1047 Windows Management Instrumentation | Execution | Enable WMI activity logging, look for wmic.exe /node: |
| T1003.001 LSASS Memory Dump | Credential Access | Detect procdump.exe or comsvcs.dll minidump |

Step 2: Create Sigma rule for LSASS access

title: Suspicious LSASS Access via Procdump
status: experimental
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 10
        TargetImage|endswith: '\lsass.exe'
        Image|endswith: '\procdump.exe'
    condition: selection
tags:
    - attack.credential_access
    - attack.t1003.001
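As an added illustration (not from the article, and not code from the Sigma project), the following Python evaluates the rule's `detection` block against constructed Sysmon Event 10 records the way a Sigma backend would: every key in a selection must match (AND), values are compared case-insensitively, a list of values is an OR, and the `|endswith` modifier compares only the tail of the field. It also shows why the modifier matters: a plain `TargetImage: '\lsass.exe'` demands an exact match, which a real full path never satisfies. The dict layout, the sample events and the function names are assumptions.

```python
# Constructed Sysmon records, flattened to the field names Sigma uses.
SAMPLE_SYSMON = [
    {"EventID": 10, "Image": r"C:\Tools\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "Image": r"C:\Tools\procdump.exe",
     "CommandLine": "procdump.exe -ma lsass.exe lsass.dmp"},
]

# The detection block of the Sigma rule above, as Python data.
RULE = {
    "selection": {
        "EventID": 10,
        "TargetImage|endswith": r"\lsass.exe",
        "Image|endswith": r"\procdump.exe",
    },
    "condition": "selection",
}

# The same rule without the modifier: plain keys mean exact (case-insensitive) equality.
RULE_EXACT = {
    "selection": {"EventID": 10, "TargetImage": r"\lsass.exe", "Image": r"\procdump.exe"},
    "condition": "selection",
}


def field_matches(event: dict, key: str, expected) -> bool:
    """Match one `Field|modifier: value(s)` entry against an event."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    actual = str(event[field]).lower()
    candidates = expected if isinstance(expected, list) else [expected]  # a list is an OR
    for cand in candidates:
        c = str(cand).lower()
        if modifier == "" and actual == c:
            return True
        if modifier == "endswith" and actual.endswith(c):
            return True
        if modifier == "startswith" and actual.startswith(c):
            return True
        if modifier == "contains" and c in actual:
            return True
    return False


def selection_matches(event: dict, selection: dict) -> bool:
    """Every key of a selection must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate(rule: dict, events: list) -> list:
    """Return the events matched by a rule whose condition names a single selection.
    (Assumption: compound conditions such as `selection and not filter` are out of scope.)"""
    name = rule["condition"].strip()
    return [ev for ev in events if selection_matches(ev, rule[name])]


if __name__ == "__main__":
    print("with |endswith:", len(evaluate(RULE, SAMPLE_SYSMON)), "hit(s)")
    print("exact match:   ", len(evaluate(RULE_EXACT, SAMPLE_SYSMON)), "hit(s)")
```

The second record (svchost.exe opening lsass.exe with a narrow access mask) is left unmatched on purpose: it is the kind of routine access that makes a bare `TargetImage|endswith: '\lsass.exe'` rule too noisy, which is why the rule also pins the accessing image.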

Step 3: Test rule with simulated attack

# On the attacker Windows VM (authorized lab only)
procdump.exe -ma lsass.exe lsass.dmp
# Then check Wazuh or Sysmon logs for Event ID 10 with TargetImage ending in lsass.exe

5. Incident Response Playbook: Ransomware Outbreak

A structured IR plan reduces dwell time. Below is a 5-step playbook for ransomware detection.

Step 1: Detection and Triage

  • Alert: Multiple file extensions changed to `.encrypted` or ransom note created.
  • Validate: Check file creation times and process tree (use Get-Process -IncludeUserName).

Step 2: Containment (Immediate)

# Isolate the infected host via Windows Firewall (run as admin)
New-NetFirewallRule -DisplayName "BLOCK-ALL-OUT" -Direction Outbound -Action Block -RemoteAddress Any
# Or disable the network adapters outright
Get-NetAdapter | Where-Object {$_.Status -eq "Up"} | Disable-NetAdapter -Confirm:$false

# Linux containment: allow only the management subnet, then drop everything else
# (add the ACCEPT rules before switching the default policies, or you lock yourself out)
sudo iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
sudo iptables -A OUTPUT -d 10.0.0.0/8 -j ACCEPT
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP

Step 3: Eradication and Recovery

  • Identify patient zero via log correlation (Event ID 4663 for file writes).
  • Restore from immutable backups (Veeam, BorgBackup).
  • Reset all credentials for affected accounts.

Step 4: Lessons Learned – Document detection gaps (e.g., missing process lineage monitoring) and update SIEM rules.

6. Threat Hunting with YARA and Sigma

Proactive hunting uncovers stealthy threats that bypass automated alerts.

YARA Rule – Detect Cobalt Strike Beacon

rule cobalt_strike_beacon {
    meta:
        description = "Detects Cobalt Strike Beacon strings"
        author = "SOC Lab"
    strings:
        $s1 = "beacon" wide ascii
        $s2 = "msf" wide ascii
        $s3 = { 68 74 74 70 3a 2f 2f } // "http://"
    condition:
        uint16be(0) == 0x4D5A and any of ($s*) // PE header ("MZ") plus at least one string
}

Run YARA scan on collected artifacts:

yara64.exe -r cobalt_strike.yar C:\suspicious\folder\
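To make the rule's semantics tangible, here is an added Python example (not from the article, and not YARA itself) that implements the same checks by hand over constructed byte blobs in a throwaway directory: `uint16be(0) == 0x4D5A` reads the first two bytes big-endian, so it tests for the `MZ` header; `wide` means the UTF-16LE encoding of the string; the hex string is matched as raw bytes; and `any of ($s*)` is true when at least one string is found. The sample files and function names are assumptions.

```python
import os
import tempfile

# The rule's strings; `wide ascii` means both the ASCII and the UTF-16LE form.
STRINGS = {
    "$s1": [b"beacon", "beacon".encode("utf-16-le")],
    "$s2": [b"msf", "msf".encode("utf-16-le")],
    "$s3": [bytes.fromhex("687474703a2f2f")],   # { 68 74 74 70 3a 2f 2f } == b"http://"
}


def uint16be(data: bytes, offset: int):
    """YARA's uint16be(offset): two bytes at offset read as a big-endian integer."""
    if len(data) < offset + 2:
        return None
    return int.from_bytes(data[offset:offset + 2], "big")


def string_hits(data: bytes) -> set:
    """Names of the rule strings present in the data (either encoding counts)."""
    return {name for name, forms in STRINGS.items() if any(f in data for f in forms)}


def matches_rule(data: bytes) -> bool:
    """condition: uint16be(0) == 0x4D5A and any of ($s*)"""
    return uint16be(data, 0) == 0x4D5A and bool(string_hits(data))


def scan_dir(root: str) -> list:
    """Recursive scan like `yara64.exe -r`: [(path, sorted hit names)] for each match."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if matches_rule(data):
                results.append((path, sorted(string_hits(data))))
    return results


# Constructed samples: an "MZ" header plus padding stands in for a PE file.
SAMPLES = {
    "pe_wide_beacon.bin": b"MZ" + b"\x00" * 62 + "beacon".encode("utf-16-le") + b"\x00" * 16,
    "pe_http.bin": b"MZ" + b"\x00" * 62 + b"http://example.invalid/",
    "pe_clean.bin": b"MZ" + b"\x00" * 128,                  # header but no strings
    "notes.txt": b"beacon msf http://",                      # strings but no MZ header
    "sub/elf_msf.bin": b"\x7fELF" + b"\x00" * 60 + b"msf",   # wrong header
}


def write_samples_and_scan() -> list:
    """Write the constructed samples to a temp dir, scan it, return (relative path, hits)."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return [(os.path.relpath(p, root).replace(os.sep, "/"), hits)
                for p, hits in scan_dir(root)]


if __name__ == "__main__":
    for rel, hits in write_samples_and_scan():
        print(rel, hits)
```

Note how short the strings are: "msf" and "http://" appear in plenty of legitimate binaries, so the rule as written is a triage aid for a hunt, not a blocking signature. Treat a hit as a reason to look at the file, not as a verdict.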

Hunting Query: Unusual Scheduled Tasks (Windows)

Get-ScheduledTask | Where-Object { $_.Actions.Execute -like "*powershell*" -or $_.Triggers.CimClass.CimClassName -contains "MSFT_TaskIdleTrigger" } |
    Select-Object TaskName, TaskPath, State, @{n='Command';e={$_.Actions.Execute}}

7. Documentation, GitHub Portfolio, and Interview Readiness

Employers value visible proof of learning. Build a SOC analyst portfolio.

GitHub Repository Structure:

SOC-Analyst-Portfolio/
├── detections/
│ ├── sigma_rules/
│ ├── yara_rules/
│ └── splunk_queries/
├── incident_reports/
│ ├── ransomware_case_study.md
│ └── phishing_ir_playbook.md
├── homelab_diagrams/
│ └── wazuh_architecture.png
└── README.md (with lab setup instructions and learning reflections)

Example Documentation for a Case Study:

# Incident: Suspicious LSASS Access (2025-01-15)

- Detection Source: Wazuh rule id 100010 (Sysmon Event 10)
- TTP Mapping: MITRE T1003.001 (Credential Dumping)

## Investigation Steps
1. Correlated with parent process: procdump.exe launched by svchost.exe (anomalous).
2. Checked network connections: procdump.exe attempted outbound to 185.130.5.253 (malicious indicator).
3. Containment: Isolated host, killed process.

## Remediation
Deployed LSA Protection (RunAsPPL) via registry.

Interview Practice: Be ready to explain a full alert – from raw log to containment – using your portfolio.

What Undercode Say:

  • Key Takeaway 1: A SOC analyst’s true value lies in understanding attacker behavior and log context, not just SIEM buttonology. Master the fundamentals of Windows Event Logs (4624, 4688, 7045) and Linux auditd before memorizing dashboards.
  • Key Takeaway 2: Hands-on repetition with open-source tools (Wazuh, Suricata, Sigma) and documenting every investigation on GitHub creates undeniable proof of job readiness. Theory without a home lab is like studying swimming without water.

The roadmap shared by Yasemin Ağırbaş Yıldız emphasizes a crucial truth: SOC readiness is built through structured progression across networking, OS telemetry, detection logic, and IR. Many aspiring analysts rush to Splunk certifications but cannot distinguish a brute-force from a password spray in raw logs. By following the 11-week learning path, practicing on TryHackMe and LetsDefend, and building a Wazuh+AD lab, you develop the investigative mindset that turns interest into a career. The most successful SOC professionals treat every alert as a story – they ask “what is normal?”, find the change, determine impact, and act decisively. Start your lab today, and in three months, you will speak the language of threats fluently.

Prediction:

By 2026, SOC teams will fully adopt AI-driven co-pilots for log triage, reducing false positives by 60%, but the demand for human analysts who understand underlying system telemetry will skyrocket. Organizations will prioritize candidates who can validate AI suggestions and hunt for novel TTPs not in training data. The roadmap described here – especially hands-on mastery of MITRE ATT&CK and open-source detection engineering – will become the baseline filter for entry-level SOC roles. Expect hiring managers to request GitHub portfolio links and live log analysis tests in interviews. Automation will handle the noise; curiosity and structured thinking will remain irreplaceable human assets.

Reported By: Yildiz Yasemin – Hackers Feeds