This project demonstrates hands-on experience and practical applications from SOC Level 1 training on Cybrary. It covers key aspects of security operations, including Defensive Security Fundamentals, Log Analysis, Host-Based Detection, and Network-Based Detection. The project utilizes industry-standard tools such as Wazuh, Elastic Stack, Kibana, The Hive, and Linux to analyze security events, detect threats, and respond to incidents.
## Table of Contents

- Overview
- Tools Used
- Project Structure
- Defensive Security Fundamentals
- Log Analysis
- Host-Based Detection
- Network-Based Detection
- Installation & Setup
- Use Cases
- Contributions
- License
## Tools Used

- **Wazuh** - Open-source SIEM and threat detection tool
- **Elastic Stack** (Elasticsearch, Logstash, Kibana) - Log analysis and visualization
- **Kibana** - Data visualization and dashboarding
- **The Hive** - Security incident response platform
- **Linux** - Host-based analysis and security monitoring
## Project Structure

```
SOC_L1_Project/
├── defensive_security_fundamentals/
├── log_analysis/
├── host_based_detection/
├── network_based_detection/
├── setup/
├── use_cases/
└── README.md
```
## Defensive Security Fundamentals

Covers core functions of defensive security, including:

- Security Operations Center (SOC) roles and responsibilities
- Cyber risk management and threat modeling
- Security ticketing and incident tracking
## Log Analysis

Focuses on analyzing logs to detect security events:

- Windows Event Logs analysis
- SIEM fundamentals and log correlation
- Incident response based on log patterns
## Host-Based Detection

Extends log analysis to detect threats at the endpoint level:

- Endpoint Detection and Response (EDR) tools
- Persistence mechanisms in Windows environments
- Local and domain-based authentication events
## Network-Based Detection

Analyzes network traffic for anomalies and malicious activity:

- Identifying network observables and indicators of compromise (IoCs)
- Web activity logs and network packet analysis
- Detecting and analyzing spearphishing attacks
## Installation & Setup

Step-by-step setup for the tools used in this project:

1. Install Wazuh SIEM and configure log forwarding
2. Set up Elastic Stack for log processing and visualization
3. Deploy The Hive for incident management
4. Configure Linux-based monitoring for endpoint security
## Use Cases

**Brute force attempts**

1. Detect failed login attempts in Windows Event Logs
2. Correlate logs with SIEM to identify brute force attempts
3. Investigate user behavior and take remediation actions
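The following is an added example, not code from this project, showing the detection logic behind the Log Analysis section and this use case: Event ID 4625 (failed logon) records, as a SIEM such as Wazuh or Elastic would return them, are grouped by source address and a sliding window flags sources that exceed a failure threshold; a later 4624 (successful logon) from a flagged source is reported as a possible successful guess. The event records, field names, threshold and window are constructed assumptions for the example.

```python
"""Brute-force detection over Windows Security log records (added example).

Event IDs used: 4625 = failed logon, 4624 = successful logon.
The records below are constructed sample data, not real logs."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source guessing several accounts, one source with
# two unrelated failures, and one ordinary successful logon.
SAMPLE_EVENTS = [
    {"time": "2024-01-15T08:00:01", "event_id": 4625, "user": "jsmith", "src_ip": "10.0.0.45", "logon_type": 3},
    {"time": "2024-01-15T08:00:09", "event_id": 4625, "user": "jsmith", "src_ip": "10.0.0.45", "logon_type": 3},
    {"time": "2024-01-15T08:00:18", "event_id": 4625, "user": "admin", "src_ip": "10.0.0.45", "logon_type": 3},
    {"time": "2024-01-15T08:00:27", "event_id": 4625, "user": "administrator", "src_ip": "10.0.0.45", "logon_type": 3},
    {"time": "2024-01-15T08:00:36", "event_id": 4625, "user": "admin", "src_ip": "10.0.0.45", "logon_type": 3},
    {"time": "2024-01-15T08:00:50", "event_id": 4625, "user": "admin", "src_ip": "10.0.0.45", "logon_type": 3},
    {"time": "2024-01-15T08:01:10", "event_id": 4624, "user": "admin", "src_ip": "10.0.0.45", "logon_type": 3},
    {"time": "2024-01-15T08:05:00", "event_id": 4625, "user": "mlee", "src_ip": "10.0.0.77", "logon_type": 2},
    {"time": "2024-01-15T08:07:30", "event_id": 4624, "user": "kchen", "src_ip": "10.0.0.12", "logon_type": 2},
    {"time": "2024-01-15T08:30:00", "event_id": 4625, "user": "mlee", "src_ip": "10.0.0.77", "logon_type": 2},
]


def parse_time(value):
    """Timestamps are ISO 8601 strings as exported from the SIEM (assumption)."""
    return datetime.fromisoformat(value)


def detect_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """Return {src_ip: alert} for every source with >= `threshold` failed logons
    inside any `window`-long interval.  Each alert records the first failure of
    the triggering burst, the total failures seen from that source, the account
    names tried, and the first successful logon observed after the alert."""
    events = sorted(events, key=lambda e: e["time"])   # ISO strings sort chronologically
    recent = defaultdict(deque)      # src_ip -> deque of (time, user) for 4625s still in window
    total_failures = Counter()       # src_ip -> all 4625s seen, for the report
    alerts = {}

    for e in events:
        t, ip = parse_time(e["time"]), e["src_ip"]
        q = recent[ip]
        while q and t - q[0][0] > window:   # expire failures that fell out of the window
            q.popleft()

        if e["event_id"] == 4625:
            total_failures[ip] += 1
            q.append((t, e["user"]))
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {
                    "first_failure": q[0][0].isoformat(),
                    "users": set(),
                    "success_after": None,
                })
                alert["users"].update(user for _, user in q)
        elif e["event_id"] == 4624 and ip in alerts and alerts[ip]["success_after"] is None:
            # A logon succeeded from a source already flagged: escalate for investigation
            alerts[ip]["success_after"] = {"time": e["time"], "user": e["user"]}

    for ip, alert in alerts.items():
        alert["failures"] = total_failures[ip]
        alert["users"] = sorted(alert["users"])
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_brute_force(SAMPLE_EVENTS).items():
        print(ip, alert)
```

With the sample data only 10.0.0.45 is flagged (six failures in under a minute, three accounts tried, then a successful logon as `admin`); 10.0.0.77's two failures are 25 minutes apart and never fill the window. The threshold and window are the knobs to tune against your own baseline of legitimate failed logons before turning this into a SIEM rule.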
**Phishing**

1. Analyze email headers and attachments for phishing indicators
2. Identify network traffic anomalies using Elastic Stack
3. Respond using The Hive for incident tracking and mitigation
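As an added example (not part of this project) for the spearphishing analysis in the Network-Based Detection section and the first step of this use case, the script below triages a raw e-mail with Python's standard `email` module: it compares the domains in `From`, `Return-Path` and `Reply-To`, reads the `Authentication-Results` header for SPF/DKIM/DMARC verdicts that are not `pass`, and inspects attachment file names for executable or double extensions. Both messages are constructed for the example; the domain names and the list of risky extensions are assumptions.

```python
"""Phishing indicator triage for a raw RFC 822 message (added example)."""
import email
import os
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: sender domain spoofed in From, bounce and reply
# addresses elsewhere, SPF failed, and a double-extension attachment.
PHISH_MESSAGE = b"""\
Return-Path: <bounce@mail-updates.example>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-updates.example; dkim=none
From: "IT Helpdesk" <helpdesk@corp.example>
Reply-To: it-support@corp-example.co
To: jsmith@corp.example
Subject: Urgent: password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached notice.
--b1
Content-Type: application/octet-stream; name="Notice.pdf.exe"
Content-Disposition: attachment; filename="Notice.pdf.exe"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

# Constructed sample of an ordinary internal message for comparison.
CLEAN_MESSAGE = b"""\
Return-Path: <kchen@corp.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example
From: Karen Chen <kchen@corp.example>
To: jsmith@corp.example
Subject: Lunch on Friday?
Content-Type: text/plain

Same place as last time?
"""

# Extensions that execute on open; the set is an assumption for this example.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".bat", ".cmd", ".ps1", ".lnk", ".iso"}
DOUBLE_EXTENSION = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.[a-z0-9]{2,4}$", re.IGNORECASE)
AUTH_VERDICT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def _domain(header_value):
    """Domain part of the first address in a header, lower-cased; None if absent."""
    if not header_value:
        return None
    _, addr = parseaddr(str(header_value))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def triage_message(raw_bytes):
    """Return a list of (indicator_code, detail) tuples; empty means nothing found."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    from_domain = _domain(msg["From"])

    # Sender-alignment checks: bounce and reply addresses should match From
    for header, code in (("Return-Path", "return_path_mismatch"), ("Reply-To", "reply_to_mismatch")):
        other = _domain(msg[header])
        if other and from_domain and other != from_domain:
            findings.append((code, f"{header} domain {other} differs from From domain {from_domain}"))

    # Authentication results recorded by the receiving MTA
    for mech, verdict in AUTH_VERDICT.findall(str(msg["Authentication-Results"] or "")):
        if verdict.lower() != "pass":
            findings.append((f"auth_not_pass:{mech.lower()}", f"{mech.lower()}={verdict}"))

    # Attachment names: executable extensions and lookalike double extensions
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append(("risky_extension", f"attachment {name} has extension {ext}"))
        if DOUBLE_EXTENSION.search(name):
            findings.append(("double_extension", f"attachment {name} uses a double extension"))
    return findings


if __name__ == "__main__":
    for code, detail in triage_message(PHISH_MESSAGE):
        print(f"[{code}] {detail}")
```

Each indicator on its own can have a benign explanation (mailing lists rewrite `Return-Path`, some marketing platforms set `Reply-To` elsewhere), so the output is a list of findings for the analyst rather than a verdict; the indicator codes are what you would carry into a case in The Hive.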
**Persistence**

1. Monitor process execution logs in Wazuh
2. Detect persistence mechanisms using Windows security logs
3. Isolate the affected host and conduct forensic analysis
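As an added example (not part of this project) for the persistence topic in the Host-Based Detection section and step 2 of this use case, the script below scans Windows Security log records for three common persistence footholds: scheduled task creation (Event ID 4698), service installation (4697) and registry writes to autorun locations such as the `Run`/`RunOnce` and `Winlogon` keys (4657, which requires object access auditing on those keys). Findings are rated higher when the referenced executable lives in a user-writable location. The records and field names are constructed assumptions for the example.

```python
"""Persistence-mechanism detection over Windows Security log records (added example).

Event IDs used: 4698 = scheduled task created, 4697 = service installed,
4657 = registry value modified.  Records below are constructed sample data."""
import re

# Registry locations that launch programs at logon/boot (Run, RunOnce, Winlogon).
AUTORUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)(\\|$)"
    r"|\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon(\\|$)",
    re.IGNORECASE,
)
# Executables started from user-writable paths deserve a higher severity.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)

# Constructed sample: three suspicious records, one routine task, one
# unrelated registry write and an ordinary logon.
SAMPLE_EVENTS = [
    {"event_id": 4698, "host": "WS01", "user": "jsmith",
     "task_name": "\\Updater", "command": "C:\\Users\\jsmith\\AppData\\Roaming\\upd.exe"},
    {"event_id": 4697, "host": "WS01", "user": "SYSTEM",
     "service_name": "SyncSvc", "image_path": "C:\\ProgramData\\sync\\s.exe"},
    {"event_id": 4657, "host": "WS01", "user": "jsmith",
     "object": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "Updater", "new_value": "C:\\Users\\jsmith\\AppData\\Local\\u.exe"},
    {"event_id": 4698, "host": "WS02", "user": "SYSTEM",
     "task_name": "\\Microsoft\\Windows\\DiskCleanup\\SilentCleanup",
     "command": "C:\\Windows\\System32\\cleanmgr.exe"},
    {"event_id": 4657, "host": "WS02", "user": "kchen",
     "object": "\\REGISTRY\\MACHINE\\SOFTWARE\\Contoso\\Settings",
     "value_name": "Theme", "new_value": "dark"},
    {"event_id": 4624, "host": "WS02", "user": "kchen", "src_ip": "10.0.0.12"},
]


def _severity(path):
    """High when the launched binary sits in a user-writable directory, else medium."""
    return "high" if USER_WRITABLE.search(path or "") else "medium"


def find_persistence(events):
    """Return one finding dict per persistence-related record, in input order."""
    findings = []
    for e in events:
        eid = e["event_id"]
        if eid == 4698:
            findings.append({"host": e["host"], "user": e["user"], "event_id": eid,
                             "technique": "scheduled task",
                             "detail": f"{e['task_name']} -> {e['command']}",
                             "severity": _severity(e["command"])})
        elif eid == 4697:
            findings.append({"host": e["host"], "user": e["user"], "event_id": eid,
                             "technique": "service installation",
                             "detail": f"{e['service_name']} -> {e['image_path']}",
                             "severity": _severity(e["image_path"])})
        elif eid == 4657 and AUTORUN_KEY.search(e["object"]):
            findings.append({"host": e["host"], "user": e["user"], "event_id": eid,
                             "technique": "registry autorun",
                             "detail": f"{e['object']}\\{e['value_name']} = {e['new_value']}",
                             "severity": _severity(e["new_value"])})
    return findings


if __name__ == "__main__":
    for f in find_persistence(SAMPLE_EVENTS):
        print(f"{f['severity']:<6} {f['host']} {f['event_id']} {f['technique']}: {f['detail']}")
```

The routine `SilentCleanup` task on WS02 is still reported (at medium severity) because task creation by itself is worth a look; in practice you would allow-list known scheduled tasks and services per host baseline to keep the queue manageable, and a high-severity finding is the trigger for step 3, isolating the host and collecting forensic artefacts.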
## Contributions

Contributions are welcome! Feel free to submit pull requests or open issues to improve this project.
## License

This project is licensed under the MIT License.