Online resources for SOC Analysts. Resources related to incident investigation, blogs, newsletters, good reads, books, trainings, podcasts, Twitter/X accounts and a set of online tools for day-to-day investigations. The repo generates a bookmark file for easy import to your browser.
I will mostly include resources that are tailored as much as possible to the role of the SOC Analyst and not the field of cyber security in general.
Contributions are welcome!
- Resources and Reference Material - Various reference materials, frameworks, and guidelines for cyber defense.
- Attack Reference Material - Attack-specific reference materials for understanding tactics, techniques, and procedures.
- Event Log References - Vendor documentation and references for event logs.
- Blogs - Blogs that offer valuable insights and updates in security and incident handling.
- Good Reads - Recommended reading materials for expanding knowledge in cyber defense.
- Newsletters - Newsletters that provide curated content and updates in the cyber security space.
- Podcasts - Podcasts related to cyber defense, incident response, and security topics.
- Books - Books focused on improving knowledge and skills in cyber defense and security.
- Training and Certifications - Training programs and certifications relevant to security operations and incident response.
- Twitter/X - Notable Twitter/X accounts to follow for security updates and news.
- Interview Questions - Sample interview questions for cybersecurity roles, particularly for SOC analysts.
- Tools - A collection of essential tools for security operations, categorized for easy reference:
  - Sandboxes - Sandboxes for safe malware analysis and testing.
  - IOC Lookups - Tools for looking up Indicators of Compromise (IOCs).
  - Emails - Tools for analyzing and investigating email headers and email-related data.
  - Multifunctional LookUp Services - Tools for searching multiple data points (IP, URL, Domain, etc.).
  - Fingerprinting - Tools for identifying and fingerprinting devices and services.
  - Network Scanning - Tools for scanning and analyzing network traffic.
  - SSL/TLS - Tools for scanning and analyzing SSL/TLS configurations.
  - Website Scan - Tools for scanning websites for security vulnerabilities.
  - CMS Scan - Tools for scanning Content Management Systems (CMS) for vulnerabilities.
  - URL - Tools for analyzing and investigating URLs.
  - DNS - Tools for analyzing and querying DNS records.
  - MAC - Tools for looking up and identifying MAC addresses.
  - ASN - Tools for querying ASN information.
  - Browser Extension - Browser extensions for security professionals.
  - User Agent - Tools for investigating and analyzing User Agent data.
  - USB and PCI - Tools related to USB and PCI devices for security analysis.
  - EXE Lookup - Tools for analyzing executable files.
  - Certificate - Tools for analyzing certificates.
  - Hash - Tools for hashing and investigating file hashes.
  - Misc Tools - Miscellaneous tools useful for various security tasks.
  - Data Manipulation Online Tools - Online tools for data manipulation and analysis.
- MITRE ATT&CK® - MITRE ATT&CK knowledge base of adversary tactics and techniques.
- MITRE D3fend - A knowledge base of cybersecurity countermeasures.
- Cyber Kill Chain | Lockheed Martin - Model for identification and prevention of cyber intrusion activity.
- Blue Team Notes | Purp1eW0lf
- CVE - Vulnerability database.
- Command Line Arguments Docs | ss64 - Command line arguments explanations.
- Port Information | Speedguide.net - Port information and common apps.
- LOLBAS (Living Off The Land Binaries and Scripts) - Collection of legitimate binaries and scripts abused by attackers.
- WTFBins - Binaries that behave exactly like malware, except, somehow, they are not.
- LOLDrivers - Database of drivers used by adversaries to bypass security controls and carry out attacks.
- GTFOBins - Collection of binaries that can be used to bypass local security restrictions in misconfigured systems.
- LOLRMM - Repository of Remote Monitoring and Management (RMM) software that attackers abuse.
- LOLOLFarm - Database of Living Off The Land (LOL) techniques.
- Email Headers IANA - IANA Email headers reference.
- DKIM, DMARC, SPF - Simplified explanation of DKIM, DMARC, SPF.
- Kerberos Protocol | hackndo - Explanation of the Kerberos protocol.
- Service Principal Name (SPN) | hackndo - Explanation of SPN.
- ADSecurity AD Attacks - Attacks on Active Directory.
- Password Spraying | hackndo - Explanation of password spraying.
- Pass-The-Hash | hackndo - Explanation of pass the hash attack.
- Over Pass-The-Hash - Explanation of over pass the hash attack.
- Pass the ticket - Explanation of pass the ticket attack.
- Kerberoasting | adsecurity - Explanation of kerberoasting attack.
- Kerberoasting | hackndo - Explanation of kerberoasting attack.
- Kerberos Unconstrained Delegation | hackndo - Explanation of Kerberos unconstrained delegation.
- AS_REP Roasting | hackndo - Explanation of as_rep roasting attack.
- Golden Ticket | hackndo - Explanation of golden ticket attack.
- Silver Ticket | hackndo - Explanation of silver ticket attack.
- Skeleton Key | adsecurity - Explanation of Skeleton Key attack.
- NTLM Relay | hackndo - Explanation of NTLM Relay.
- LLMNR Poisoning - Explanation of LLMNR Poisoning.
- DCSync | adsecurity - Explanation of DCSync attack.
- DCShadow - Explanation of DCShadow attack.
- DNS Tunneling | unit42 - Simple example of DNS tunneling and how it is abused.
- DNS DGA | cybereason - Nice examples of DGA variants.
- Windows Event IDs and Audit Policies
- Windows Security Log Event IDs Encyclopedia
- Windows Logon Types
- Windows Logon Failure Codes
- Azure SigninLogs Schema
- Azure SigninLogs Risk Detection
- AADSTS Error Codes
- Microsoft Errors Search
- Microsoft Entra authentication and authorization error codes
- Microsoft Defender Event IDs
- Microsoft Defender for Cloud Alert References
- Microsoft Defender for Identity Alert References
- Microsoft Defender XDR Schemas
- Microsoft DNS Debug Event IDs
- Sysmon Event IDs
- Cisco ASA Event IDs
- Palo Alto PAN-OS Log Fields
- Palo Alto PAN-OS Threat Categories
- Palo Alto PAN-OS Applications
- FortiGate FortiOS Log Types and Subtypes
- FortiGate FortiOS Log Fields
- FortiGate FortiGuard Encyclopedia
- GCP Threat Detection Findings
- GuardDuty Finding Types
- Barracuda Firewall Log Files Structure and Log Fields
- Barracuda Web Security Gateway Log Fields
- Barracuda Web Application Firewall Log Format and Barracuda Web Application Firewall Log Formats
- Check Point Firewall Log Fields
- Cisco Umbrella Proxy Log Format, Cisco Umbrella DNS Log Format and Cisco Umbrella Content Categories
- Cisco WSA Access Log Fields and Cisco WSA Filtering Categories
- Cisco ESA Log Types
- Juniper Junos OS Log Fields
- Imperva Log Fields and Imperva Event Types
- Squid Log Fields and Log Types and Squid Log Format
- Suricata Log Format
- ZScaler Web Log Format, ZScaler Firewall Log Format, ZScaler DNS Log Format and ZScaler URL Categories.
- Broadcom Edge Secure Web Gateway (Bluecoat) Access Log Format and Broadcom Edge Secure Web Gateway (Bluecoat) Categories
- Broadcom Endpoint Protection Manager Log Format
- SonicWall SonicOS Log Events Documentation
- WatchGuard Fireware OS Log Format
- Sophos Firewall Log Documentation
- Sophos Central Admin Events
- Apache Custom Log Format
- IIS Log File Format
- NGINX Access Log Format
- The DFIR Report - Detailed and thorough analysis of real intrusions.
- Bad Sector Labs - Good catch all aggregator.
- This Week In 4n6 - Good catch all aggregator, focused largely on DFIR.
- SOC Investigation - SOC related articles.
- Elastic Security Labs - Good collection of malware analysis blogposts.
- Dark Reading - Cyber security news.
- Bleeping Computer - Cyber security news.
- The Hacker News - Cyber security news.
- Darknet Diaries - True stories from the dark side of the Internet.
- Blue Team Handbook: SOC, SIEM, and Threat Hunting
- Blue Team Handbook: Incident Response Edition
- Effective Threat Investigation for SOC Analysts: The ultimate guide to examining various threats and attacker techniques using security logs
- BTFM: Blue Team Field Manual
- Blue Team Labs Online - A gamified platform for defenders to practice their skills in security investigations and challenges covering Incident Response, Digital Forensics, Security Operations, Reverse Engineering, and Threat Hunting.
- The DFIR Labs - Cloud-based DFIR Labs offer a hands-on learning experience, using real data from real intrusions.
- LetsDefend SOC Analyst Path
- TCM Security Security Operations (SOC) 101
- TCM Security SOC Level 1 Live Training
- Security Blue Team L1
- Security Blue Team L2
- HackTheBox Academy SOC Analyst
- TryHackMe SOC Simulator
- TryHackMe SOC Level 1 Training Path
- TryHackMe SOC Level 2 Training Path
- Constructing Defense
- CyberDefenders CCD
- SANS SEC401: Security Essentials - Network, Endpoint, and Cloud
- SANS SEC450: Blue Team Fundamentals: Security Operations and Analysis
- SANS SEC504: Hacker Tools, Techniques, and Incident Handling
- OffSec SOC-200: Foundational Security Operations and Defensive Analysis
- TCM Security Practical SOC Analyst Associate
- CompTIA CySA+
- CompTIA Security+
- EC-Council Certified SOC Analyst
- EC-Council Certified Incident Handler
- TheDFIRReport
- Unit42
- malwrhunterteam
- abuse_ch
- elasticseclabs
- nextronresearch
- TheHackersNews
- BleepinComputer
- DarkWebInformer
- vxunderground
- Cryptolaemus1
- SOC List
- SOC Interview Questions | LetsDefend
- Interview Questions | socinvestigation.com
- SOC Interview Questions | siemxpert.com
- VirusTotal - Analyze suspicious files, domains, IPs and URLs to detect malware and other breaches.
- Hybrid Analysis - Free malware analysis service for the community that detects and analyzes unknown threats.
- AnyRun - Interactive malware analysis sandbox.
- Triage | Recorded Future - Malware analysis sandbox.
- JOE Sandbox Cloud Basic - Malware analysis sandbox.
- Threat Zone - Holistic malware analysis platform - interactive sandbox, static analyzer, emulation, URL Analyzer.
- Filescan.io - Insightful Malware Analysis Powered by Emulation.
- IBM X-Force Exchange - Engine powered by ReversingLabs Titanium Platform.
- DOGGuard - Analyze files, hashes and URLs.
- Kaspersky Threat Intelligence Portal - Kaspersky file analysis.
- VirusTotal | IP, Domain, URL, Hash
- Cisco Talos Intelligence | IP, URL, Domain, Hash
- AbuseIPDB | IP, Subnet, Domain
- SpamHaus | IP, Domain, ASN, SBL, Email, Hash
- MalwareBazaar | Hash
- URLHaus | Domain, URL, Hash
- IBM X-Force Exchange | IP, URL, Hash
- ThreatFox IOC Database | IP, Domain, URL, Hash
- GreyNoise | IP
- Pulsedive | IP, URL, Domain
- threatbook | IP, Domain
- FortiGuard Labs | IP, Domain, URL
- Spamhaus IP Reputation | IP
- Spamhaus Domain Reputation | Domain
- Palo Alto URL | URL
- DOGGuard | URL, Hash
- AlienVault | IP, Domain, URL, Hash, FilePath, Email
- Kaspersky Threat Intelligence Portal | Hash, IP, Domain, URL
- Tor Metrics - ExoneraTor | IP (Tor network)
- Tor Metrics - Relay Search | IP (Tor relay)
- MXToolbox Network Tools
- MXToolbox TCP Port Scan
- MXToolbox Ping
- MXToolbox Traceroute
- HackerTarget
- HackerTarget Nmap Scanner
- HackerTarget TCP Port Scan
- HackerTarget UDP Port Scan
- HackerTarget Ping
- HackerTarget Traceroute
- DNSChecker Port Scanner
- HackerTarget Whatweb/Wappalyzer Scan - Website technology analyzer.
- HackerTarget Dump Links - Dump links from a website.
- VirusTotal - Scans provided URLs.
- urlscan.io - Page source code, requests analysis.
- Cloudflare Radar URL Scan - Gives you information about cookies, technology used, SSL certificates, headers, DNS records and more.
- URLVoid - Reputation check.
- URLQuery - Very nice analysis of the scanned URL along with reputation check.
- CyberGordon - Multiple engines scan.
- Tiny Scan - Gives you information about cookies, technology used, SSL certificates, headers, DNS records and more.
- CheckPhish - Check if URL is phishing.
- PhishTank - Check if URL is phishing.
- HTTPStatus.io - Check URLs.
- Redirect Checker - Shows redirects.
- MXToolbox DNS Tools - MXToolbox DNS tools.
- DNSChecker DNS Tools - DNSChecker DNS Tools.
- IPVoid Dig Lookup - Dig DNS Lookup.
- DNS Dumpster - DNS records.
- DNS History - Historical DNS records.
- macaddress.io - Information about manufacturers.
- macvendors.com - Information about manufacturers.
- DNS Checker MAC Lookup - Information about manufacturers.
- CRXaminer - Chrome extension analyzer.
- DeviceHunt - Find your device & driver from a massive database of PCI and USB devices.
- EchoTrail - Look up information about known files using hash or process name.
- XCyclopedia - Look up information about known exe files - hashes, known paths, metadata, other.
- crt.sh - Certificate Search
- Hash Calculator - Calculator for hashes.
- Hash Crack - Cracking hashes online.
- WayBack Machine - Historical search of pages.
- RedHunt Labs Online Paste Tools Lookup - Lookup keywords on online paste sites like pastebin.
- de4js - JavaScript Deobfuscator and Unpacker.
- deobfuscate.relative.im - JavaScript Deobfuscator.
- A-Packets PCAP Analyzer - PCAP analyzer from A-Packets.
- URLEncoder - URL encoder and decoder.
- explainshell.com - Write down a command-line to see the help text that matches each argument.
- Crontab Guru - The quick and simple editor for cron schedule expressions.
- MXToolbox Subnet Calculator - Enter a subnet range (CIDR) and see IP address information about that range.
- EpochConverter - Epoch & Unix Timestamp Conversion Tools.
- 10 minute mail - Can be used for registrations.
- Regex101 - Regex testing.
- Regexr - Regex testing.
- CyberChef - Multiple data manipulation tools, decoders, decryptors.
- JSON Formatter - JSON Beautifier.
- JSONCrack - JSON, YML, CSV, XML Editor.
- Text Mechanic - Text manipulation (Remove duplicates, prefix, suffix, word count etc.).
- Text Fixer - Text manipulation (Remove duplicates, prefix, suffix, word count etc.).
- Free Formatter - Formatter for XML, JSON, HTML.
- HTML Formatter - Formatter for HTML.
- Diff Checker - Diff comparison.
- ChatGPT - Can be used to transform data.