This SOC Analyst Investigation Lab is designed to help security analysts build essential skills by investigating unusual network activity within a simulated SOC environment. Through a real-world scenario of detecting a sudden spike in outbound traffic from a domain controller, learners explore the investigation workflow, leverage Windows event data, and practice advanced hunting queries to identify the source and impact of potential threats.
- Advanced log hunting using Kusto Query Language (KQL) within Microsoft Sentinel and Defender.
- Investigating and scoping network anomalies using security event and Sysmon data.
- Identifying suspicious processes and binaries via process GUID and event correlation.
- Practical experience with event IDs for Windows security (Sysmon Event ID 3 for network connections, Event ID 15/11 for file creation, Event ID 22 for DNS queries).
- OSINT techniques for validating IP addresses and domains flagged during investigations.
- End-to-end SOC investigation workflow including alert triage, evidence enrichment, and reporting.
- Microsoft Sentinel / Defender: Security event management, real-time log analysis, KQL query building.
- Sysmon: Enhanced Windows event logging for process creation and network connections.
- Windows Security Event logs: Core telemetry for authentication and firewall events.
- VirusTotal: Malware file hash enrichment and threat validation.
- NSLookup / Browser tools: Domain and IP intelligence research for OSINT.
- Community SOC Simulator (MyDFIR): Interactive SOC workspace for scenario practice.
- Lab exercises are crafted from the real SOC investigation shown in the video, including:
- Baseline network activity and spike detection via dashboards.
- Table exploration: Security event vs Windows event logs (Sysmon focus).
- Query development: Identify suspicious outbound connections, filter for specific processes using process GUID/image.
- Investigation of created files and their execution timeline.
- Scope analysis: Cross-environment searches for affected hosts, binaries, and domains.
- External enrichment: File hash lookup on VirusTotal, OSINT investigation of suspicious IPs/domains.
- Final triage and remediation simulation (reporting, scoping, and incident conclusion).