Skip to content

guideops/SOC-Analyst-Investigation-Lab

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 

Repository files navigation

SOC-Analyst-Investigation-Lab

Objective

This SOC Analyst Investigation Lab is designed to help security analysts build essential skills by investigating unusual network activity within a simulated SOC environment. Through a real-world scenario of detecting a sudden spike in outbound traffic from a domain controller, learners explore the investigation workflow, leverage Windows event data, and practice advanced hunting queries to identify the source and impact of potential threats.

Skills Learned

  • Advanced log hunting using Kusto Query Language (KQL) within Microsoft Sentinel and Defender.
  • Investigating and scoping network anomalies using security event and Sysmon data.
  • Identifying suspicious processes and binaries via process GUID and event correlation.
  • Practical experience with event IDs for Windows security (Sysmon Event ID 3 for network connections, Event ID 15/11 for file creation, Event ID 22 for DNS queries).
  • OSINT techniques for validating IP addresses and domains flagged during investigations.
  • End-to-end SOC investigation workflow including alert triage, evidence enrichment, and reporting.

Tools Used

  • Microsoft Sentinel / Defender: Security event management, real-time log analysis, KQL query building.
  • Sysmon: Enhanced Windows event logging for process creation and network connections.
  • Windows Security Event logs: Core telemetry for authentication and firewall events.
  • VirusTotal: Malware file hash enrichment and threat validation.
  • NSLookup / Browser tools: Domain and IP intelligence research for OSINT.
  • Community SOC Simulator (MyDFIR): Interactive SOC workspace for scenario practice.

Lab Structure

  • Lab exercises are crafted from the real SOC investigation shown in the video, including:
  • Baseline network activity and spike detection via dashboards.
  • Table exploration: Security event vs Windows event logs (Sysmon focus).
  • Query development: Identify suspicious outbound connections, filter for specific processes using process GUID/image.
  • Investigation of created files and their execution timeline.
  • Scope analysis: Cross-environment searches for affected hosts, binaries, and domains.
  • External enrichment: File hash lookup on VirusTotal, OSINT investigation of suspicious IPs/domains.
  • Final triage and remediation simulation (reporting, scoping, and incident conclusion).

About

No description, website, or topics provided.

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors