
Understand the state of the art of the SOC and respond to cyber issues and threats through the SOC analyst profession.
Day 1 – SOC and the analyst profession
❏ Section 1 – State of the art of the Security Operation Center
❏ Definition of CSS
❏ Benefits, evolution of the NCS
❏ The services integrated in the SOC, the data collected, playbook
❏ The SOC governance model (SSI approach, SOC type, CERT, CSIRT)
❏ Prerequisites and roles of an SOC analyst (techniques, soft skills, roles, models)
❏ Repositories (ATT&CK, DeTT&CT, Sigma, MISP)
❏ Demonstration 1 – use of the ATT&CK framework via Navigator (attack and defence)
❏ Section 2 – Focus on the SOC analyst
❏ What a day's work looks like
❏ Triage of alerts
❏ Review and security status
❏ Identification and reporting
❏ Threat hunting
❏ Demonstration 2 – use of the SYSMON tool
❏ Section 3 – Data sources to be monitored
❏ Windows indicators (process, firewall, etc.)
❏ WEB service (server, WAF, activity)
❏ IDS/IPS
❏ EDR, XDR
❏ USB
❏ DHCP, DNS
❏ Antivirus, EPP
❏ DLP, whitelist
❏ Exercise 1 / use cases and line of defence
Day 2 (Discovery & implementation of SIEM)
❏ Section 4 – Overview of SIEM
❏ Background to SIEM
❏ Existing solution
❏ Operating principle of a SIEM
❏ Objectives of a SIEM
❏ SIEM solutions
❏ Section 5 – Presentation of the Elastic suite
❏ BEATS agents, sysmon
❏ Discovering Logstash
❏ Discovering Elasticsearch
❏ Discovering Kibana
❏ Practical Work 1 / setting up ELK and first logging
Day 3 (Analysis, Logstash, Elasticsearch)
❏ Section 6 – Logstash (ETL)
❏ How Logstash works
❏ Input & output files
❏ Enrichment: Grok and external-source filters
❏ Section 7 – ElasticSearch
❏ Terminology
❏ Lucene Syntax
❏ Alerts with ElastAlert and Sigma
❏ Practical Work 2 / creating alerts, alarms
❏ Demonstration 3 / use of ElastAlert and Sigmac
❏ Section 8 – Kibana
❏ Search of events
❏ Data visualization
❏ Demonstration 4 / creating a filter on Kibana
❏ Adding detection rules, IoC
❏ Go further in ELK architecture with HELK
Day 4 (Cyber training)
❏ Section 9 – Setting the scene
❏ Using ESD Academy tools, the SOC analyst is put in a realistic situation and has to identify several attack scenarios launched by the trainer
❏ Practical Work 3 / Setting a SIEM and operating it
Day 5 (Report)
❏ Section 10 – Report
The SOC analyst must report attacks, detect and identify threats and their impacts, and check whether their information system is affected.
❏ Practical Work 4 / Create a report of intercepted attacks and evaluate the impact