# SOC/SOAR

Security Operations Center Operations

Tooling

* Wazuh
  * HIDS
  * OSSEC
* MISP
  * Threat Intelligence
* Zeek/Suricata/Snort
  * IDS/IPS
* pfSense
  * Firewall

Building blocks of a SOC

* People
  * SOC Analyst
  * Incident Responders
  * Threat Hunters
  * SOC Managers
  * IT Security / Compliance / Auditor
  * Security Architects
* Process
  * Robust
  * Repeatable playbooks
  * Guidance with consistency
  * Periodic updates of rules/TTPs
* Technology
  * Data Collection
    * Log Sources
  * Data Management
  * Threat Detection
  * Threat Analytics

Types of SOCs

* Proactive SOC
* Reactive SOC

SOC Operations

* Log Sources
  * Access Logs
    * System activity logs
    * FTP server logs
    * Program execution error logs
    * Database query logs
    * Webserver access logs
    * Examples
      * AD, DC, Azure, Apache, Database logs
* Log Management
  * NIST SP 800-92 guidelines
  * System Logs
  * Network Logs
  * Log Generation, Transmitting, Storing, Analyzing and Disposing

* Alert Management
  * Prioritize true positives
  * Discard false positives
  * Triage the alert
  * Resolve

* Prevention
  * Implementing a preventive approach
* Detection
  * Unusual traffic
* Incident Management
  * Threat Analysis
  * How it disrupts organization operations
* Incident Response
  * Resolving the issue
  * Creating new detection rules
* Compliance Management
  * Industry and government compliance and regulations
  * Application standards
  * Protocol usage

SOC Functions

* Threat Detection
* Threat Mitigation
* Threat Monitoring
* Threat Hunting
* Troubleshooting the configuration and operational issues
* Incident Investigation
* Incident Forensics
* Industry and government compliance auditing

A few queries

* HTTP status codes
* User login country
* Application used to log in
* Requested data file
* Most clicked links
* Most downloaded files
* HTTP GET requests
* Long tail analysis
  * Source IP
  * Destination IP
  * Destination port
  * Geolocations
  * Protocol
  * Username
  * Resource
  * HTTP methods
  * Status codes
  * URI query
  * HTTP request headers (parse all the parameters useful for analysis)
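Long tail analysis in practice, as an added example (not part of the original notes): the script parses constructed Apache combined-format access log lines, counts each field listed above, and returns the rarest values per field, since uncommon sources, methods, status codes or query strings are where an analyst starts looking. The log lines and field names are assumptions for illustration.

```python
"""Long tail analysis over web server access logs (added example)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /about.html HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:57:10 +0000] "GET /export?format=xml&all=1 HTTP/1.1" 500 512 "-" "curl/8.0"
"""

# One regex for the combined log format; named groups become the analysis fields.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["uri"])
    rec["resource"] = parts.path   # path without the query string
    rec["query"] = parts.query     # URI query, empty string if absent
    return rec

def long_tail(lines, fields=("src", "method", "status", "resource", "query", "ua"), n=2):
    """For each field, return the n least common values as (value, count) pairs.

    Ties are broken by value so the result is deterministic."""
    counters = {f: Counter() for f in fields}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue               # unparseable lines are skipped, not counted
        for f in fields:
            counters[f][rec[f]] += 1
    return {f: sorted(c.items(), key=lambda kv: (kv[1], kv[0]))[:n]
            for f, c in counters.items()}

if __name__ == "__main__":
    for field, rare in long_tail(SAMPLE_LOG.splitlines()).items():
        print(f"{field:9} {rare}")
```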
