SOC/SOAR
Security Operations Center Operations
Wazuh
- HIDS
- OSSEC
MISP
- Threat Intelligence sharing platform
Zeek/Suricata/Snort
- IDS/IPS
pfSense
- Firewall
Building blocks of a SOC
People
SOC Analyst
Incident Responders
Threat Hunters
SOC Managers
IT Security / Compliance / Auditors
Security Architects
Process
Robust, repeatable playbooks
Consistent guidance for analysts
Periodic updates of detection rules against current TTPs
Technology
Data Collection
Log Sources
Data Management
Threat Detection
Threat Analytics
Types of SOCs
Proactive SOC
Reactive SOC
SOC Operations
Log Sources
Access Logs
System Activity logs
FTP server logs
Program execution error logs
Database query logs
Webserver access logs
Examples: Active Directory / domain controller, Azure, Apache and database logs
Log Management
NIST SP 800-92 (Guide to Computer Security Log Management) guidelines
System Logs
Network Logs
Log lifecycle: generation, transmission, storage, analysis and disposal
Alert Management
Prioritize True Positives
Discard False Positives
Triage the alert
Resolve
Prevention
Implementing a preventive approach
Detection
Unusual traffic
Incident Management
Threat Analysis
How the threat disrupts the organization's operations
Incident Response
Resolving the issue
Creating new detection rules from the incident's indicators
Compliance Management
Industry and Government compliance and regulations
Application standards
Protocol Usage
SOC Functions
Threat Detection
Threat Mitigation
Threat Monitoring
Threat Hunting
Troubleshooting configuration and operational issues
Incident Investigation
Incident Forensics
Industry and government compliance auditing
A few useful queries
HTTP status codes
User login country
Application used to login
Requested data files
Most clicked links
Most downloaded files
HTTP GET requests
Long tail analysis
Source IP
Destination IP
Destination Port
Geolocation of source IP
Protocol
Username
Resource
HTTP methods
Status codes
URI query
Parse the HTTP request headers for all parameters useful for analysis
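The queries above can be run directly over a webserver access log once it is parsed into fields. The script below is an added example (not code from the original page or from any of the tools listed) that parses Apache "combined" format lines into the fields listed above (source IP, username, method, resource, URI query, status code, user agent) and then answers several of the queries: status code distribution, most requested resources, most downloaded files, GET requests, long-tail analysis of rare user agents, and repeated failed logins per source. The log lines are constructed for this example and are not real traffic; the login path, download extensions and thresholds are assumptions. Source-IP geolocation is left out because it needs an external GeoIP database.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format (not real traffic).
# 10.0.0.7 fails /login twice; 203.0.113.9 probes with sqlmap and curl.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - alice [12/Mar/2024:10:01:03 +0000] "GET /docs/report.pdf HTTP/1.1" 200 88231 "http://example.test/index.html" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2024:10:02:10 +0000] "POST /login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2024:10:02:11 +0000] "POST /login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2024:10:02:12 +0000] "POST /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.9 - - [12/Mar/2024:10:03:01 +0000] "GET /admin/config.php?id=1%27%20OR%201=1 HTTP/1.1" 404 210 "-" "sqlmap/1.7"
10.0.0.5 - alice [12/Mar/2024:10:04:00 +0000] "GET /docs/report.pdf HTTP/1.1" 200 88231 "-" "Mozilla/5.0"
"""

# One regex for the combined format: src ident user [time] "method target proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])      # split the request target into resource and URI query
    rec["resource"] = parts.path
    rec["query"] = parts.query
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def parse_log(text):
    """Parse every line, silently skipping lines that do not match the format."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def status_counts(records):
    """HTTP status code distribution (query: HTTP status codes)."""
    return Counter(r["status"] for r in records)


def top_resources(records, n=3):
    """Most requested resources (query: most clicked links)."""
    return Counter(r["resource"] for r in records).most_common(n)


def top_downloads(records, n=3, exts=(".pdf", ".zip", ".exe", ".docx")):
    """Most downloaded files: successful responses for file-like resources (assumed extensions)."""
    hits = Counter(r["resource"] for r in records
                   if r["status"] == 200 and r["resource"].lower().endswith(exts))
    return hits.most_common(n)


def get_requests(records):
    """All HTTP GET requests (query: HTTP GET requests)."""
    return [r for r in records if r["method"] == "GET"]


def long_tail(records, field, max_count=1):
    """Long-tail analysis: values of a field seen at most max_count times.
    Rare user agents or URIs are where scanners and one-off probes tend to show up."""
    counts = Counter(r[field] for r in records)
    return sorted(v for v, n in counts.items() if n <= max_count)


def failed_logins_by_source(records, path="/login", threshold=2):
    """Sources with at least `threshold` 401s on the (assumed) login path: a triage starting point."""
    counts = Counter(r["src"] for r in records
                     if r["resource"] == path and r["status"] == 401)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("status codes:", dict(status_counts(recs)))
    print("top resources:", top_resources(recs))
    print("top downloads:", top_downloads(recs))
    print("GET requests:", len(get_requests(recs)))
    print("rare user agents:", long_tail(recs, "ua"))
    print("repeated failed logins:", failed_logins_by_source(recs))
```

Point the script at a real log by replacing SAMPLE_LOG with the file contents; lines that do not match the combined format are dropped, so check the parsed count against `wc -l` before trusting the aggregates.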