
*Please find the content below*
Module 1 : Basics of Networking and Security Concepts
· Types of IP address
· How computers communicate
· Transport protocols
· IP planning
· DNS Server and Various types of DNS records.
· Understanding of the OSI model and the devices that operate at each layer
· TCP/IP packet understanding
· TCP 3-way handshake
· Routers and switches; understanding of corporate network design, etc.
· Understanding of firewalls, Web Application Firewall (WAF) and proxies
· Email gateway (email security), IPS/IDS
· DLP
· End Point Security
· Ransomware attacks
· DoS attacks
· SQL injection
· Cross-Site Scripting (XSS)
· Malware attacks and phishing attacks
Module 2 : Splunk SIEM (Splunk Enterprise + Splunk Enterprise Security)
Analyst Essentials on Splunk
· What is SIEM
· Logs, Events, Parsing, Normalization
· Introduction of Splunk and its Components
· Splunk Indexes, Buckets, Data Retention Policies (High Level)
· Splunk Licensing
· Heavy Forwarders, Universal Forwarders
· Splunk Solution Architect Scenario: Size and design a Splunk deployment architecture for a company
· Installing Splunk Enterprise
· Basics of Data source onboarding (Device Integration)
Searching & Threat Detection (Deep Focus)
· Splunk Field based Searching
· Understanding logical operators
· SPL fundamentals
· Field extraction basics for SOC
· Analyst-Required SPL Commands
· Fields, search, dedup, rename, sort, tail, head, top
· stats, timechart, table, eval
· lookup, join
· tstats for ES
· transaction (session building)
Threat Detection & Use Case Development
· Understanding correlation searches (correlation rules)
· Writing correlation searches, e.g.:
- Brute Force & Password Spraying
- Malware activity detection
- Based on Threat Intelligence and IOCs
- Traffic towards known trojan ports
- VPN Anomalies detection
· Detailed understanding of how to write correlation searches for any device
· MITRE ATT&CK-mapped detections
· Detailed understanding of the MITRE ATT&CK framework (self-paced learning from previous batch recordings)
· Baselining normal activity
Investigation in Splunk Enterprise Security (ES)
· ES dashboards overview
· SOC Incident Response
· Analysing and investigating real-time incidents to classify them as True Positive or False Positive
· How to raise incidents by email and ticket for True Positive cases
· Learning the top 10 incident response cases commonly generated in a company's SIEM
(Live, or access can be given to the previous batch's sessions for the topics below)
· What is a phishing email
· Phishing email analysis
· Email Header Analysis
· SOC Team Shift Handover
· Interview Preparation Session
· Resume Preparation Session
· LinkedIn Profile Preparation, Naukri Profile Key Skills
· Real-time company environment scenario discussion: number of devices, EPS, locations, licenses, number of SOC analysts, etc.
· Types of SOC: dedicated, MSSP, etc.
· Roles of L1, L2, L3, administrator, etc.
Module 3 : Microsoft Sentinel SIEM (SOC Analyst-Focused)
Introduction to Cloud & Azure Fundamentals
· What is Cloud Computing
· Cloud Service Models: IaaS, PaaS, SaaS
· Public, Private, and Hybrid Cloud
· Introduction to Microsoft Azure
· Key Azure Services: Azure AD, Azure Security Center, Azure Monitor
· Creating a Free Azure Account
· Navigating the Azure Portal
Sentinel Overview
· Microsoft Sentinel Architecture
· Log Analytics Workspace fundamentals
· Tables, schemas, KQL structure
Data Connectors (Analyst View)
· Microsoft AD
· Defender for Endpoint
· Syslog/CEF ingestion overview (No Deployment; only understanding)
KQL for SOC Analysts
· Core Commands
- project, extend
- where, summarize, count
- top, take
- join, union
- mv-expand, etc.
Analytics Rules (Detection Engineering)
· Rule creation
· NRT rules
· Suppression logic
· Scheduling
· Custom rule creation using KQL
Threat Hunting and Incident Investigation Lifecycle
· Threat Hunting KQL queries
· Alert vs Incident
· Evidence & Entities
· Analysing Incidents in Sentinel
· Incident Response Process
Module 4 : CrowdStrike EDR
· Understanding EDR
· EDR vs antivirus
· Understanding fileless malware
· Briefing on the Pyramid of Pain
· MITRE ATT&CK framework
· Falcon Platform Architecture Overview
· Falcon Platform Technical Fundamentals
· Falcon console overview
· Roles, access control and user management
· Sensor installation and troubleshooting
· Falcon Fusion workflow & Policy briefing
· Dashboards and Reports creation
· On-demand Scans
· Investigation Fundamentals & Event Searches.
· Threat Intelligence & Sandboxing
· Falcon for responders & RTR fundamentals.
· Incident response using EDR
· USB Device Control management
Module 5 : AI for SOC analyst
· Role of AI in cyber security and security operations
· Getting started with AI
· Using AI for Use case creation and log search for SIEM
· Using ChatGPT for Incident response
· Incident investigation using AI
· Code analysis
· Macros
· File based analysis
· Phishing email analysis
· Malware analysis using AI
· AI as Threat intelligence agent
Module 6 : Cortex XSOAR
Domain 1: Knowing SOAR
· What is SOAR
· What does SOAR consist of
· What can be integrated with SOAR
· Benefits of SOAR in Today's SOC
Domain 2: Knowing Playbook
· Reference and manipulate context data to manage automation workflow
· Summarize inputs, outputs, and results for playbook tasks
· Differentiate among Playbook Task Types
- Manual
- Automated
- Conditional
- Data Collection
- Sub-Playbook
Domain 3: Automations, Integrations, and Related Concepts
· Playbook Tasks
· War Room
· Layouts (Dynamic Sections, Buttons)
· Jobs
· Field Trigger Scripts
· Pre/Post-Processing
Domain 4: UI Workflow, Dashboards, and Reports.
· Identify Methods for Querying Data
- Indicators
- Incidents
- Dashboards
- Global Search
· Interact with Layouts for Incident Management
- Sections
- Fields
- Buttons
· Summarize Tools used for Managing Incidents
- Bulk Incident Actions
- Table View versus Summary View
- Table Settings
Module 7 : Vulnerability Management (Self-paced)
· Need for Vulnerability Assessment
· The life cycles of Vulnerability Assessment and Penetration Testing
· Introduction to Nmap (Discovery, Port scanning, Vulnerability scanning)
· Various features of Nmap
· Introduction to Nessus
· Installing Nessus on different platforms
· Scan prerequisites
- Admin credentials on the target systems for credentialed scans
- Direct connectivity to the targets without an intervening firewall
- Backup of all systems, including data and configuration
- Updated Nessus plugins
- Sufficient network bandwidth to run the scan
· Policy configuration
· Credentialed scan vs non-credentialed scan
· Scan execution and results; removing false positives from the scan
· Preparing the report (mitigation/vulnerability tracker)
MiNdLiNkS has been operating in Hyderabad for over two decades, having grown from upskilling programs into domestic and international IT recruiting services. We hire people with 0-30 years of technology experience, both on our own contract and into permanent roles with our client MNCs across the globe. We specialize in hiring for all SAP and non-SAP cloud technologies, such as SAP SuccessFactors, SAP Ariba, SAP CPI, SAP S/4HANA BASIS, SAP S/4HANA Security, SAP S/4HANA GRC, SAP S/4HANA ABAP HR, SAP S/4HANA ABAP, SAP S/4HANA HCM PAYROLL, ServiceNow, Workday, PEGA, MS Dynamics CRM, Dell Boomi, MuleSoft, JAVA, .NET, Informatica MDM, Power BI and UiPath RPA. We run our hiring activities from our own corporate infrastructure and premises in the centre of Hyderabad. Employee career guidance and tailor-made hiring plans that help individuals get an MNC job quickly, including remote roles, are our speciality.
Job ID: 147353473
We don’t charge any money for job offers