Security Operations Center
SOC operations, SIEM, threat hunting, and security monitoring.
Overview
A SOC monitors for, detects, and responds to security incidents.
SOC Structure
Architecture Diagram
```text
┌─────────────────────────────────────┐
│             SOC Manager             │
├─────────────────────────────────────┤
│  Tier 1        Tier 2       Tier 3  │
│  Analysts      Analysts     Experts │
│  (Monitoring)  (Analysis)   (Hunt)  │
└─────────────────────────────────────┘
```
SIEM Configuration
Splunk Query
```spl
index=security sourcetype=firewall action=blocked
| stats count by src_ip
| where count > 100
| sort -count
```
ELK Stack Query
```json
{
  "query": {
    "bool": {
      "must": [
        { "match": { "event_type": "failed_login" } },
        { "range": { "@timestamp": { "gte": "now-1h" } } }
      ]
    }
  },
  "aggs": {
    "by_ip": {
      "terms": { "field": "source_ip", "size": 10 }
    }
  }
}
```
Log Sources
| Source | Purpose |
|---|---|
| Firewall | Network traffic |
| IDS/IPS | Intrusion attempts |
| Proxy | Web activity |
| Endpoint | Host events |
| Authentication | Login events |
| DNS | Domain queries |
Threat Hunting
```python
# IOC search over log lines (the sample logs below are constructed for illustration)
logs = [
    "fw src=10.0.0.1 dst=172.16.0.5 action=blocked",
    "dns query=malicious.com",
]
iocs = {
    "ips": ["10.0.0.1", "192.168.1.100"],
    "domains": ["malicious.com"],
    "hashes": ["abc123..."]
}

def alert(message):
    print(message)

# Naive substring check: "10.0.0.1" would also match "10.0.0.10"
for log in logs:
    for ip in iocs["ips"]:
        if ip in log:
            alert(f"IOC matched: {ip}")
```
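The loop above matches by substring, so the indicator 10.0.0.1 would also fire on 10.0.0.10, and it ignores the domain and hash indicators. As an added example (not part of the original page), this version extracts IP, domain and hash tokens with regular expressions, matches each exactly against the IOC set, and treats subdomains of an indicator domain as hits; the IOC values and log lines are constructed, and the hash is a made-up placeholder.

```python
import re
from typing import Dict, List

# Constructed IOC set (the hash is a made-up placeholder, not a real indicator).
IOCS: Dict[str, set] = {
    "ips": {"10.0.0.1", "192.168.1.100"},
    "domains": {"malicious.com"},
    "hashes": {"0123456789abcdef0123456789abcdef"},
}

# Constructed sample log lines; 10.0.0.10 must NOT match the IOC 10.0.0.1.
SAMPLE_LOGS: List[str] = [
    "fw src=10.0.0.10 dst=172.16.0.5 action=blocked",
    "fw src=10.0.0.1 dst=172.16.0.5 action=blocked",
    "dns client=172.16.0.9 query=cdn.malicious.com",
    "edr host=ws01 file=invoice.exe md5=0123456789ABCDEF0123456789ABCDEF",
    "proxy client=172.16.0.9 url=http://example.org/",
]

# Token-level extractors so "10.0.0.1" cannot fire on "10.0.0.10" by substring.
IPV4 = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")
DOMAIN = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
HASH = re.compile(r"\b(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})\b", re.I)

def ioc_matches(line: str, iocs: Dict[str, set] = IOCS) -> List[tuple]:
    """Return (ioc_type, value) pairs found in one log line by exact token match."""
    hits = []
    for ip in IPV4.findall(line):
        if ip in iocs["ips"]:
            hits.append(("ip", ip))
    for dom in DOMAIN.findall(line):
        labels = dom.lower().split(".")
        # The domain itself or any parent: cdn.malicious.com hits malicious.com.
        if any(".".join(labels[i:]) in iocs["domains"] for i in range(len(labels) - 1)):
            hits.append(("domain", dom.lower()))
    for h in HASH.findall(line):
        if h.lower() in iocs["hashes"]:
            hits.append(("hash", h.lower()))
    return hits

def hunt(logs: List[str], iocs: Dict[str, set] = IOCS) -> List[tuple]:
    """Scan all lines; return (line_number, ioc_type, value) for every hit."""
    return [(n, kind, value) for n, line in enumerate(logs, 1)
            for kind, value in ioc_matches(line, iocs)]

if __name__ == "__main__":
    for n, kind, value in hunt(SAMPLE_LOGS):
        print(f"line {n}: IOC matched ({kind}): {value}")
```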
Playbooks
```yaml
phishing_response:
  steps:
    - isolate_endpoint
    - collect_emails
    - analyze_attachments
    - block_sender
    - notify_users
    - update_filters
```
Practice
Set up a basic SIEM with ELK Stack and create detection rules.