1. What is a SOC used for?
A SOC (Security Operations Center) is a cybersecurity monitoring
center.
It is used to:
- Detect cyberattacks in real time
- Analyze security alerts
- Respond to incidents (phishing, malware, intrusion, etc.)
- Monitor system and network logs
- Protect an organization 24/7
In short:
A SOC is the “security control center” of an organization.
2. Lab Objectives
This SOC lab helps you:
- Understand how a real SOC works
- Learn how to analyze security logs
- Detect simulated cyberattacks
- Respond to security incidents
- Use professional cybersecurity tools (SIEM, EDR, SOAR)
3. Tools Used in a SOC Lab
1. SIEM – (e.g. Splunk or Elastic Stack)
Role:
- Collects all logs (PCs, servers, firewalls…)
- Detects suspicious behavior
- Generates security alerts
2. EDR (Endpoint Detection & Response)
Role:
- Monitors computers (endpoints)
- Detects malware and suspicious activity
3. SOAR (e.g. TheHive + Cortex)
Role:
- Automates incident response
- Manages security tickets
- Helps security decision-making
4. Network Analysis (Wireshark)
Role:
- Analyzes network traffic
- Detects suspicious connections
5. Virtual Machines (VirtualBox / VMware)
Role:
- Creates a safe SOC simulation environment
- Allows attack testing without risk
4. SOC Interface (Key Splunk Tabs)
1. Search & Reporting
Use:
- Search logs
- Filter suspicious activity
Example:
- failed login attempts
- malware detection
2. Dashboards
Use:
- Visual display of attacks
- Real-time statistics
Example:
- number of attacks per day
- suspicious IP addresses
3. Alerts
Use:
- View automatic security alerts
Example: brute force detection
4. Data Inputs
Use:
- Add log sources
- PCs, servers, firewalls
5. Settings
Use:
- SIEM configuration
- System and machine connections
5. SOC LAB – Step-by-Step Guide (Click by
Click)
STEP 1: Install the Environment
1. Install VirtualBox or VMware
- Download VirtualBox
- Install it (Next → Next → Finish)
2. Create Virtual Machines
You create:
- SOC machine (Splunk server)
- Attacker machine (Kali Linux)
- Victim machine (Windows/Linux)
STEP 2: Install SIEM (Splunk)
1. Download Splunk
- Go to official website
- Install Free/Enterprise version
2. Launch Splunk
- Click: Start Splunk
- Open browser:
```
http://localhost:8000
```
3. Login
- Username: admin
- Password: (set during installation)
STEP 3: Add Log Sources
1. Go to:
Settings → Data Inputs
2. Click:
Add Data
3. Choose:
- Files & Directories (system logs)
- Network logs (if available)
STEP 4: Launch a Simulated Attack
From attacker machine:
Examples:
- Brute force login attack
- Network scanning
- Malware execution test
STEP 5: Detection in SOC
1. Go to Search & Reporting
2. Run query:
```
failed login OR brute force
```
3. Result:
- Suspicious IP detected
- Multiple login attempts
STEP 6: Dashboard Analysis
Go to:
Dashboards
You will see:
- Attack graphs
- Traffic spikes
- Attacking IPs
STEP 7: Create an Alert
1. Go to Search
2. Click:
Save As → Alert
3. Configure:
- Trigger if > 5 failed logins
- Action: notification
STEP 8: Incident Response (SOAR)
In TheHive:
1. Create an incident ticket
- Type: Brute Force Attack
2. Add:
- Attacker IP
- Splunk logs
3. Actions:
- Block IP
- Isolate victim machine
STEP 9: Final Validation
You should confirm:
- Attack detected
- Alert generated
- Incident created
- Response executed
6. Final SOC Lab Result
At the end of the lab, you have:
- Real-time attack detection
- Log analysis in SIEM
- Security alerts triggered
- Incident response executed
- Attack successfully blocked
Simple Summary
SOC = detect + analyze + respond
Tools used:
- SIEM (Splunk)
- SOAR (TheHive/Cortex)
- EDR systems
- Wireshark
Copyright © All rights reserved.