An Automatic Discount of $100 will be Applied at the Checkout

    Security Operation Center (SOC) Guide for SOC Analyst – SIEM Tools & Use Cases Overview

    • Date April 28, 2021
    • Comments 0 comment
    • Tags

    This blog helps you to understand the operational goal of SOC and how we can build use cases using Splunk (one of the famous SIEM tools). This blog will help Student, Fresher, Industry Expert who wants to work for the Security Operation Center.

    What is security Operation?

    Security Operation is the continuous operational practice for maintaining and managing a secure IT environment through the Implementation and execution of certain services and process its main purpose is to detect, prevent, prioritize and respond to security incidents. here you can refer How to Build and Run a Security Operations Center

    Security Operation Consist of various security operation tasks, which include

    • Security Monitoring
    • Security Incident Management
    • Vulnerability Management
    • Security Device Management
    • Network flow Monitoring

    Security Operation Center

    SOC is a centralized unit and a single point of view through which an organization’s assets are monitored, assessed, and defended from the threats. It also facilitates situational awareness and real-time alerting if any intrusion or attack is detected.

    SOC capabilities

    • Situational Awareness and operational intelligence – SOC provides information about what is going on across the different parts of IT infrastructure. It also provides Operational intelligence about IT infrastructure.
    • Threat control and prevention – Using Internal and external resource it provides the knowledge of IOC’S (Indicator of compromise) of attacks this enables SOC to provide Threat control and prevention.
    • Forensics – SOC analysts use structured log data to conduct an investigation and understand the root cause of the attack and also restrict the attacker’s ability to perform an attack against the organization.

    What Operations carried out in Security Operation Center?

    1. Log Collection – Logs are collected from the various devices on a network that can have an impact on the security of the organization.
    2. Log Retention and Archival – Collected logs are stored centrally and logs always have Retention and Archival period for better management.
    3. Log Analysis – logs are analyzed through different SOC technology to extract information from raw data.
    4. Monitoring of Security Environments for security Events – Information received by log analysis is transferred to the SOC team for monitoring purposes so that it can be used to identify the current security position of an organization.
    5. Event Correlation – The events from the various source are correlated and contextualized based on a set of predefined correlation rules.
    6. Incident Management – Prioritization of Incident as per the predefined rules and objectives.
    7. Threat Identification and Reaction – It is a process of determining threats correctly and a proactive measure obtained through. A SOC reacts either re-actively or proactive to threats.
    8. Reporting – It generates Client detailed Security report

     

    SOC-as-a-Service |

     

    Security Operation Center Work Flow.

     

     

    Components of Security Operation Center.

    People < >Process < > Technology
    Security Operations Center (SOC) Services | Management case ...

     

    Type of Security Operation Center Models.

     

    • Internal SOC model
    • Outsourced SOC model
    • Hybrid SOC model

     

    SOC Implementation phases

     

    Difference Between Log Event and Incident

    So let’s understand where we can find logs that we need to collect for the Security Operation center and how to build use cases for detection of an incident.

    Window Logs and location

    Windows Event log audit configuration is recorded based on the registry key.

    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eve ntLog


    In windows, machine event log are stored in system32\winevt\logs as shown below.

    In windows, machine events is stored in Event viewer which you can open through RUN “eventvwr”.

    Linux Log and Location

    Mac Log and Location

    Mac Log and Location

     

    Firewall Log and Location


    Web server Log and Location

     

     

    Based on these log we can create a centralized log mechanism and able to identify potential incident. lets talk about some case studies using SPLUNK.

    USE CASES of Operational Intelligence using SPLUNK

    CASE STUDY 1

    Solution:

    CASE STUDY 2

    Solution:

     

    CASE STUDY 3

    Solution:

    USE CASES for threats using SPLUNK

    XSS Attack detection using Splunk

    Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other.

    Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user’s data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application’s functionality and data.

    SQL Attack Detection using SPLUNK

    SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.

    In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure or perform a denial-of-service attack.


    Directory Traversal Detection using SPLUNK

    Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.

    Likewise, we can detect all the threats using SPLUNK. Thanks for your time I hope you all have a seriously awesome week. This is just an overview let me know if you need more guidance for the same. 

    You can take a completeSOC Analyst Trainingfor Level 1 and Level 2 Analyst

    author avatar
    lms-admin

    You may also like

    Shodan_Search_700x
    What is Shodan and How to Use it for Finding Vulnerable Devices?
    21 June, 2023
    Kali_Linux_2023.1_a741f40c-aae1-484a-8557-22d1d154415f_700x
    Kali Linux 2023. 1 Released – New To Both Offensive & Defensive Security
    15 March, 2023
    active_directory_cheatsheet_700x
    Active Directory Exploitation Cheat Sheet – 2023
    23 February, 2023

    Leave A Reply

    Your email address will not be published. Required fields are marked *

    4.7
    Rated 4.7 out of 5
    4.7 out of 5 stars (based on 6 reviews)
    Excellent67%
    Very good33%
    Average0%
    Poor0%
    Terrible0%

    Certified course !

    Rated 4 out of 5
    July 17, 2023

    “The information was useful and a good starting point for someone looking to get into the Security industry.

    This course provided complete information about soc and cyber security.which is very helpful to freshers

    Sikandar

    Definitely a very good course I am looking all these days..!!

    Rated 5 out of 5
    August 30, 2020

    “i left the rating because i really enjoy the course 🙂 He is extremely knowledgeable in this topic I plan on taking his other courses because o how knowledgeable he is and how easy it is too learn.

    Wesley vincent

    Thanks for the real time examples and explanation..

    Rated 4 out of 5
    August 11, 2020

    “I’m just re-entering this field, and this has given me a rough draft of the path I want to follow. I was having a difficult time trying to relate my other security skills into the cyber world, but the accessibility of the instructor as well as the provided resources will ease that process.

    Abubacker siddiq

    Impressive course

    Rated 5 out of 5
    July 15, 2020

    A very impressive course with many detailed information about ethical network hacking as well as very knowledgeable and teachable tutor

    Marwan Mohamed

    thank you!

    Rated 5 out of 5
    July 4, 2020

    “I learned and understood effectively what is SOC analyst in his day to day duties.

    Very easy to understand, I’m so glad I found it. Thank you

    daniel john

    Subscribe our Newsletter

    Subscribe to get Advanced Cyber Security Courses, E-books and Cyber Security News.

    100% free, Unsubscribe any time!

    Ethical Hackers Academy is the #1 most trusted e-Learning portal with 100+ advanced cyber security courses for students and working professionals worldwide. 

    Company

    Secured Access

    Follow Us

    Facebook Instagram Linkedin

    © 2023 Ethical Hackers Academy

    We Accept
    American Express Apple Pay Diners Club Discover JCB Mastercard Visa