SIEM/SOC Advanced


Nowadays, a Security Operations Center (SOC) should have everything it needs to mount a competent defense of the constantly changing IT enterprise. The SOC includes a vast array of sophisticated detection and prevention technologies, cyber intelligence reporting, and access to a rapidly expanding workforce of talented IT professionals. This SOC Operations course is designed for organizations implementing a SOC solution and provides full guidance on the skills and procedures needed to operate it. The training will give participants everything a SOC team needs to keep the adversary out of the enterprise.

Duration: 40 Hours

Target Audience

The course targets participants with foundation knowledge in computer networking who wish to train SOC analysts and incident responders, or who serve as corporate security analysts:

  • Tier-1 SOC analysts and operators
  • Incident responders
  • System/network administrators
  • IT security personnel
  • Future trainers

Prerequisites

  • None


Objectives

  • Provide participants with a solid understanding of the SOC environment, its roles, and its functions
  • Give participants the practical capabilities to work inside a SOC as Tier-1 analysts and incident responders
  • Provide an understanding of the work of forensic investigators in a SOC
  • Practice the acquired knowledge in real time through the simulation environment


Module 1: Intrusion Detection

During this module, participants will explore data packets at a deeper level, learn to identify network anomalies, and understand system alerts. Students will master well-known command-line interface (CLI) and graphical user interface (GUI) tools to specialize further in the field, and will learn methodologies for investigating incidents.

  • Basic Intrusion Detection Tools and Methods
    o Sysmon
    o Advanced Wireshark
    o Uncovering User-Accounts
    o OS Fingerprinting
    o GeoIP Integration
    o Streams Analysis
    o Incident Investigation
    o Hashing Tables
    o Analyzing Cyber-Events
    o Web-Filtering
    o Network Events
    o TShark: Wireshark CLI Tool
  • Using the Scapy Module
    o Crafting and Analysing Packets
    o Working with PCAP Files
    o Replaying Packets for Investigation

Module 2: Using the SIEM

This module drills down into the SIEM (Security Information and Event Management), the primary system used by SOC analysts to monitor the network. Participants will install a freely available open-source SIEM platform and simulate different scenarios in a pre-prepared virtual environment that mimics an organization. The virtual environment includes a firewall, a WAF, a domain controller, and an antivirus. During this part, students will have to demonstrate the practical capabilities they acquired during the course and operate in a real-time environment.

Building SIEM Environment

  • Installing AlienVault
  • Running and Configuring your SIEM
  • SIEM Monitoring and Correlation
  • Notifications
  • Setting Up an Open Source SIEM
  • Connecting Devices to the SIEM
  • Vulnerability Assessment and Monitoring
  • File Integrity Monitoring
  • Deploying Security-Onion
  • Installing and Configuring Security-Onion
  • Upgrading your Log Filtering with Bro
  • Setting Your Methodology for Cyber Threats
  • Network and Host DLP Monitoring and Logging

Monitoring using the Virtual Environment

  • Firewall Monitoring and Management using Glasswire
  • Centralized Logging Platforms
  • Email and Spam Gateway and Web Gateway Filtering
  • Threat Monitoring and Intelligence
  • Application Whitelisting or File Integrity Monitoring
  • Vulnerability Assessment and Monitoring
  • Setting Your Methodology for Cyber Threats

Module 3: Windows Management Instrumentation (WMI)

This module explains and expands on the use of Windows Management Instrumentation. Students will learn how the core management process is accomplished and how to use WMI to manage both local and remote computers on the LAN, consolidating the acquired knowledge into building tools with PowerShell scripts and regular WMI usage.

WMI Architecture

  • WMI Classes and Namespaces
  • Using WMI Methods
  • Associations
  • Working with Remote Computers
  • Access to the Registry
  • Information Gathering
  • Storage Information
  • Command Execution
  • WMI Common Events
  • Detection with WMI

Module 4: SOC and IR

This module teaches the student to manage an enterprise security incident while avoiding common errors, increasing both the effectiveness and the efficiency of incident response efforts.

Tools and Techniques for Digital Investigations

  • Analysis of data formats for investigative purposes
  • Behavior Analysis
  • Review of Data Collection Techniques
  • IR Essentials
  • Base Policy and Common Detection
  • Fingerprinting New Systems
  • Intro to Threat Hunting