SIEM/SOC Intermediate


The Security Operations Center (SOC) is the front line of defense against malicious attacks on the organization’s network. SOC analysts and incident responders are responsible for the initial triage of an incident. This course covers the skills and practices needed to train such SOC personnel and to operate a modern SOC successfully. The training starts with a broad understanding of the various functions of a SOC and thorough hands-on work with its technologies, and progresses to real-time practice in a virtual simulation environment. The goal of this training is to develop a highly knowledgeable, practical, and skilled security team inside the organization that can handle cybersecurity incidents on a regular basis.

Duration: 40 Hours

Target Audience
The course targets participants with foundational knowledge of computer networking who wish to operate a SOC at the analyst and incident responder levels, as well as individuals who serve as corporate security analysts.

  • Incident responders
  • System/network administrators
  • IT security personnel

Prerequisites
  • None

Course Objectives
  • Provide students with an understanding of the SOC environment, its roles and functions
  • Gain practical capabilities for working inside a SOC as Tier-1 analysts and incident responders
  • Understand the work of forensic investigators in a SOC
  • Practice the acquired knowledge in real time in the simulation environment
  • Become familiar with different attack scenarios


Module 1: Networking Fundamentals

The first module introduces participants to the technical environment of a Security Operations Center and deepens their understanding of network processes, protocols, firewalls, IDS/IPS, and more. Finally, they become familiar with the various stages of the investigation process, which they will practice and apply at a later stage of the course.

  • Working with Linux
    o Linux Directories
    o Linux Users
    o Packages
      ▪ Package Commands
      ▪ Updating
      ▪ Installing and Managing
    o File Manipulation Commands
    o Variables
      ▪ Internal
      ▪ External
  • Terminal
    o Text and File Manipulation Techniques
  • Networking
    o Network Protocols & Data Communications
    o The OSI Model
    o Analyzing Packets using Wireshark and Tshark
      ▪ Sniffing the Network
      ▪ Analyzing Packets
      ▪ “Studying” the Network and Assets
    o Crafting and Analyzing Packets using Scapy
  • Firewalls on Windows and Linux
    o Firewall Types
      ▪ Rule-Based
      ▪ Next Generation
    o Working with Firewalls
      ▪ Linux Firewall
        • Iptables
        • UFW
      ▪ Windows Firewall and Defender
      ▪ Setting Firewall Rules
      ▪ Understanding Firewall Permissions

Module 2: Practical Incident Response

During this module, participants learn about the different roles and functions that make up the SOC environment and, more importantly, experience the various processes that run regularly in a SOC. This knowledge helps SOC staff coordinate better with one another and ensures that procedures flow correctly. By the end of this module, participants will know how to handle an incident from A to Z.

  • SOC Fundamentals
    o Roles and Responsibilities
    o Network Events
      ▪ Unsuccessful Activity Attempt
      ▪ Non-Compliant Activity
      ▪ Reconnaissance
      ▪ Investigating
      ▪ Explained Anomaly
    o Security Incidents
      ▪ Root Level Intrusion
      ▪ User Level Intrusion
      ▪ Denial of Service
      ▪ Malicious Logic
  • Identifying External/Internal Intrusions
    o Incident Response Tactics – the Phases of Incident Response
    o Awareness and Communication
  • Monitoring the System
    o Attacks Inside and Outside the Network
      ▪ Phishing Attack
      ▪ Social Engineering
      ▪ Denial of Service Floods
    o Identifying Malicious Traffic using Advanced Tshark Techniques

Module 3: IDS & IPS

During this module, participants learn to inspect the network and the machines connected to it, and explore different types of attacks, both internal and external. Students learn the difference between an event and an incident. By the end of this module, students will be able to identify, in real time, when a computer on the network is being compromised.

  • IDS and IPS Terminology
    o Intrusion Detection System (IDS)
      ▪ Network-Based
      ▪ Host-Based
    o Intrusion Prevention System (IPS)
      ▪ Network-Based
      ▪ Host-Based
    o Deploying IDS & IPS
  • Using Tshark to Identify Network Anomalies
  • Hands-on pfSense
    o Installation and Configuration
    o Setting and Configuring Rules
      ▪ Passing Traffic using the NAT Feature
      ▪ Configuring Firewall Rules
    o Managing Network Security
    o Snort

Module 4: Setting Up the SOC Environment

Companies regularly deploy a variety of security technologies designed to prevent and detect threats, as well as to strengthen and protect assets. During this module, we go into detail about SOC environments and how they work; students will know how to build and properly configure their SOC environment and learn to correlate it with other security products and assets. Having a SOC provides dynamic security that acts as a real bastion of analysis, monitoring, prevention, and remediation.

  • Preparing the Framework
    o The Elastic Stack
      ▪ Introduction to ELK
      ▪ Deploying Beats
      ▪ Identifying Threats
      ▪ Aggregating Data
    o Real-Time Monitoring
  • Reporting Methodology
    o Post-incident Analysis
    o Reporting Methodologies
    o Designing Infrastructures