Security Operations (SOC) 201

Take your SOC skills to the next level with our intermediate-level course focusing on incident response and threat hunting.

Training for a team or organization? Contact us about group access.


Start Learning This Course Today

The All-Access Membership gives you unlimited access to this course, hands-on labs, and a complete library of cybersecurity training. Everything you need to build real-world skills is included.


  • Difficulty: Intermediate
  • Duration: 25h
  • Access: Included in Membership

Overview

Security Operations (SOC) 201 is an intermediate-level security operations course designed to enhance your skills in detecting, investigating, and responding to complex cyber threats at scale. After establishing fundamental security operations knowledge and practical skills in SOC 101, the next logical step is to progress your career by applying advanced investigation methodologies and grasping the responsibilities of an Incident Responder and Threat Hunter.

The SOC 201 curriculum teaches analysts how to identify, hunt, and respond to real-world adversary tactics and techniques. With a practical, hands-on focus, the curriculum provides realistic scenarios where students investigate sophisticated threats across multiple systems, learning to detect and respond effectively in enterprise-scale environments. The course also integrates proactive threat hunting as part of a continuous detection and response cycle, giving analysts the mental models to identify active threats, uncover gaps, and feed insights back into investigative processes to improve future detection and response efforts.

Key Topics

  • Developing an investigator’s methodology
  • Incident Response
  • Threat Hunting
  • Data transformation techniques
  • Understanding and identifying anomalies
  • Evidence collection and handling at scale
  • Using PowerShell for Incident Response
  • Hunting and responding to advanced threats following MITRE ATT&CK TTPs
  • Incident investigation and root cause analysis

Live Training Available for This Topic

Looking to go deeper? This course aligns with upcoming instructor-led sessions covering real-world applications and guided labs.

Objectives

Develop a Methodology for Incident Response:

  • Develop a robust and reliable investigator’s mindset to approach incidents methodically.

Develop a Threat Hunting Methodology:

  • Learn industry-standard methodologies and tools for detecting, hunting, and responding to cyber threats across enterprise environments

Perform Incident Response & Threat Hunting:

  • Gain experience performing incident response and threat hunting at scale.

Using the MITRE ATT&CK Framework to Investigate Events:

  • Learn to investigate and identify advanced adversary tactics following the MITRE ATT&CK framework, including execution artifacts, lateral movement, credential theft, living-off-the-land techniques, persistence, defense evasion, command and control, and many more.

Investigating Security Incidents:

  • Investigate the root cause of security incidents by uncovering the entry point and initial attack vector and scoping the full set of compromised systems.
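The Key Topics and Objectives above name evidence collection at scale, data transformation, anomaly identification, and PowerShell for incident response without showing what that looks like in practice. The script below is an added illustration, not course material or code from TCM Security: it collects a small triage set (processes with hashes, established connections, enabled scheduled tasks, and 24 hours of 4624 logon events) from several hosts over PowerShell Remoting, hashes the output files for the case record, then stacks process hashes across the fleet and runs two simple anomaly checks. The host names are placeholders, and it assumes WinRM is enabled and the caller is a local administrator on every target.

```powershell
# Added example (not course material): fleet triage collection and stacking.
# Assumes WinRM/PowerShell Remoting is enabled and the caller has local admin
# on the targets. Host names below are placeholders.
$Targets = @('WS01', 'WS02', 'SRV-FILE01')
$OutDir  = Join-Path $env:USERPROFILE "ir-triage-$(Get-Date -Format yyyyMMdd-HHmmss)"
New-Item -ItemType Directory -Path $OutDir | Out-Null

# Runs on each remote host. Returns plain objects so they serialize cleanly.
$Collect = {
    $h = $env:COMPUTERNAME
    $procs = Get-CimInstance Win32_Process | ForEach-Object {
        [pscustomobject]@{
            Host        = $h
            Pid         = $_.ProcessId
            ParentPid   = $_.ParentProcessId
            Name        = $_.Name
            Path        = $_.ExecutablePath
            CommandLine = $_.CommandLine
            Sha256      = if ($_.ExecutablePath -and (Test-Path $_.ExecutablePath)) {
                              (Get-FileHash -Algorithm SHA256 -Path $_.ExecutablePath).Hash
                          } else { $null }
        }
    }
    $net = Get-NetTCPConnection -State Established |
        Select-Object @{n='Host';e={$h}}, LocalAddress, LocalPort,
                      RemoteAddress, RemotePort, OwningProcess
    $tasks = Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        [pscustomobject]@{
            Host   = $h
            Task   = $_.TaskPath + $_.TaskName
            Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }
    # Last 24h of successful logons (4624); the fields are parsed from the event XML.
    $logons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddDays(-1)} `
                  -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Host = $h; Time = $_.TimeCreated; User = $d.TargetUserName
            Domain = $d.TargetDomainName; LogonType = $d.LogonType; Source = $d.IpAddress
        }
    }
    [pscustomobject]@{ Processes = $procs; Network = $net; Tasks = $tasks; Logons = $logons }
}

$results = Invoke-Command -ComputerName $Targets -ScriptBlock $Collect -ErrorAction Continue

# Evidence handling: flatten per-host results, write one CSV per dataset, and
# record SHA-256 hashes of the output files so the collection can be verified later.
$data = @{}
foreach ($set in 'Processes', 'Network', 'Tasks', 'Logons') {
    $data[$set] = @($results | ForEach-Object { $_.$set })
    $data[$set] | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "$set.csv")
}
Get-ChildItem $OutDir -Filter *.csv | Get-FileHash -Algorithm SHA256 |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'manifest-sha256.csv')

# Data transformation: stack process hashes across the fleet. Binaries seen on
# only one host (lowest counts) are the first thing to review.
$data.Processes | Where-Object Sha256 | Group-Object Sha256 | Sort-Object Count |
    Select-Object -First 20 Count,
        @{n='Name';e={$_.Group[0].Name}},
        @{n='Path';e={$_.Group[0].Path}},
        @{n='Hosts';e={($_.Group.Host | Sort-Object -Unique) -join ','}}

# Anomaly check: core Windows process names running from an unexpected directory
# (a common masquerading pattern).
$data.Processes | Where-Object {
    $_.Name -in 'svchost.exe', 'lsass.exe', 'csrss.exe', 'services.exe', 'explorer.exe' -and
    $_.Path -and $_.Path -notmatch '^C:\\Windows\\(System32\\[^\\]+|explorer\.exe)$'
}

# Anomaly check: network (type 3) and RDP (type 10) logons, grouped by source and
# target host, to spot a single source reaching many machines.
$data.Logons | Where-Object { $_.LogonType -in '3', '10' -and $_.Source -notin '-', '127.0.0.1', '::1' } |
    Group-Object Source, Host | Sort-Object Count -Descending | Select-Object Count, Name
```

Two practitioner notes. First, this collects from live systems and so disturbs volatile state; on a host you intend to image, acquire memory before running anything like this. Second, the stacking and path checks only surface candidates: a binary unique to one host is often a legitimate one-off install, and a hit has to be confirmed against the command line, parent process, and signer before it becomes a finding.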

System Requirements

To get the most out of this course and follow along with the labs, you will at times need to run two or three virtual machines (VMs) simultaneously.

Your BIOS/UEFI firmware must have hardware virtualization enabled (Intel VT-x or AMD-V).

Processor: 64-bit Intel i5 or i7, 2.0 GHz or higher.

RAM: 16GB of RAM or more is required to efficiently run multiple VMs.

Disk Space: 250 GB of free storage. SSDs are recommended for better performance.

Note: Apple Silicon devices cannot run the course's x86-64 lab VMs natively, since they only virtualize ARM guests. Hardware with native x86-64 support is highly recommended.

Prerequisites

This course relies heavily on working with IR investigations and forensic artifacts, but does not cover learning basic analysis tools. It is strongly recommended to have taken or be familiar with the Security Operations (SOC) 101 material and its prerequisites, which include experience with:

  • Networking & Operating System Fundamentals
    • Practical Help Desk (PHD) or equivalent
  • Security Operations Fundamentals
  • Network Traffic Analysis
  • Endpoint Security Monitoring
  • Log Analysis and Management
  • Security Information and Event Management (SIEM)
  • Familiarity with common Windows-based digital forensic artifacts

Recommended For

SOC 201 is designed for individuals seeking to advance their defensive security skills beyond foundational knowledge. Ideal candidates include those already familiar with core SOC concepts who are ready to develop expertise in investigating and responding to sophisticated cyber threats.

This course is well-suited for:

  • Tier 2 Security/SOC Analysts
  • Tier 3 Security/SOC Analysts
  • Incident Responders
  • Threat Hunters
  • Digital Forensic Examiners

Course Curriculum

  • Introduction
    • Course Introduction
    • Prerequisites and Course Resources
    • Course Discord and Support
  • Lab Setup
    • Installing Oracle VM VirtualBox
    • Installing Windows
    • Configuring Windows
    • Installing Ubuntu
    • Configuring Ubuntu
    • Configuring the Lab Network
  • Security Operations Fundamentals
    • The SOC and Its Role
    • Day in the Life of a SOC Analyst
    • Information Security Refresher
    • SOC Models, Roles, and Organizational Structures
    • Incident and Event Management
    • SOC Metrics
    • SOC Tools
    • Common Threats and Attacks
    • ✏️ Quiz – Security Operations Fundamentals
  • Phishing Analysis
    • Introduction to Phishing
    • Email Fundamentals
    • Phishing Analysis Configuration
    • Phishing Attack Types
    • Phishing Attack Techniques
    • Email Analysis Methodology
    • Email Header and Sender Analysis
    • Email Authentication Methods
    • Email Content Analysis
    • The Anatomy of a URL
    • Email URL Analysis
    • Email Attachment Analysis
    • Dynamic Attachment Analysis and Sandboxing
    • Static MalDoc Analysis
    • Static PDF Analysis
    • Automated Email Analysis with PhishTool
    • Reactive Phishing Defense
    • Proactive Phishing Defense
    • Documentation and Reporting
    • 🧪 Phishing Analysis Challenge 1
    • 🧪 Phishing Analysis Challenge 2
    • 🧪 Phishing Analysis Challenge 3
    • Additional Practice
    • ✏️ Quiz – Phishing Analysis
  • Network Security
    • Introduction to Network Security
    • Network Security Theory
    • Packet Capture and Flow Analysis
    • Introduction to tcpdump
    • tcpdump: Capturing Network Traffic
    • tcpdump: Analyzing Network Traffic
    • tcpdump: Analyzing Network Traffic (Sample 2)
    • 🧪 tcpdump Challenge 1
    • Introduction to Wireshark
    • Wireshark: Capture and Display Filters
    • Wireshark: Statistics
    • Wireshark: Analyzing Network Traffic
    • 🧪 Wireshark Challenge 1
    • Intrusion Detection and Prevention Systems
    • Introduction to Snort
    • Snort: Reading and Writing Rules
    • Snort: Intrusion Detection and Prevention
    • 🧪 Snort Challenge 1
    • Additional Practice
    • ✏️ Quiz – Network Security
  • Endpoint Security
    • Introduction to Endpoint Security
    • Endpoint Security Controls
    • Creating Our Malware
    • Windows Network Analysis
    • Windows Process Analysis
    • Windows Core Processes (Part 1)
    • Windows Core Processes (Part 2)
    • The Windows Registry
    • Windows Autoruns (Part 1)
    • Windows Autoruns (Part 2)
    • Windows Service Analysis
    • Windows Scheduled Tasks
    • 🧪 Windows Endpoint Analysis Challenge 1
    • Windows Event Logs
    • 🧪 Windows Events Challenge 1
    • Introduction to Sysmon
    • Sysmon Events
    • Linux Network Analysis
    • Linux Process Analysis
    • Linux Cron Jobs
    • 🧪 Linux Endpoint Analysis Challenge 1
    • Introduction to LimaCharlie
    • LimaCharlie: Endpoint Detection and Response
    • LimaCharlie: Deploying Endpoint Agents
    • ✏️ Quiz – Endpoint Security
  • Security Information and Event Management (SIEM)
    • Introduction to SIEM and Log Management
    • SIEM Architecture
    • SIEM Deployment Models
    • Log Types
    • Log Formats
    • Common Attack Signatures: User Behavior
    • Common Attack Signatures: SQL Injection
    • Common Attack Signatures: Cross-Site Scripting
    • Common Attack Signatures: Command Injection
    • Common Attack Signatures: Path Traversal and Local File Inclusion
    • Command Line Log Analysis
    • Pattern Matching
    • Structured Log Analysis
    • 🧪 Log Analysis Challenge 1
    • Introduction to Splunk
    • Splunk: Initial Walkthrough
    • Splunk: Importing and Exploring Events
    • Splunk: Search Processing Language (SPL)
    • Splunk: Search Commands
    • Splunk: Reports and Alerts
    • Splunk: Creating Dashboards
    • 🧪 [Live] Splunk: Website Defacement Investigation
    • 🧪 Splunk: Ransomware Challenge
    • Splunk: Deploying a Forwarder and Generating Real-Time Alerts
    • Section Cleanup
    • ✏️ Quiz – SIEM
  • Threat Intelligence
    • Introduction to Threat Intelligence
    • Types of Threat Intelligence
    • The Threat Intelligence Cycle
    • The Diamond Model of Intrusion Analysis
    • The Cyber Kill Chain
    • The Pyramid of Pain
    • MITRE ATT&CK
    • 🧪 MITRE ATT&CK Challenge 1
    • Introduction to YARA
    • YARA: Reading and Writing Rules (Part 1)
    • YARA: Reading and Writing Rules (Part 2)
    • 🧪 YARA Challenge 1
    • Introduction to MISP (Malware Information Sharing Platform)
    • MISP: Event Management
    • MISP: Ingesting Threat Intelligence Feeds
    • ✏️ Quiz – Threat Intelligence
  • Digital Forensics
    • Introduction to Digital Forensics
    • The Digital Forensics Investigation Process
    • Order of Volatility
    • Chain of Custody
    • Introduction to FTK Imager
    • FTK Imager: Forensic Image Acquisition
    • FTK Imager: Memory Acquisition
    • Common Windows Forensic Artifacts
    • Windows Forensic Artifacts: User and System
    • Windows Forensic Artifacts: Files
    • Windows Forensic Artifacts: Program Execution
    • LNK Files, Prefetch Files, and Jump Lists
    • Windows Forensic Artifact Triage
    • Introduction to Volatility
    • Volatility: Memory Analysis
    • Volatility: Network Memory Analysis
    • Volatility: Process Memory Analysis
    • Volatility: Registry Memory Analysis
    • 🧪 Volatility Challenge 1
    • ✏️ Quiz – Digital Forensics
  • Incident Response
    • Introduction to Incident Response
    • Incident Response Frameworks
    • Preparation
    • Identification
    • Containment
    • Eradication
    • Recovery
    • Lessons Learned
    • ✏️ Quiz – Incident Response
  • Conclusion
    • Course Wrap Up
    • Next Steps: Practical SOC Analyst Associate (PSAA)

This Course Is Included in Your All-Access Membership

One membership gives you ongoing access to Security Operations SOC 201, every other paid Academy course, and an active community of learners and mentors in Discord.

INSTRUCTORS

Meet Your Instructor

Learn from industry experts with real-world cybersecurity experience.

Andrew Prince

Andrew is a seasoned and passionate security professional who brings a wealth of experience in areas such as security operations, incident response, threat hunting, vulnerability management, and cloud infrastructure security.

With a professional background in development and system administration, Andrew offers a well-rounded perspective on his security strategy. Andrew also navigates both offensive and defensive operations to provide a holistic approach to keeping people, processes, and technology secure. He is also active in developing various Capture the Flag challenges, creating security training, and sharing knowledge through content creation.

Prepare for the Practical SOC Analyst Professional (PSAP) Exam

The PSAP certification will assess a student’s ability to identify, analyze, and respond to a realistic compromise scenario.
Pair the Security Operations (SOC) 201 course with the PSAP exam to validate your skills with a recognized credential.

FAQS

Common Questions

Here are a couple of our most commonly asked questions, contact us if you don’t find an answer!

Can I get a refund if I'm unhappy with my purchase?

Yes. All courses come with a 24-hour money-back guarantee.

Will I receive a certificate of completion when I finish a course?

Yes. All courses come with a certificate of completion.

Do the courses count as Continuing Education Units (CEUs)?

Yes. Every certificate of completion comes with the total CEUs earned listed on the certificate.

What is the All-Access Membership?

As of July 1st, 2023 TCM Academy transitioned to a monthly subscription model, where you now receive full access to all of the courses on our platform for as long as your subscription remains active.

What if you already own courses on TCM Academy?

If you already own a course on our platform, you will continue to own that course. Previously owned courses will not be affected by this change.

I can see the course, but it won’t load or play. What should I do?

We use Cloudflare to protect our course platform and, unfortunately, it does not play nicely with VPNs. If you are experiencing issues, turn off your VPN and try again. If that does not solve the issue, please contact our support team at support@tcm-sec.com and we will help you out.

This course is included in our All-Access Membership, starting at $29.99/month.

Get full access to this course and our full course catalog when you enroll in our All-Access Membership.

Ready to level up your Cybersecurity Career?

Get unlimited access to every TCM Security Academy course, hands-on lab, and certification pathway with an All-Access Membership. Learn at your own pace, build real-world skills, and take the next step toward a career in cybersecurity.