SOC Analyst


Table of Contents


Nowadays, a Security Operation Centers (SOC) should have everything it needs to mount a competent defense of the constantly changing IT enterprise. The SOC includes a vast array of sophisticated detection and prevention technologies, cyber intelligence reporting, and access to a rapidly expanding workforce of talented IT professionals.

This SOC Operation course is designed for SOC organizations to implement a SOC solution and provide full guidance on the necessary skills and procedures to operate it. The training will provide participants with all aspects of a SOC team to keep the enterprise’s adversary.

How to make the most of this course?

In order to succeed in the course, the following requirements must be met:

  • Participation in all practical laboratories
  • Self-work at home between lessons
  • Repetition of materials, self-learning, performing tasks, etc…

In addition to regular classroom studies, the participant is required to practice at least 10 hours a week in order to gain practical experience in the field.
A personal computer suitable for running virtual machines, with an Internet connection
Transition of the scenarios in the Cyberium Arena.

Target audience

The course targets participants with foundation knowledge in computer networking.

  • Incident responders
  • System/network administrators
  • Computer specialists to begin or evolved in cybersecurity with network foundation knowledge
  • People implicated in internal security policy


  • Provide participants with a solid understanding of the SOC environment, its roles, and functionalities
  • Provide the participants the ability to gain practical capabilities of working inside a SOC
  • Practice the acquired knowledge in real-time through the simulation environment


To be best prepared to succeed in this program, participants should have basic familiarity or experience with:

  • Principles of network connectivity.
  • Principles of IT systems
  • Principles of Information Systems
  • Basic operating system fundamentals with Linux.



During this module, participants will further explore data packets’ and study on a deeper level, learn to identify network anomalies, and understand system alerts. Students will master the use of well-known command-line-interface (CLI) and graphic-user-interface (GUI) tools to further specialize in the field. Students will learn methodologies to approach investigations of incidents.

Technical content

  • Networking
    Network Protocols
    The OSI Model
    Analyzing Packets

  • Basic Intrusion Detection Tools and Methods
    GeoIP Integration

  • Using the Scapy Module
    Crafting and Analysing Packets
    Working with PCAP Files
    Replaying Packets for Investigating


Companies regularly deploy various security technologies designed to prevent and detect threats and strengthen and protect assets. During this module, we will detail SOC environments and how they work. The student will know to build and properly configure his SOC environment and correlate it with other security products/assets. Having a SOC allows you to have dynamic security that acts as a real bastion of analysis, monitoring, prevention, and remediation.

Technical content

  • Preparing the Framework
    Introduction to ELK
    Deploying Beat
    Identifying Threats
    Aggregating Data
    Real-Time Monitoring
  • Hands-on PfSense
    Setting and Configuring Rules
    Passing Traffic using the NAT Feature
    Configuring Firewall Rules
    Managing Network Security

Learning about the SIEM (Security Information and Event Management), the primary system used by SOC analysts for monitoring the network. Participants will install a freely-available open-source SIEM platform and simulate different scenarios through a pre-prepared virtual environment, mimicking an organization.

Technical content
  • Building SIEM Environment Configuring Your Domain Setting-Up an Open Source SIEM Deploying Security-Onion Network and Host DLP Monitoring and Logging
  • Monitoring using the Virtual Environment Firewall Monitoring and Management Email and Spam Gateway and Web Gateway Filtering Vulnerability Assessment and Monitoring Setting your Rules for Cyber Threats


In this module, students will learn to use the Windows Management Instrumentation. Students will learn how the core management process is accomplished and use WMI to manage both local and remote computers on the LAN network to consolidate the acquired knowledge into building tools skills in PowerShell scripts and regular WMI usage.

Technical content

  • WMI Architecture
    Using WMI Methods
    Working with Remote Computers
    Access to the Registry
    Information Gathering
    Storage Information
    Command Execution
    Common Events
    Detection with WMI


The following labs are part of the actual course:

  • Lab 1 ​Wireshark
  • Lab 2 Iptables
  • Lab 3 Basic Log Filtering
  • Lab 4 Advanced Log Filtering
  • Lab 5 Volatility
  • Lab 6 Basic Tshark
  • Lab 7 Advanced Wireshark
  • Lab 8 Advanced Tshark
  • Lab 9 Snort & Snort Alerts
  • Lab 10 PfSense
  • Lab 11 ELK Filtering

Real Cases Studies

Case Study #1( SCCA001)
During the coronavirus, a medical research university suffered a data breach. Criminal groups seek to exploit the crisis for financial gain. We need to track down their actions to understand what was stolen. Our tech engineer captured the network traffic during the attack; you have the task to solve the incident.
Case Study #2 (SCCA002)
Recently a large insurance company called VitaLife has suffered a severe breach. The SOC team that worked on that breach that day are still investigating the scene. You have been asked to filter through those logs to find the possible cause of the attack.
Case Study #4 (SCCA004)
Financial company in Asia suffered from a ransomware attack, which made them pay $1 million in bitcoin to restore encrypted files. They hired you as a specialist to help them find any traces. The SOC team was able to monitor some of that traffic that might contain valuable information related to the attack.
Case Study #5 (SCCA005)
A company suspects it has been attacked and needs your help in finding network traces left by a group of hackers that are targeting several businesses and organizations in Germany.
Previous slide
Next slide
BT22 SOC Analyst

 Course type

This course is delivered in the following ways:

  • Virtual classroom with proctored labs and scenarios executed in our Cyberium Arena
  • In situe classroom with proctored labs and scenarios executed in our Cyberium Arena

All sessions are recorded and attendees can replay them  during 30 days. All course material is electronically made available to the participant.

 Course Group:


 Hands-on / Theory MiX

The following course incorporates a high level of hands-on labs exercises, as well as real life case studies.

1 %
Case Studies


In conjunction with course  SOC Analyst, the present course prepares the participant to the following certifications:

  • GSEC (SANS),

Required EqUIPMENT

Network connection

As this course extensively uses a cloud based Learning Management System, including a lab arena, attendees need a stable broadband connection to the Internet.

BYOD – Bring Your Own Device

As it is a very practical course, and in order for the participants to make the most of the course, they need a laptop with the following capabilities:

  • Audio and Video
  • 8 GB RAM
  • 200 GB Disk Space
  • Virtualization capabilities ( supporting latest version of Virtualbox or similar virtual machine application)

And also a Good Headset with Mic

More Details