SIEM/SOC Advanced



Table of Contents


Nowadays, a Security Operation Center (SOC) should have everything it needs to mount a competent defense of the constantly-changing IT enterprise.
The SOC includes a vast array of sophisticated detection and prevention technologies, cyber intelligence reporting, and access to a rapidly expanding workforce of talented IT professionals.
This SOC Operation course is designed for SOC organizations implementing a SOC solution and provides full guidance on the necessary skills and procedures to operate it. The training will provide participants with all aspects needed for a SOC team to keep the adversary out of the enterprise.

How to make the most of this course?

In order to succeed in the course, the following requirements must be met:

  • Participation in all practical laboratories
  • Self-work at home between lessons
  • Repetition of materials, self-learning, performing tasks, etc…

In addition to regular classroom studies, the participant is required to practice at least 10 hours a week in order to gain practical experience in the field.
A personal computer suitable for running virtual machines, with an Internet connection
Transition of the scenarios in the Cyberium Arena.

Target audience

The course targets participants with foundation knowledge in computer networking, who wish to train SOC analysts and incident responders, or individuals who serve as corporate security analysts. Tier-1 SOC analysts and operators.

  • Incident responders
  • System/network administrators
  • IT security personnel
  • Future trainers


  • Provide participants with a solid understanding of the SOC environment, its roles, and functionalities
  • Provide the participants the ability to gain practical capabilities of working inside a SOC as Tier-1 analysts and incident responders
  • Understanding the work of forensic investigators in a SOC
  • How to practice the acquired knowledge in real-time through the simulation environment


To be best prepared to succeed in this program, participants should have basic familiarity or experience with:

  • Principles of network connectivity.
  • Principles of IT systems
  • Principles of Information Systems
  • Basic operating system fundamentals including Windows or Linux.

As well as knowledge of the syllabus covered in course NS 107 SIEM/SOC Intermediate



During this module, participants will further explore the study of data packets on a deeper level, learn to identify network anomalies, and understand system alerts. Participants will master the use of well-known command-line-interface (CLI) and graphic-user-interface (GUI) tools to further specialize in the field. Participants will learn methodologies to approach investigations of incidents.

Technical content

  • Basic Intrusion Detection Tools and Methods
    o Sysmon
    o Advanced Wireshark
    o Uncovering User-Accounts
    o OS Fingerprinting
    o GeoIP Integration
    o Streams Analysis
    o Incident Investigation
    o Hashing Tables
    o Analyzing Cyber-Events
    o Web-Filtering
    o Network Events
    o TShark: Wireshark CLI Tool
  • Using Scapy Module
    o Crafting and Analysing Packets
    o Working with PCAP Files
    o Replaying Packets for Investigating


This module will drill down to SIEM (Security Information and Event Management), the primary system used by SOC analysts for monitoring the network. Participants will install a freely available open-source SIEM platform and simulate different scenarios through a pre-prepared virtual environment mimicking an organization. The virtual environment will include: Firewall, WAF, a Domain Controller, and an Antivirus. During this part, participants will have to demonstrate the various practical capabilities they acquired during the course and operate in a real-time environment.

Technical content

Building SIEM Environment

  • Installing AlienVault
    ▪ Running and Configuring your SIEM
    ▪ SIEM Monitoring and Correlation
    ▪ Notifications
  • Setting-up an Open Source SIEM
    ▪ Connecting Devices to the SIEM
    ▪ Vulnerability Assessment and Monitoring
    ▪ File Integrity Monitoring
  • Deploying Security-Onion
    ▪ Installing and Configuring Security-Onion
    ▪ Upgrading your Log Filtering with Bro
  • Setting your Methodology to Cyber Threats
  • Network and Host DLP Monitoring and Logging

Monitoring using the Virtual Environment

  • Firewall Monitoring and Management using Glasswire
  • Centralized Logging Platforms
  • Email and Spam Gateway and Web Gateway Filtering
  • Threat Monitoring and Intelligence
  • Application Whitelisting or File Integrity Monitoring
  • Vulnerability Assessment and Monitoring
  • Setting your Methodology to Cyber Threats


This module will explain and expand on the use of Windows Management Instrumentation. Participants will learn how to accomplish the core management process and to use WMI to manage both local and remote computers on the LAN network to consolidate the acquired knowledge into building tools skills in PowerShell scripts and regular WMI usage.

Technical content

WMI Architecture

  • WMI Classes and Namespaces
  • Using WMI Methods
  • Associations
  • Working with Remote Computers
  • Access to the Registry
  • Information Gathering
  • Storage Information
  • Command Execution
  • WMI Common Events
  • Detection with WMI


This module will teach the participant to manage an enterprise security incident, while avoiding common errors, increasing both the effectiveness and efficiency of your incident response efforts.

Technical content

Tools and Techniques for digital investigations

  • Data Analysis of data formats analysis for investigative purposes
  • Behavior Analysis
  • Review of Data Collection Techniques
  • IR Essentials
  • Base Policy and Common Detection
  • Fingerprinting New Systems
  • Intro to Threat Hunting


The following labs are part of the actual NS108 course:

  • Lab 1 ​Windows Events
  • Lab 2 Sysmon Events
  • Lab 3 Text Manipulation
  • Lab 4 Working with Tshark
  • Lab 5 ELK
  • Lab 6 Registry Analysis
  • Lab 7 Process Analysis
  • Lab 8 Advanced Filtering using Zeek
  • Lab 9 Working with WMI

Real Cases Studies

Case Study #1( SCCB001)
Rodpicom Botnet sends a message to the victim with a link to a malicious site that leads to downloadable content. The link content contained malware, which causes CPU overloads on a small advertising company customer. The company’s SOC team was asked to check the security logs on the web-server for further investigation.
Case Study #2 (SCCB002)
In the last few months, multiple groups of attackers successfully compromised corporate email accounts at various firms, using phishing techniques. As part of the security team, we need your help to find leads to the attacker.
Case Study #4 (SCCB004)
Over the past few months, hundreds of Android users have been complaining about a new piece of mysterious malware. Our company uses the system "Security Onion", and we need your help analyzing the logs it generated by the malware traffic.
Case Study #5 (SCCB005)
The web hosting company, Hostinger, has suffered a data breach. Using the access token, the hackers infiltrated a SQL database server and found a file containing a list holding millions of hashed passwords and usernames. Following the incident, the CEO hired a group of Cyber Security professionals, to work together and close the vulnerability that allowed the hackers to infiltrate the network and steal the file.
NS108 SIEM/SOC Advanced

 Course type

This course is delivered in the following ways:

  • Virtual classroom with proctored labs and scenarios executed in our Cyberium Arena
  • In situe classroom with proctored labs and scenarios executed in our Cyberium Arena

All sessions are recorded and attendees can replay them  during 30 days. All course material is electronically made available to the participant.

 Course Group: FOUNDATION


 Hands-on / Theory MiX

The following course incorporates a high level of hands-on labs exercises, as well as real life case studies.

1 %
Case Studies


This course prepares the participant to the following certifications:


Required EqUIPMENT

Network connection

As this course extensively uses a cloud based Learning Management System, including a lab arena, attendees need a stable broadband connection to the Internet.

BYOD – Bring Your Own Device

As it is a very practical course, and in order for the participants to make the most of the course, they need a laptop with the following capabilities:

  • Audio and Video
  • 8 GB RAM
  • 200 GB Disk Space
  • Virtualization capabilities ( supporting latest version of Virtualbox or similar virtual machine application)

And also a Good Headset with Mic

More Details