SOC Analyst (Overview)
SIEM (Security Information & Event Management)
Host-Centric Log Sources
SOC Frameworks
Pyramid of Pain
EDR (Endpoint Detection & Response)
Important Features
Elastic Stack (ELK)
Elastic Stack is a group of tools used to collect, store, search, and visualize data such as logs and security events. It commonly includes Elasticsearch for storing and searching data, Kibana for dashboards and analysis, and data collection tools like Logstash or Elastic Agent. Elastic describes it as a platform that takes data from many sources, then lets you search, analyze, and visualize it. Beats still exist, but Elastic says Elastic Agent has replaced Beats for most use cases.
Splunk (Core Components)
The Splunk Forwarder, Indexer, and Search Head are the three main components of a Splunk deployment. They work together like this: the forwarder sends data in from the source host, the indexer stores and organizes it, and the search head lets analysts search and investigate it.
Windows Event Viewer (Quick Notes)
Which Event ID is generated when an event log is cleared? Event ID 104
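As an added defender-side example (not part of these notes): a small Python detection that parses Windows event records in the XML form Event Viewer exports and raises an alert on Event ID 104 from the Microsoft-Windows-Eventlog provider. The sample records are constructed, not real telemetry.

```python
import xml.etree.ElementTree as ET

# Windows event XML namespace used by Event Viewer's "Copy as XML" / EVTX exports.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records (not real telemetry). The first mimics Event ID 104
# from Microsoft-Windows-Eventlog ("log file was cleared"); the second is a
# routine service-state event that must not raise an alert.
SAMPLE_EVENTS = [
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>104</EventID>'
    '<TimeCreated SystemTime="2024-05-01T10:15:00Z"/><Channel>System</Channel>'
    '<Computer>WS01.corp.example</Computer></System>'
    '<UserData><LogFileCleared><SubjectUserName>jdoe</SubjectUserName>'
    '<Channel>System</Channel></LogFileCleared></UserData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="Service Control Manager"/><EventID>7036</EventID>'
    '<TimeCreated SystemTime="2024-05-01T10:16:00Z"/><Channel>System</Channel>'
    '<Computer>WS01.corp.example</Computer></System></Event>',
]


def parse_event(xml_text):
    """Extract the fields a detection needs from one Windows event XML record."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    user = root.find(".//e:SubjectUserName", NS)
    return {
        "provider": sysnode.find("e:Provider", NS).get("Name"),
        "event_id": int(sysnode.find("e:EventID", NS).text),
        "time": sysnode.find("e:TimeCreated", NS).get("SystemTime"),
        "channel": sysnode.find("e:Channel", NS).text,
        "computer": sysnode.find("e:Computer", NS).text,
        "user": user.text if user is not None else "<unknown>",
    }


def detect_log_clearing(xml_records):
    """Return one alert string per Event ID 104 record (event log cleared)."""
    alerts = []
    for record in xml_records:
        ev = parse_event(record)
        # Match on provider as well as ID: other providers reuse the number 104.
        if ev["event_id"] == 104 and ev["provider"] == "Microsoft-Windows-Eventlog":
            alerts.append(
                f"{ev['time']} {ev['computer']}: '{ev['channel']}' log cleared by {ev['user']}"
            )
    return alerts
```

Running `detect_log_clearing(SAMPLE_EVENTS)` yields a single alert for the first record; the same function can be pointed at records pulled from a SIEM export.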
SOAR
SOC Labs (Scratchpad)
1. create a punycode attack