
Drive security operations across level one to level three in a SOC, triaging alerts, conducting incident response and malware analysis, and proactively hunting threats with Splunk, SIEM, and EDR.
Explore SoC tools from sim to edr, threat intel, incident response tools, and itsm, showing how logs from firewalls and endpoints are analyzed, correlated, and turned into alerts and incidents.
Understand how a security information and event management tool collects, normalizes, and analyzes logs from devices and servers to detect threats, support investigation, and enable real-time response.
Explore log analysis fundamentals, including log structure, timestamps, severity, and sources across Linux and Windows, using tools like Splunk and Wazuh for incident detection and forensics.
Analyze linux logs in the /log directory, including auth.log, kernel log, and syslog, to support forensics, threat hunting, and detection of brute force and unauthorized access.
Analyze network logs from firewalls, routers, and switches to track traffic, detect scans and brute force attempts, and support blocking blacklisted IPs and unusual outbound transfers.
Define the lab's minimum hardware and software requirements for Windows or Mac hosts and Ubuntu-based components. Set up Splunk, Wazuh, and Kali on Ubuntu, with VMware or VirtualBox virtualization.
Learn to download and install Oracle VirtualBox, set up Ubuntu VMs, and prepare lab environments for Splunk, Wazuh, and Kali Linux.
Set up Ubuntu 22.04 in a VirtualBox VM named Lab agent to host Splunk, Wazuh, and Kali installations, with 1 CPU, 2 GB RAM, 20 GB disk, and OpenSSH server.
Install Splunk on Ubuntu, update apt, download with wget, install via dpkg, start Splunk, set admin user and password, and bind to 0.0.0.0 for access on port 8000.
Set up Wazuh server and agent on Ubuntu 22.04 using the quickstart curl, then verify the dashboard and open required ports (443, 80, 1514–1516) for onboarding.
Set up a Kali Linux attacker machine in VirtualBox by downloading the Kali ISO, allocating memory and disk, and completing a graphical install with hostname and user credentials.
Discover how a security information and event management (SIEM) tool collects and normalizes logs from devices and servers, aggregates data, and enables threat detection, investigation, and real-time response.
Explore Splunk’s SIM features, including data indexing, primary data search, alerts, save searches, dashboards, and the Splunk marketplace with apps, forwarder, indexer, and search head components.
Explore Splunk in a practical environment, navigating the search and reporting app, adding data sources, configuring forwarders, and building dashboards, reports, and alerts.
Learn how to ingest logs from firewalls and endpoints into Splunk with forwarders and indexers, then use Splunk Enterprise Security and Splunk Security Essentials for correlation, alerts, and dashboards.
Explore fields in Splunk search, including selected fields and interesting fields, and understand source and source type metadata such as Palo Alto and Fortinet traffic, with filtering by destination IP.
Learn to use the head command to view the latest ten events in a firewall index, then refine output with limit and table to summarize data.
Use the stats command to aggregate data, compute counts by source IP, rename fields with as, and apply value to pair source and destination IPs for failed logins.
Learn to use the time chart command to visualize trends over time by counting data per source IP address, enabling security analysts to spot spikes and exfiltration in network traffic.
Use the dedup command to create a table with source and destination IPs (and ports), then deduplicate by source IP or by source-destination IP pairs to obtain unique entries.
Investigate ssh brute force attacks with splunk on ubuntu server, analyzing failed password events to identify the user with the most attempts, and the related IP address and counts.
Learn Wazuh, an open source security monitoring platform that detects threats and file integrity changes. Integrate threat intelligence, automate operations, and perform incident response, with siem and xdr capabilities.
Explore the Wazuh demo: navigate the dashboard modules, view security events and alerts, apply filters, inspect agents, and leverage rules, decoders, MITRE mapping, and compliance tagging for unified security monitoring.
Learn to detect unauthorized file modifications with Wazuh by configuring file integrity monitoring on Ubuntu and Windows agents and viewing real-time events in the Wazuh dashboard.
Enable vulnerability detection in wazuh for ubuntu, restart the wazuh manager, and review detected vulnerabilities on the dashboard by severity. Use CVE lookups and csv export to share findings.
Detects SQL injection attempts using wazuh by analyzing curl-based requests and triggering rule 3103, logging attacker IP, URL, method, and full log message.
Learn to enumerate installed Linux software with osquery, identify unapproved tools like nmap, verify install times, and check active processes to detect potential compromises.
Identify recently created user accounts on a Linux system using osquery queries, flag suspicious usernames and accounts with unusual shells or sudo rights, and verify active sessions to assess persistence.
Detect malware making outbound connections from a temp directory using osquery queries to flag established sockets. Correlate process IDs and remote addresses to identify potential data exfiltration.
Welcome to the SOC Analyst Masterclass: Security Investigation with Splunk, Wazuh, and Osquery!
This course is designed to give you the skills and confidence to investigate, detect, and respond to real-world security incidents using leading open-source and enterprise SOC tools. Whether you’re starting your SOC career or looking to enhance your security investigation skills, this hands-on, step-by-step program will guide you through the complete process of setting up a virtual SOC lab, understanding different log types, and mastering investigation techniques.
This is a practical, Learn-by-Doing course — you’ll not only understand the theory but also build your own SOC lab, work with real logs, and replicate real-world investigation scenarios. You’ll get detailed demonstrations, guided exercises, and ready-to-use commands for Splunk, Wazuh, and Osquery so you can follow along at your own pace.
In this course, you will cover:
SOC & SIEM Fundamentals: Understand SOC roles, functions, tools, and processes. Learn core SIEM concepts and how they fit into security monitoring.
Log Types & Data Sources: Explore Windows (Event Logs, Sysmon), Linux (Syslog, Auth), and network logs (Firewall, DNS, HTTP) to understand their value in threat detection.
Lab Setup & Tools Installation: Build your own SOC lab from scratch, including Splunk, Wazuh Manager, Kali Linux, and supporting infrastructure using VMware or VirtualBox.
Security Investigations with Splunk: Perform hands-on analysis with SPL commands to investigate brute force attacks, DNS beaconing, suspicious file transfers, compromised accounts, and unauthorized cloud access.
Threat Detection with Wazuh: Investigate file modifications, brute force activity, vulnerabilities, and learn how Wazuh rules trigger alerts.
Endpoint Forensics with Osquery: Run live queries to collect endpoint data, investigate anomalies, and support incident response efforts.
By the end of this course, you will have the ability to:
Confidently investigate security incidents using Splunk, Wazuh, and Osquery
Understand how to analyze logs from multiple sources for accurate threat detection
Build and manage your own virtual SOC lab for continuous practice
Apply your skills to real-world SOC scenarios and improve your incident response capabilities
Who this course is for:
Aspiring SOC analysts, blue team members, and cybersecurity enthusiasts
IT professionals looking to transition into security operations
Anyone who wants practical, hands-on SOC investigation experience with industry tools
Get ready to take your security investigation skills to the next level — I’ll see you in the course!