This document provides a structured overview of how a Security Operations Center (SOC) functions, the tools it relies on, and the responsibilities of SOC analysts across different levels. It is designed as a foundational study resource for understanding detection, response, automation, and continuous improvement within modern blue team environments.

The content focuses on practical SOC operations, clearly defining core technologies such as SIEM and EDR, outlining analyst roles, and explaining incident response frameworks and workflows exactly as they are used in operational settings.

Download SOC Analyst Study Notes here ⬇️

Soc Analyst Notes

1.23MB ∙ PDF file

Download

Download

Who this document is for

• Individuals preparing for SOC analyst roles

• Entry-level and junior SOC analysts

• Blue team practitioners revisiting fundamentals

• Students studying SIEM, EDR, and incident response concepts

• Professionals seeking a structured overview of SOC operations

The material progresses logically from foundational concepts to response and hands-on practice.

First Time Seeing This? Please Subscribe

SOC Analyst Essentials

This chapter introduces key concepts used in SOC environments by defining SIM, SEM, and SIEM.

• SIM (Security Information Management) focuses on long-term storage, analysis, and reporting of security data, supporting compliance, forensics, and historical analysis.

• SEM (Security Event Management) focuses on real-time monitoring, correlation, and alerting of security events to support rapid detection and response.

• SIEM (Security Information and Event Management) combines both capabilities, providing centralized collection, real-time monitoring, historical analysis, compliance management, and incident response.

This chapter establishes the conceptual foundation required to understand how SOC tooling supports security operations

Functions of SIEM

This chapter outlines the core functionalities provided by SIEM systems, detailing how security data is processed and analyzed.

Key SIEM functions covered include:

• Log collection and aggregation

• Rule-based alerting

• Artificial intelligence–assisted detection

• Parsing and normalization of log data

• Categorization and enrichment

• Indexing and secure storage for compliance and analysis

The focus is on how SIEM enables visibility, detection, and response across an organization’s environment

Roles and Responsibilities of SOC Analysts

This chapter defines the Security Operations Center (SOC) as a centralized unit responsible for monitoring, detecting, and responding to cybersecurity threats.

Core SOC functions include:

• Threat monitoring

• Alert investigation

• Incident response

The chapter then outlines analyst responsibilities by level:

• L1 SOC Analysts handle alert triage, act as the first line of defense, identify anomalies, manage whitelist requests, and perform preliminary investigations.

• L2 SOC Analysts monitor alerts, conduct threat hunting, mentor junior analysts, approve whitelists, and manage escalated investigations.

• L3 SOC Analysts focus on client onboarding, incident management, reporting, documentation, and stakeholder communication.

The chapter also lists technologies used within SOC environments, including SIEM, EDR, TIP, SOAR, MDR services, ticketing systems, DLP, network security tools, vulnerability management, cloud tools, and IAM/PAM

Endpoint Detection and Response (EDR)

This chapter explains EDR architecture and functionality.

The architecture includes:

• Endpoints such as computers, servers, and mobile devices

• A central server that collects and processes endpoint data

• A web-based GUI for analyst access

• Integration with threat intelligence sources

Key EDR functions described include:

• Real-time continuous monitoring

• Endpoint data collection

• Signature-less, behavior-based detection

• Rules-based automated response

The chapter also details the types of data collected by EDR, such as network connections, process execution, registry modifications, currently running processes, and cross-process events. It highlights EDR benefits including prompt threat response, reduced breach risk, broader data collection, and improved compliance.

Incident Response Frameworks and Automation Techniques

This chapter focuses on the role of automation in incident management.

Automation use cases covered include:

• Incident triage

• Data enrichment

• Threat intelligence gathering

• Validation across detection tools

• False positive closure

• Email notifications

• Blocking suspicious IP addresses

• Administrator alerts

The chapter explains two incident response frameworks:

• NIST Incident Response Framework, covering preparation, detection and analysis, containment, eradication and recovery, and post-incident activity

• SANS Incident Response Framework, covering preparation, identification, containment, eradication, and recovery

It also details eradication and recovery processes, including artifact removal, vulnerability patching, configuration updates, system restoration, monitoring, documentation, and reinfection prevention

Lessons Learned

This section emphasizes post-incident review as a critical step for improvement.

Practices covered include:

• Incident review meetings

• Analysis using the 5W+H method (Who, What, When, Where, Why, How)

• Defining a way forward

• Maintaining thorough documentation for future reference

The goal is to ensure continuous improvement in response readiness and effectiveness

Practice Websites for Blue Team Labs

The final chapter lists platforms and tools for hands-on blue team practice.

Practice resources include:

• CyberDefenders

• Blue Team Level 1

• LetsDefend

Tools referenced for skill development include:

• Network security tools: Netcat, Nmap, tcpdump

• Malware analysis tools: VirusTotal, ANY.RUN, Ghidra

This chapter reinforces the importance of practical experience in developing SOC skills

If you find this material useful, subscribe to CyberMaterial’s Substack for daily cybersecurity briefings, practical insights, and structured learning resources.