GitHub: alidakwar/SOC-Analyst-Investigation-Writeups
Stars: 0 | Forks: 0
# SOC Analyst Investigation Writeups
## Overview
This repository contains documented investigations, alert triage exercises, and hands-on blue team labs completed through the LetsDefend SOC training platform.
The project focuses on practical Security Operations Center (SOC) workflows including alert analysis, phishing investigations, malware analysis, network traffic inspection, SIEM-based detection, and incident response procedures within a simulated enterprise environment.
To date, this repository reflects:
- 60+ completed SOC investigation labs
- 75+ completed security alert investigations
- Continuous blue team skill development through realistic SOC simulations
The goal of this repository is to document investigation methodology, analytical reasoning, and technical findings while strengthening practical defensive security skills aligned with real-world SOC operations.
## Areas of Focus
### Security Operations & Incident Response
- Alert triage and escalation
- Security event correlation
- Incident investigation workflows
- Threat validation and classification
- False positive analysis
- IOC identification and enrichment
### Threat Detection & Analysis
- Phishing email investigations
- Malware execution analysis
- Suspicious PowerShell activity
- Brute-force detection
- Web attack investigations
- Network anomaly analysis
- Endpoint activity review
### Defensive Security Concepts
- SIEM investigations
- MITRE ATT&CK mapping
- Cyber Kill Chain analysis
- Threat intelligence usage
- Log analysis and event interpretation
- Detection engineering fundamentals
## Technologies & Tools Used
- SIEM platforms
- EDR telemetry
- Windows Event Logs
- Wireshark
- VirusTotal
- CyberChef
- DNS / WHOIS analysis tools
- Network log analysis
- MITRE ATT&CK Framework
- Splunk fundamentals
- Malware analysis tooling
## Investigation Topics Covered
This repository includes investigations and labs related to:
- Phishing campaigns
- Malicious document activity
- Credential attacks
- Malware infections
- Web application attacks
- Command and scripting abuse
- Lateral movement indicators
- Suspicious authentication events
- Network-based attacks
- Threat intelligence analysis
## Investigation Methodology
1. Review and validate the alert
2. Analyze related logs and telemetry
3. Investigate hosts, users, IPs, domains, and hashes
4. Identify malicious indicators and attacker behavior
5. Map findings to MITRE ATT&CK techniques
6. Determine incident severity and impact
7. Document remediation recommendations and conclusions
## MITRE ATT&CK Integration
Where applicable, investigations are mapped to relevant MITRE ATT&CK tactics and techniques to improve threat classification and adversary behavior analysis.
Examples include:
- T1059 — Command and Scripting Interpreter
- T1566 — Phishing
- T1110 — Brute Force
- T1071 — Application Layer Protocol
- T1204 — User Execution