jhaaaryan/letsdefend-soc-blue-team-investigations

GitHub: jhaaaryan/letsdefend-soc-blue-team-investigations


# letsdefend-soc-blue-team-investigations

Hands-on SOC analyst investigation labs focused on phishing analysis, endpoint monitoring, malware triage, and web attack investigations using Splunk, Wazuh, Wireshark, Linux, and MITRE ATT&CK mapping.

# Overview

This repository contains structured SOC investigation notes and recreated analyst workflows based on practical cybersecurity labs and blue-team exercises.

The investigations focus on:

* phishing detection and triage
* endpoint monitoring and alert analysis
* suspicious PowerShell activity
* web traffic inspection
* IOC extraction
* MITRE ATT&CK mapping
* detection engineering fundamentals

# Skills Demonstrated

* SIEM investigation
* Log analysis
* IOC extraction
* Splunk searches
* Wazuh alert triage
* Wireshark packet inspection
* MITRE ATT&CK mapping
* Threat investigation documentation
* Security operations workflows

# Tools Used

* Splunk
* Wazuh
* Wireshark
* Linux
* PowerShell
* MITRE ATT&CK
* VirusTotal
* OSQuery

# Repository Structure

`01-phishing-investigation/`

* phishing alert analysis
* IOC extraction
* Splunk searches
* attack timelines

`02-endpoint-activity/`

* endpoint triage notes
* Wazuh investigations
* suspicious process analysis

`03-web-attack/`

* network traffic inspection
* PCAP investigation notes
* HTTP/DNS analysis

`04-mitre-mapping.md`

* ATT&CK technique mapping

# Important Note

The original training environments were hosted online through cybersecurity learning platforms. Some screenshots and exports were unavailable after lab completion.

This repository contains:

* recreated investigation documentation
* personal analyst notes
* recreated IOC examples
* synthetic investigation artifacts for educational purposes

# MITRE ATT&CK Examples

| Technique           | ID        |
| ------------------- | --------- |
| Phishing            | T1566     |
| PowerShell          | T1059.001 |
| Command and Control | T1071     |
| Registry Run Keys   | T1547.001 |

# Certifications / Badges

See:

* badges-and-certificates/

# License

MIT License