3 days, 10:00 – 16:00

SOC Analyst

Learn how to monitor for IS incidents, detect threats, eliminate false positives, and perform initial incident response.

About the course

SOC teams are the first responders of the cybersecurity community. Their role is to quickly determine whether an incident is a false positive or needs to be escalated. They do this with lightning efficiency thanks to their knowledge of the fundamentals of the incident response and remediation processes, including threat hunting, network forensics, and malware detonation. This comprehensive knowledge base is invaluable when handling an emergency.

SOC teams also possess an intimate knowledge of the threat landscape, which they monitor and from which they collect valuable information and indicators of compromise. By keeping up to date with the latest trends, SOC analysts help companies handle passive and active threats quicker and more effectively.

The three-day SOC Analyst course addresses each of the above-mentioned functions of a SOC worker.

Course description:

The course is broken up into three days. The lessons cover a vast array of topics, including the basics of incident response and SOC operations, IoC categorization, hypothesis generation, network forensics, and malware analysis. Each day will include hands-on practice of each new skill learned.

The course is designed for newcomers to the field, but experienced professionals are likely to benefit from the structure it provides to existing skills and knowledge. You may be surprised at how much you’ll learn.

Day 1

Day 1 will start with a short introduction to current cybersecurity trends, which will give you an understanding of what kind of threat landscape you’ll be jumping into. Next, we’ll explain how a security operations center is structured, what functions it performs, and how it cooperates with other information security departments. We’ll show you the best practices applied by high-performance SOCs and lay out the metrics and requirements you need to set to maximize SOC efficiency (e.g. time frames for response and escalation, dwell time).

Since SOC analysts serve as the first line of defense in a security incident, we’ll explain the basic principles of incident handling, including how to evaluate the severity of incidents and identify false positives. The instructors will give you the tools and methods needed for data collection, and show you how to distinguish between good and bad indicators of compromise (IoCs).

Finally, we’ll touch upon threat hunting and how it’s relevant — and important — for SOCs. You’ll be taught how to apply the scientific method (i.e. hypothesis testing) in threat hunting and which sources of events to search for (i.e. where you find additional information in the system to aid in your hunt).

The day will end with our Hypogame, during which you’ll create your own hypotheses and test them together with your peers and instructor.

Day 2

Another key to being a successful SOC analyst is a base knowledge of network forensics. You will receive basic information about fundamental network protocols, their fields, their working principles, and how they can be used during attacks. The instructor will explain the features of the traffic collection and analysis process, and how to search for, extract, and analyze artifacts from network traffic. You will then complete exercises in which you analyze network traffic dumps.

The last part of the day will be spent learning the basic principles of intrusion detection systems using Suricata and how to write rules for Suricata and similar systems.

Day 3

The more angles you consider when analyzing a security incident, the better you’ll be able to understand its severity and scope. To this end, you’ll need to know the basics of searching for and analyzing artifacts at the host level. This is how Day 3 will start. You’ll learn the main sources of artifacts and how to perform an express analysis of Windows-based systems.

We will then take things one step further and you’ll be introduced to sandboxes and how to use them to detect malicious activity. You will learn the basics of malware detonation and practice launching malware in a controlled environment to obtain IoCs. The instructor will also give recommendations on how to extract helpful IoCs from sandbox reports.

Attackers are becoming increasingly clever and are always coming up with new ways of bypassing sandboxes and other technologies. To help you stay one step ahead of them, our course will go over the most common methods used by attackers to bypass sandboxes.

To successfully pass the course, participants should have basic programming skills and a knowledge of assembly language.

After this course, you’ll be able to:

  • Monitor all solutions to ensure that the organization is secure
  • Quickly assess security incidents and determine whether they should be flagged to the IR team or marked as a false positive

Who can benefit from this course?

  • Specialists who monitor for cyber threats
  • Technical specialists with IS experience
  • CISOs and heads of IT teams
  • SOC/CERT analysts

What you’ll receive

Lecture videos and practical materials used during training

Personal certificate of completion

Valuable information that you can put into practice

Insight on malware analysis and how it can fit in IS practices

Why Group-IB?

Experience in international investigations

Our training courses are based on 1300+ successful investigations worldwide.

Technical expertise

All courses are led by GCFA-, EnCE- and MCFE-certified experts.

Practicing experts

The course instructors are current Group-IB specialists, which translates to the most up-to-date and first-hand information for course participants.

Stimulating practical training

Practical exercises based on real-life cases make up 70% of the course.

Continuously updated program

Course materials are regularly updated with new cases from Group-IB’s experience, which ensures that the course program always reflects the latest trends.

Comprehensive development

Group-IB’s training courses provide a wide range of competencies for creating an effective information security department in any company.

Individual learning approach

Send us a request for an individual consultation on Group-IB technical training courses
