What is a Security Operations Center (SOC)?

SOC roles and responsibilities (Analyst tiers, Team Leads, Incident Responders)

SOC maturity models (Level 1 to Level 4)

SOC workflow: Detect → Analyze → Respond → Recover

Types of SOC: In-house, MSSP, Hybrid

Tour of a SOC environment (video-based walkthrough included in lecture recording)

SIEM: Purpose, components, and architecture

Log sources: Firewalls, endpoints, IDS/IPS, cloud services

Endpoint Detection and Response (EDR)

Threat intelligence platforms (TIPs)

SOAR: Automation and orchestration in SOCs

Data pipelines and retention policies

Understanding log types: Syslog, NetFlow, Windows Event Logs, DNS logs

Parsing, normalization, and enrichment

Event correlation techniques

Alerting and tuning: Avoiding false positives

Time synchronization, log integrity, and secure storage

MITRE ATT&CK for SOC use

Indicators of Compromise (IoC) vs Indicators of Attack (IoA)

Use case development for detection

Basic alert triage: Steps, priorities, and escalation

Case Study Assignment

The SOC playbook lifecycle

Phases of incident response (NIST Framework)

Ticketing systems and workflow management

Incident escalation and communication protocols

Retrospective: Root cause analysis and lessons learned

Key SOC performance indicators (MTTD, MTTR, alert-to-ticket ratio)

Report generation for different audiences (executive vs technical)

Compliance basics (SOC 2, ISO 27001, HIPAA, etc.)

Role of SOC in audits and internal reviews

Practical 1: Log Triage and Alert Investigation

Practical 2: Threat Hunting Challenge

Analyst levels and career roadmap (SOC Tier 1 - 3, Threat Hunter, IR Lead)

Overview of tools used in the field: Splunk, ELK, Wazuh, AlienVault, CrowdStrike, SentinelOne

Certifications to pursue: CompTIA Security+, CySA+, GCIH, GCIA, etc.

Building a home lab and practicing with open-source tools

Final Assessment