This curriculum covers the design and operationalization of core SOC functions across complex enterprise environments: threat intelligence integration, detection engineering, incident response, and governance. Its scope is comparable to a multi-phase internal capability build for cybercrime prevention.
Module 1: Threat Intelligence Integration and Operationalization
- Selecting and onboarding threat intelligence feeds based on relevance to industry-specific attack patterns and minimizing noise in alerting systems.
- Mapping external threat indicators (IOCs) to internal detection rules in SIEM platforms while accounting for false positive rates.
- Establishing automated enrichment pipelines for IOC validation using sandboxing and DNS reputation services.
- Defining retention policies for threat intelligence data to comply with data sovereignty laws and storage constraints.
- Coordinating with external ISACs and information-sharing partners while managing disclosure risk and legal boundaries.
- Implementing feedback loops from SOC analysts to refine intelligence prioritization and reduce analyst fatigue.
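The bullets above on feed selection, retention and analyst feedback describe a pipeline that is easiest to see end to end in code. The following is an added example written for this page, not code from the curriculum or any vendor: it applies an assumed retention policy per indicator type, drops indicators that fall under a constructed allowlist of benign infrastructure, matches the survivors against constructed DNS query logs (including subdomains, but not look-alike names), and turns analyst verdicts on earlier alerts into a per-feed precision scorecard that can drive feed prioritization. Feed names, retention periods, indicators, log lines and verdicts are all constructed.

```python
"""IOC onboarding with retention expiry, allowlist filtering and per-feed feedback.

Added example, not part of the curriculum. Feed names, retention periods,
indicators, DNS log lines and analyst verdicts are all constructed.
"""
from collections import defaultdict
from datetime import date, timedelta

# Assumed retention policy: days an indicator stays active after first_seen.
RETENTION_DAYS = {"domain": 90, "ipv4": 30, "sha256": 365}

# Known-benign infrastructure that feeds occasionally list by mistake;
# alerting on anything under these suffixes only produces noise (constructed).
ALLOWLIST_SUFFIXES = {"windowsupdate.com", "microsoft.com"}

# Constructed indicators as they might arrive from two feeds.
FEED_IOCS = [
    {"indicator": "evil-loader.example", "type": "domain", "feed": "vendor-a", "first_seen": "2024-05-20"},
    {"indicator": "old-c2.example", "type": "domain", "feed": "vendor-a", "first_seen": "2024-01-15"},
    {"indicator": "198.51.100.5", "type": "ipv4", "feed": "vendor-a", "first_seen": "2024-04-01"},
    {"indicator": "cdn.windowsupdate.com", "type": "domain", "feed": "feed-b", "first_seen": "2024-05-25"},
    {"indicator": "203.0.113.99", "type": "ipv4", "feed": "feed-b", "first_seen": "2024-05-15"},
    {"indicator": "shared-host.example", "type": "domain", "feed": "feed-b", "first_seen": "2024-05-28"},
]

# Constructed DNS query log: (host, queried name).
DNS_LOGS = [
    ("ws-01", "evil-loader.example"),
    ("ws-02", "beacon.evil-loader.example"),
    ("ws-03", "cdn.windowsupdate.com"),
    ("ws-04", "old-c2.example"),
    ("ws-05", "shared-host.example"),
    ("ws-06", "shared-host.example"),
    ("ws-07", "shared-host.example"),
    ("ws-08", "notevil-loader.example"),
]

# Constructed analyst verdicts on earlier alerts, keyed by (host, indicator).
ANALYST_VERDICTS = {
    ("ws-01", "evil-loader.example"): "tp",
    ("ws-02", "evil-loader.example"): "tp",
    ("ws-05", "shared-host.example"): "fp",
    ("ws-06", "shared-host.example"): "fp",
    ("ws-07", "shared-host.example"): "tp",
}


def _is_allowlisted(domain):
    return any(domain == s or domain.endswith("." + s) for s in ALLOWLIST_SUFFIXES)


def active_indicators(iocs, today_iso):
    """Apply the retention policy and the allowlist before anything reaches the SIEM."""
    today = date.fromisoformat(today_iso)
    kept = []
    for ioc in iocs:
        age = today - date.fromisoformat(ioc["first_seen"])
        if age > timedelta(days=RETENTION_DAYS[ioc["type"]]):
            continue  # expired: stale indicators mostly produce false positives
        if ioc["type"] == "domain" and _is_allowlisted(ioc["indicator"]):
            continue  # benign infrastructure mistakenly listed by the feed
        kept.append(ioc)
    return kept


def match_dns(logs, indicators):
    """Match DNS queries against domain indicators and their subdomains."""
    domains = {i["indicator"]: i for i in indicators if i["type"] == "domain"}
    hits = []
    for host, query in logs:
        for domain, ioc in domains.items():
            # Exact name or a subdomain; "notevil-loader.example" must not match.
            if query == domain or query.endswith("." + domain):
                hits.append({"host": host, "indicator": domain, "feed": ioc["feed"]})
    return hits


def feed_scorecard(hits, verdicts):
    """Per-feed precision from analyst verdicts, best feed first (the feedback loop)."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0})
    for h in hits:
        verdict = verdicts.get((h["host"], h["indicator"]))
        if verdict in ("tp", "fp"):
            counts[h["feed"]][verdict] += 1
    card = []
    for feed, c in counts.items():
        total = c["tp"] + c["fp"]
        card.append({"feed": feed, "alerts": total,
                     "precision": round(c["tp"] / total, 2) if total else 0.0})
    return sorted(card, key=lambda r: r["precision"], reverse=True)


if __name__ == "__main__":
    active = active_indicators(FEED_IOCS, "2024-06-01")
    for row in feed_scorecard(match_dns(DNS_LOGS, active), ANALYST_VERDICTS):
        print(row)
```

With the constructed data, two of the six indicators expire under the retention policy, one is dropped by the allowlist, and the scorecard ranks vendor-a (precision 1.0) above feed-b (0.33), which is exactly the signal the feedback loop in the last bullet is meant to produce.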
Module 2: Detection Engineering and Rule Development
- Writing Sigma rules (log-based detection) and YARA rules (file and memory scanning) that balance specificity against generality, catching novel variants of known tooling without excessive false alarms.
- Validating detection logic against historical logs to measure baseline effectiveness before deployment.
- Managing version control and peer review processes for detection rules using Git-based workflows.
- Adjusting detection thresholds based on environmental changes such as new software deployments or remote work expansions.
- Integrating behavioral analytics into detection rules to identify lateral movement and privilege escalation.
- Documenting detection rationale and expected alert volume for each rule to support SOC triage efficiency.
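The first two bullets of this module, balancing specificity against generality and validating against historical logs, are demonstrated below with an added example written for this page (not code from the curriculum or from the Sigma project). The rule dicts mirror the structure of a Sigma `detection` block, but the evaluator is a deliberately small subset of Sigma (exact, `contains`, `startswith` and `endswith` modifiers; `and`/`or`/`not` and parentheses in the condition). A broad rundll32 rule and a tuned one are both run over a constructed, analyst-labelled set of process-creation events, and the resulting alert volume, precision and recall are what the rationale documentation in the last bullet should record. The rule titles, field values, events and labels are all constructed.

```python
"""Sigma-style rule evaluation against labelled historical events.

Added example, not from the curriculum: the rule dicts mirror a Sigma
'detection' block, but the evaluator is a small subset of Sigma. Events and
their labels are constructed.
"""
import re

R32 = r"C:\Windows\System32\rundll32.exe"
HISTORICAL_EVENTS = [  # (Image, CommandLine, labelled malicious?) -- constructed
    (R32, 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication"', True),
    (R32, r"rundll32.exe C:\Users\Public\update.dll,DllMain", True),
    (R32, r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl", False),
    (R32, r"rundll32.exe C:\Windows\System32\shell32.dll,OpenAs_RunDLL C:\Users\alice\notes.txt", False),
    (R32, r"rundll32.exe printui.dll,PrintUIEntry /in /n \\printsrv\hr-01", False),
    (R32, r"rundll32.exe C:\Users\bob\AppData\Local\Temp\x.dll,Start", True),
    (r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Users\Public\evil.dll", True),
    (r"C:\Windows\explorer.exe", "explorer.exe", False),
    (R32, r"rundll32.exe shell32.dll,Control_RunDLL C:\Users\Public\payload.cpl", True),
]

RULE_BROAD = {
    "title": "Rundll32 execution (broad)",
    "detection": {"selection": {"Image|endswith": "\\rundll32.exe"}, "condition": "selection"},
}

RULE_TUNED = {
    "title": "Rundll32 with script protocol or user-writable DLL path",
    "detection": {
        "selection": {"Image|endswith": "\\rundll32.exe"},
        "suspicious": {"CommandLine|contains": [
            "javascript:", "vbscript:", "\\Users\\Public\\", "\\AppData\\Local\\Temp\\"]},
        # Control-panel invocations are common and otherwise trip the Public-path check.
        "filter_cpl": {"CommandLine|contains": "shell32.dll,Control_RunDLL"},
        "condition": "selection and suspicious and not filter_cpl",
    },
}

# Value modifiers; matching is case-insensitive, as in Sigma.
MODIFIERS = {
    "": lambda value, c: value == c,
    "contains": lambda value, c: c in value,
    "startswith": str.startswith,
    "endswith": str.endswith,
}

def _field_matches(event, field_spec, expected):
    """One field with an optional modifier; a list of values is OR-ed."""
    field, _, modifier = field_spec.partition("|")
    if field not in event:
        return False
    value = str(event[field]).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    return any(MODIFIERS[modifier](value, str(c).lower()) for c in candidates)

def _eval_condition(condition, results):
    """Recursive-descent evaluation of e.g. 'a and (b or not c)'; 'and' binds tighter."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = 0

    def term():
        nonlocal pos
        token, pos = tokens[pos], pos + 1
        if token == "not":
            return not term()
        if token == "(":
            value = disjunction()
            pos += 1  # closing parenthesis
            return value
        return results[token]

    def conjunction():
        nonlocal pos
        value = term()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            right = term()  # always parsed, so tokens are consumed even if value is False
            value = value and right
        return value

    def disjunction():
        nonlocal pos
        value = conjunction()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            right = conjunction()
            value = value or right
        return value

    return disjunction()

def rule_matches(rule, event):
    detection = rule["detection"]
    results = {name: all(_field_matches(event, f, v) for f, v in sel.items())
               for name, sel in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], results)

def baseline(rule, labelled_events):
    """Alert volume, precision and recall of one rule over labelled history."""
    tp = fp = fn = 0
    for image, cmdline, malicious in labelled_events:
        hit = rule_matches(rule, {"Image": image, "CommandLine": cmdline})
        if hit and malicious:
            tp += 1
        elif hit:
            fp += 1
        elif malicious:
            fn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"alerts": tp + fp, "tp": tp, "fp": fp, "fn": fn,
            "precision": round(precision, 2), "recall": round(recall, 2)}
```

Running `baseline(RULE_BROAD, HISTORICAL_EVENTS)` and `baseline(RULE_TUNED, HISTORICAL_EVENTS)` shows the trade-off concretely: the broad rule fires 7 times with 3 false positives (precision 0.57, recall 0.8), while the tuned rule fires 3 times with no false positives (precision 1.0) but its control-panel filter also suppresses the malicious `.cpl` in the last event, and neither rule sees the regsvr32 case (recall 0.6). Both numbers and the reason for the filter belong in the rule's documented rationale.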
Module 3: Incident Response Playbook Design and Execution
- Developing playbooks for ransomware, phishing, and insider threat scenarios with clear escalation paths and role assignments.
- Validating playbook effectiveness through tabletop exercises involving cross-functional teams.
- Integrating automated response actions (e.g., endpoint isolation) into playbooks while defining approval thresholds.
- Updating playbooks based on post-incident reviews and changes in adversary tactics.
- Ensuring playbook accessibility during network outages via offline documentation and mobile access.
- Aligning playbook steps with legal and compliance requirements for data handling and breach notification.
Module 4: SIEM Architecture and Log Management
- Designing log source onboarding workflows that include parsing validation and normalization checks.
- Optimizing event filtering at collection points to reduce SIEM licensing costs without losing forensic value.
- Implementing log retention tiers based on data sensitivity, regulatory requirements, and storage budgets.
- Configuring correlation rules to minimize alert storms during large-scale scanning events.
- Securing SIEM administrative access with multi-factor authentication and just-in-time privilege elevation.
- Monitoring SIEM health metrics such as parser failure rates and data ingestion latency.
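The correlation bullet above (minimizing alert storms during large-scale scanning) is shown below as an added example written for this page, not code from the curriculum or from any SIEM product. A correlator holds each source's events for a short window; once a source has touched a threshold of distinct destination (host, port) pairs inside that window it emits a single summary alert and folds every further event from that source into it for a cooldown period, after which a continuing scanner produces a fresh summary. Events that never reach the threshold are released unchanged as individual alerts, so forensic value is preserved. The window, threshold and cooldown values are assumed, and the event stream is constructed.

```python
"""Collapsing a port-scan alert storm into one summary alert per source.

Added example, not from the curriculum. Window, threshold and cooldown values
are assumed; the event stream is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: float   # seconds since start of capture (constructed)
    src: str
    dst: str
    dport: int


def _individual(e):
    return {"type": "single", "src": e.src, "dst": e.dst, "dport": e.dport, "ts": e.ts}


def correlate(events, window=60.0, scan_threshold=10, cooldown=300.0):
    """Hold each source's events for `window` seconds. If a source reaches
    `scan_threshold` distinct (dst, port) targets inside the window, emit one
    summary and fold further events into it until `cooldown` has elapsed.
    Events that never reach the threshold are released as individual alerts."""
    pending = defaultdict(list)    # src -> held events still inside the window
    suppressed_until = {}          # src -> timestamp until which events are folded
    summaries = {}                 # src -> the currently open summary alert
    out = []

    def release_expired(now):
        for src in list(pending):
            buf = pending[src]
            out.extend(_individual(e) for e in buf if now - e.ts > window)
            pending[src] = [e for e in buf if now - e.ts <= window]

    for e in sorted(events, key=lambda x: x.ts):
        release_expired(e.ts)
        if e.ts < suppressed_until.get(e.src, -1.0):
            s = summaries[e.src]          # storm already summarised: update counters only
            s["events"] += 1
            s["last_ts"] = e.ts
            s["targets"].add((e.dst, e.dport))
            continue
        pending[e.src].append(e)
        targets = {(x.dst, x.dport) for x in pending[e.src]}
        if len(targets) >= scan_threshold:
            summary = {"type": "scan_summary", "src": e.src,
                       "first_ts": pending[e.src][0].ts, "last_ts": e.ts,
                       "events": len(pending[e.src]), "targets": targets}
            out.append(summary)
            summaries[e.src] = summary
            suppressed_until[e.src] = e.ts + cooldown
            pending[e.src] = []        # these events are now represented by the summary
    for buf in pending.values():       # end of stream: release whatever is still held
        out.extend(_individual(e) for e in buf)
    return out


def constructed_events():
    """Deterministic stream (constructed): a scanner sweeping ports in two bursts,
    an admin SSH session and a workstation touching three ports."""
    ev = [Event(0.5 * i, "203.0.113.7", "10.0.0.5", 1 + i) for i in range(200)]
    ev += [Event(400 + 0.5 * i, "203.0.113.7", "10.0.0.5", 1001 + i) for i in range(40)]
    ev += [Event(10.0, "10.0.0.42", "10.0.0.5", 22), Event(450.0, "10.0.0.42", "10.0.0.5", 22)]
    ev += [Event(20.0 + 5 * i, "10.0.0.9", "10.0.0.5", p) for i, p in enumerate((80, 443, 8080))]
    return ev


if __name__ == "__main__":
    for alert in correlate(constructed_events()):
        print(alert["type"], alert["src"], alert.get("events", 1))
```

On the constructed stream, 245 raw events become 7 alerts: two scan summaries for the scanner (200 and 40 events, the second because the cooldown had expired) and five individual alerts for the admin and the workstation. Raising `scan_threshold` above any realistic value makes the same function pass all 245 events through untouched, which is the property to verify before deploying such a rule.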
Module 5: Endpoint Detection and Response (EDR) Integration
- Selecting EDR telemetry levels that provide sufficient visibility without overwhelming network bandwidth.
- Configuring EDR sensors to enforce containment policies during suspected compromise events.
- Correlating EDR alerts with network and identity data to reduce false positives from benign tool usage.
- Managing EDR agent updates across global endpoints with staggered rollout schedules.
- Defining forensic data collection scope during investigations to preserve chain of custody.
- Establishing thresholds for automated response actions to prevent disruption of critical systems.
Module 6: Identity and Access Monitoring in the SOC
- Integrating identity provider logs (e.g., Microsoft Entra ID, formerly Azure AD; Okta) into the SIEM for anomaly detection.
- Creating detection rules for impossible travel, bulk file access, and privilege escalation via group membership changes.
- Responding to alerts involving service accounts with elevated permissions and non-human identities.
- Coordinating with IAM teams to validate deprovisioning of terminated employee accounts.
- Monitoring for suspicious MFA bypass attempts and token theft indicators.
- Handling alerts involving executive accounts with additional approval steps and communication protocols.
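The impossible-travel rule named in this module is worth seeing with its usual caveats applied. The following is an added example written for this page, not code from the curriculum or from any identity provider: it compares each successful sign-in with the same user's previous successful one, computes the great-circle distance from a constructed GeoIP table, and alerts when the implied speed exceeds an assumed ceiling. Failed attempts are ignored (the attacker's location says nothing about the user's), sign-ins from an assumed corporate VPN egress are skipped because their geolocation is the data centre, short hops are ignored because city-level GeoIP is imprecise, and two successes at the same instant from distant places are treated as infinite speed rather than a division error. The GeoIP table, VPN egress address, threshold values and sign-in records are all constructed.

```python
"""Impossible-travel detection over identity-provider sign-in logs.

Added example, not from the curriculum. The GeoIP table, the VPN egress
allowlist, the speed ceiling and the sign-in records are constructed/assumed.
"""
import math
from datetime import datetime, timezone

# Constructed GeoIP lookup: ip -> (latitude, longitude, label).
GEOIP = {
    "198.51.100.10": (40.7128, -74.0060, "New York"),
    "203.0.113.50": (52.5200, 13.4050, "Berlin"),
    "203.0.113.80": (51.5074, -0.1278, "London"),
    "203.0.113.90": (48.8566, 2.3522, "Paris"),
}
# Assumed corporate VPN egress; its geolocation is the data centre, not the user.
VPN_EGRESS = {"192.0.2.77"}

# Constructed sign-in records: (user, UTC timestamp, source IP, result).
SIGNINS = [
    ("alice", "2024-05-01T08:00:00Z", "198.51.100.10", "success"),
    ("alice", "2024-05-01T09:30:00Z", "203.0.113.50", "success"),
    ("bob", "2024-05-01T08:00:00Z", "203.0.113.80", "success"),
    ("bob", "2024-05-01T12:00:00Z", "203.0.113.90", "success"),
    ("carol", "2024-05-01T08:00:00Z", "198.51.100.10", "success"),
    ("carol", "2024-05-01T08:05:00Z", "192.0.2.77", "success"),
    ("carol", "2024-05-01T08:10:00Z", "203.0.113.50", "failure"),
    ("carol", "2024-05-01T10:00:00Z", "198.51.100.10", "success"),
    ("eve", "2024-05-01T08:00:00Z", "198.51.100.10", "success"),
    ("eve", "2024-05-01T08:00:00Z", "203.0.113.50", "success"),
]


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_impossible_travel(signins, max_speed_kmh=900.0, min_distance_km=100.0):
    """Compare each successful sign-in with the user's previous successful one.
    Failures and VPN-egress sign-ins are skipped; distances below
    min_distance_km are ignored because city-level GeoIP is imprecise."""
    alerts = []
    last = {}   # user -> (datetime, ip, geo tuple)
    for user, ts, ip, result in sorted(signins, key=lambda r: (r[0], r[1])):
        if result != "success" or ip in VPN_EGRESS or ip not in GEOIP:
            continue
        when, here = _parse(ts), GEOIP[ip]
        if user in last:
            prev_when, prev_ip, there = last[user]
            distance = haversine_km(there[:2], here[:2])
            hours = (when - prev_when).total_seconds() / 3600
            # Two successes at the same instant: infinite speed, not a ZeroDivisionError.
            speed = math.inf if hours == 0 else distance / hours
            if distance >= min_distance_km and speed > max_speed_kmh:
                alerts.append({"user": user, "from": (prev_ip, there[2]), "to": (ip, here[2]),
                               "km": round(distance), "minutes": round(hours * 60), "kmh": speed})
        last[user] = (when, ip, here)
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(SIGNINS):
        print(alert)
```

With the constructed records only alice (New York to Berlin in 90 minutes) and eve (simultaneous sign-ins from both) are flagged; bob's London to Paris trip in four hours and carol's VPN and failed sign-ins produce nothing. In production the GeoIP lookup, the VPN egress list and the ceiling would come from the organisation's own data, and executive accounts would route to the additional approval steps the last bullet describes.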
Module 7: Threat Hunting Methodology and Execution
- Planning hypothesis-driven hunts based on emerging threat actor TTPs from recent intelligence reports.
- Using ATT&CK framework mappings to guide data collection and analysis scope.
- Executing queries across EDR, SIEM, and DNS logs to identify stealthy persistence mechanisms.
- Documenting hunting findings with reproducible steps and evidence for peer validation.
- Integrating hunting outcomes into detection engineering to close identified coverage gaps.
- Allocating dedicated hunting time within analyst shifts without degrading real-time monitoring duties.
Module 8: SOC Governance, Metrics, and Continuous Improvement
- Defining KPIs such as mean time to detect (MTTD) and mean time to respond (MTTR) with accurate baseline measurements.
- Conducting quarterly detection coverage assessments against the MITRE ATT&CK matrix.
- Managing analyst workload through shift rotation planning and burnout prevention protocols.
- Reporting security event trends and control effectiveness to executive leadership using concise dashboards.
- Updating SOC policies in response to audit findings, regulatory changes, or major incidents.
- Integrating feedback from red team exercises into detection tuning and response process refinement.