Day 12 – Blue Team Response (Incident Response for SOC Analysts)

Yesterday (Day 11) we simulated a full attack chain.
Today students will learn how SOC teams respond to real threats.

This is the transition from detection → response.


🛡️ 1. What Is Blue Team Response? (Simple Explanation)

Blue Team Response = what SOC analysts do after detecting an attack.

It includes:

  1. Confirm the attack
  2. Investigate
  3. Contain the attacker
  4. Block IP or user
  5. Remove threat
  6. Recover system
  7. Write incident report

This is the real SOC workflow.


🧠 2. Incident Response Lifecycle (Very Easy)

1️⃣ Detection

Find the alert in Splunk.

2️⃣ Analysis

Confirm whether the alert is real: check the logs, source IP, user, and MITRE ATT&CK stage.

3️⃣ Containment

Stop the attack quickly:

  • Disable user
  • Block IP
  • Stop service
  • Quarantine machine

4️⃣ Eradication

Remove malware, delete new backdoor accounts.

5️⃣ Recovery

Restore system safely.

6️⃣ Lessons Learned

Document everything.

This lifecycle is followed by SOC leads, the IR team, and forensics.


🔍 3. Example Scenario for Students

Attacker brute-forces a user → logs in → creates new admin account.

SOC Analyst must:

Step 1 – Validate alert

Check:

index=* EventCode=4625
index=* EventCode=4624
index=* EventCode=4672
index=* EventCode=4720

Step 2 – Confirm attacker IP

index=* EventCode=4625 | stats count by IpAddress | sort -count

Step 3 – Check if attacker created persistence

index=* EventCode=4720 OR EventCode=4732

Step 4 – Containment

SOC should:

✔ Disable the user
✔ Block attacker IP
✔ Disconnect machine
✔ End remote RDP sessions

Step 5 – Eradication

Check:

index=* "EncodedCommand"
index=* sourcetype="WinEventLog:System" EventCode=7045

Remove backdoors.


🔥 4. SOC Response Actions (Simple for Beginners)

🟥 Block IP

Firewalls, WAFs, proxies.

🟧 Disable user account

Windows AD / Azure AD:

  • Force a password reset
  • Disable account
  • Remove from admin group

🟨 Isolate machine

EDR tools:

  • CrowdStrike
  • Defender for Endpoint
  • SentinelOne

🟩 Kill malicious processes

PowerShell or EDR.

🟦 Remove persistence

Delete:

  • Scheduled tasks
  • New local users
  • Malicious services

🟪 Document everything

SOC ticketing:

  • Jira
  • ServiceNow
  • FreshService

📊 5. Practical SOC Response Lab for Students

Task 1 — Identify brute-force attack

index=* EventCode=4625

Task 2 — Identify successful login

index=* EventCode=4624

Task 3 — Identify admin privilege escalation

index=* EventCode=4672

Task 4 — Identify persistence

index=* EventCode=4720 OR EventCode=4732

Task 5 — Write “SOC Response Plan”

Students must prepare:

  • What to block
  • What to disable
  • What to investigate
  • How to contain
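The scenario in section 3, the response actions in section 4, and Tasks 1 to 5 above are the same chain of checks, so here they are run end to end in Python as one added example (this is not code from the original post). It correlates a constructed sample of Windows events the way the Splunk searches do: count 4625 by IpAddress, find the 4624 from the same source, confirm 4672 for that user, look for 4720/4732 persistence by that user, and pull 7045 service installs from the System log. The field names (EventCode, IpAddress, TargetUserName, SubjectUserName, MemberName, ServiceName, ImagePath) follow the Splunk Windows add-on, the brute-force threshold of 10 failures and every IP, host and account value are assumptions made up for the example, and the final function goes one step beyond the post by turning the findings into the "SOC Response Plan" structure (block / disable / isolate / investigate / remove / MITRE mapping) that Task 5 and the homework ask for.

```python
# Added example, not code from the original post. Constructed sample events
# with made-up values; field names follow the Splunk Windows add-on.
from collections import Counter


def sec(time, code, **fields):
    """Build one constructed Security-log event record (assumed host WS01)."""
    return {"_time": time, "EventCode": code, "host": "WS01",
            "sourcetype": "WinEventLog:Security", **fields}


# Constructed sample: a 4625 burst from one source, a legitimate admin mistyping
# twice, then 4624 -> 4672 -> 4720/4732 -> 7045 from the attacker's session.
EVENTS = [sec(f"10:00:{i:02d}", 4625, IpAddress="203.0.113.7", TargetUserName="jsmith")
          for i in range(30)]
EVENTS += [
    sec("10:00:05", 4625, IpAddress="10.0.0.25", TargetUserName="admin"),
    sec("10:00:09", 4625, IpAddress="10.0.0.25", TargetUserName="admin"),
    sec("10:01:10", 4624, IpAddress="203.0.113.7", TargetUserName="jsmith", LogonType=10),
    sec("10:01:11", 4672, SubjectUserName="jsmith"),
    sec("10:03:00", 4720, SubjectUserName="jsmith", TargetUserName="svc_backup"),
    sec("10:03:05", 4732, SubjectUserName="jsmith", MemberName="svc_backup",
        TargetUserName="Administrators"),
    # 7045 (new service installed) is written to the System log, not Security.
    {"_time": "10:04:00", "EventCode": 7045, "host": "WS01",
     "sourcetype": "WinEventLog:System", "ServiceName": "UpdaterSvc",
     "ImagePath": "powershell.exe -EncodedCommand SQBFAFgA"},
]


def brute_force_sources(events, threshold=10):
    """Task 1: EventCode=4625 | stats count by IpAddress, kept above a threshold."""
    counts = Counter(e["IpAddress"] for e in events if e["EventCode"] == 4625)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def successful_logons_from(events, ips):
    """Task 2: 4624 logons whose source IP also produced the 4625 burst."""
    return [(e["IpAddress"], e["TargetUserName"], e["host"])
            for e in events if e["EventCode"] == 4624 and e["IpAddress"] in ips]


def privileged_logons(events, users):
    """Task 3: 4672 (special privileges assigned) for the compromised users."""
    return sorted({e["SubjectUserName"] for e in events
                   if e["EventCode"] == 4672 and e["SubjectUserName"] in users})


def persistence_by(events, users):
    """Task 4: 4720 (account created) and 4732 (added to a local group)
    performed by one of the compromised users."""
    found = []
    for e in events:
        if e.get("SubjectUserName") not in users:
            continue
        if e["EventCode"] == 4720:
            found.append({"type": "new_account", "account": e["TargetUserName"]})
        elif e["EventCode"] == 4732:
            found.append({"type": "group_add", "account": e["MemberName"],
                          "group": e["TargetUserName"]})
    return found


def service_installs(events):
    """Step 5: 7045 from the System log, flagging encoded PowerShell in ImagePath."""
    return [{"service": e["ServiceName"],
             "encoded_powershell": "-EncodedCommand" in e["ImagePath"]}
            for e in events
            if e["EventCode"] == 7045 and e["sourcetype"] == "WinEventLog:System"]


def build_response_plan(events, threshold=10):
    """Task 5: chain the checks into the SOC Response Plan the lab asks for."""
    sources = brute_force_sources(events, threshold)
    logons = successful_logons_from(events, sources)
    users = {u for _, u, _ in logons}
    hosts = {h for _, _, h in logons}
    persistence = persistence_by(events, users)
    services = service_installs(events)
    new_accounts = {p["account"] for p in persistence if p["type"] == "new_account"}
    mitre = ["T1110 Brute Force"]
    if logons:
        mitre.append("T1078 Valid Accounts")
    if new_accounts:
        mitre.append("T1136.001 Create Account: Local Account")
    if services:
        mitre.append("T1543.003 Create or Modify System Process: Windows Service")
    return {
        "block": sorted(sources),                     # firewall / WAF / proxy
        "disable": sorted(users | new_accounts),      # AD: disable + reset
        "isolate": sorted(hosts),                     # EDR network isolation
        "investigate": {"privileged_users": privileged_logons(events, users),
                        "persistence": persistence, "services": services},
        "remove": [s["service"] for s in services] + sorted(new_accounts),
        "mitre": mitre,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_response_plan(EVENTS), indent=2))
```

Each function maps to one of the searches in the post, so students can compare the Python filter with the SPL line it mirrors; raising the threshold to 50 makes the 4625 burst fall below it, and the plan then correctly blocks and disables nothing while still listing the suspicious service for investigation.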

🎤 Trainer Script

Say this during class:

“Detection only tells us the attacker is inside.
Blue Team Response tells us what to do next.
A SOC analyst’s job is not just finding attacks — but stopping them.”


📝 Homework for Day 12

Students submit:

  1. An attack they detected
  2. Their response plan
  3. Actions they would take to contain and eradicate
  4. MITRE mapping
