EC-Council Certified SOC Analyst (CSA)


COURSE OVERVIEW


The EC-Council Certified SOC Analyst (CSA) program equips learners with essential skills in security operations, threat intelligence, and incident response. It covers the processes, technologies, and techniques used to detect, investigate, and respond to threats, including attack vectors, SIEM deployment (with 350 use cases), and SOC development. Students gain proficiency in centralized log management, incident triage, investigating IoCs, and applying the cyber kill chain. They also learn to create effective reports and leverage AI-enabled tools and platforms to enhance SIEM capabilities, automate threat detection, prioritize alerts, and support threat hunting, all critical skills for a SOC analyst career.

·      Build job-ready skills with 50 labs and 120 tools

·      Earn a globally recognized, in-demand certification

·      Learn flexibly without leaving your current job

The Certified SOC Analyst (CSA) is a globally recognized certification offering flexible learning options to suit your schedule and goals. It equips you with the skills to build a rewarding career in SOC and blue-team roles, making you a valuable asset to any security team.



Duration: 5 days / 40 hours

Delivery Method: Classroom-based, Virtual Instructor Led Training


WHAT SKILLS YOU'LL LEARN

·      Acquire a comprehensive knowledge of SOC processes, procedures, technologies, and workflows.

·      Develop a foundational and advanced understanding of security threats, attacks, vulnerabilities, attacker behavior, and the cyber kill chain.

·      Learn to identify attacker tools, tactics, and procedures to recognize indicators of compromise (IoCs) for both active and future investigations.

·      Gain the ability to monitor and analyze logs and alerts from various technologies across multiple platforms, including IDS/IPS, endpoint protection, servers, and workstations.

·      Understand the centralized log management (CLM) process and its significance in security operations.

·      Acquire skills in collecting, monitoring, and analyzing security events and logs.

·      Attain extensive knowledge and hands-on experience in security information and event management (SIEM).

·      Learn how to administer SIEM solutions such as Splunk, AlienVault OSSIM, and the ELK Stack.

·      Understand the architecture, implementation, and fine-tuning of SIEM solutions for optimal performance.

·      Gain practical experience in the SIEM use case development process.

·      Develop threat detection cases (correlation rules) and create comprehensive reports.

·      Learn about widely used SIEM use cases across different deployments.

·      Plan, organize, and execute threat monitoring and analysis within an enterprise environment.

·      Acquire skills to monitor emerging threat patterns and perform security threat analysis.

·      Gain hands-on experience in the alert triaging process for effective threat management.

·      Learn how to escalate incidents to the appropriate teams for further investigation and remediation.

·      Use service desk ticketing systems for efficient incident tracking and resolution.

·      Develop the ability to prepare detailed briefings and reports outlining analysis methodologies and results.

·      Learn how to integrate threat intelligence into SIEM systems for enhanced incident detection and response.

·      Understand how to leverage diverse and continually evolving sources of threat intelligence.

·      Gain knowledge of the incident response process and best practices for managing security incidents.

·      Develop a solid understanding of SOC and incident response team (IRT) collaboration for improved incident management and response.

·      Assist in responding to and investigating security incidents using forensic analysis techniques.

·      Gain specialized knowledge in cloud-based threat detection and how to adapt techniques for cloud environments.

·      Engage in proactive threat detection by participating in threat-hunting exercises.

·      Develop skills in creating SIEM dashboards, generating SOC reports, and building effective correlation rules for advanced threat detection.

·      Acquire hands-on experience in malware analysis techniques.

·      Explore how AI/ML technologies can be leveraged to improve threat detection and response in SOC operations.

 

WHAT AI SKILLS YOU'LL LEARN

The course covers AI-driven capabilities built into modern SIEM platforms, which automate threat detection, correlation, and alert prioritization, and shows how to use them alongside analyst-written detection rules.

·      Improve traditional SOC operations with AI.

·      Enhance traditional SIEM systems with AI-enabled features.

·      Leverage AI-powered tools' natural language inputs to create detection rules.

·      Leverage AI-enabled tools for enhanced behavioral analytics.

·      Enhance the identification, categorization, and prioritization of security alerts with AI.

·      Integrate Splunk AI and Elasticsearch AI with SIEM.

·      Use AI-driven platforms like Copilot, ChatGPT, the PowerShell AI module, etc., to generate PowerShell scripts for threat hunting.


COURSE OUTLINE


Module 01: Security Operations and Management

o  Learn how a SOC enhances an organization's security management to maintain a strong security posture, focusing on the critical roles of people, technology, and processes in its operations.

o  Key topics covered:

§ SOC

§ SOC Capabilities

§ SOC Operations

§ SOC Workflow

§ Components of SOC

§ SOC Models

§ SOC Maturity Models

§ SOC Generations

§ SOC KPIs and Metrics

§ SOC Challenges


Module 02: Understanding Cyber Threats, IoCs, and Attack Methodology

o  Learn various cyberattacks, their IoCs, and the attack tactics, techniques, and procedures (TTPs) cybercriminals use.

o  Hands-on labs:

§ Perform SQL injection attack, Cross-Site Scripting (XSS) attack, network scanning attack, DoS attack, and brute force attack to understand their TTPs and IoCs.

§ Detect and analyze IoCs using Wireshark.

o  Key topics covered:

§ Cyber Threats

§ TTPs

§ Reconnaissance Attacks

§ Man-in-the-Middle Attacks

§ Password Attack Techniques

§ Malware Attacks

§ Advanced Persistent Threat Lifecycle

§ Host-Based DoS Attacks

§ Ransomware Attacks

§ SQL Injection Attacks

§ XSS Attacks

§ Cross-Site Request Forgery (CSRF) Attack

§ Session Attacks

§ Social Engineering Attacks

§ Email Attacks

§ Insider Attack

§ IoCs

§ Attacker's Hacking Methodology

§ MITRE D3FEND Framework

§ Diamond Model of Intrusion Analysis


Module 03: Log Management

o  Learn log management in SIEM, including how logs are generated, stored, centrally collected, normalized, and correlated across systems.

o  Hands-on labs:

§ Configure, monitor, and analyze various logs.

§ Collect logs from different devices into a centralized location using Splunk.

o  Key topics covered:

§ Incident

§ Event

§ Log

§ Log Sources

§ Log Format

§ Local Logging

§ Windows Event Log

§ Linux Logs

§ Mac Logs

§ Firewall Logs

§ Iptables

§ Router Logs

§ IIS Logs

§ Apache Logs

§ Database Logs

§ Centralized Logging

§ Log Collection

§ Log Transmission

§ Log Storage

§ AI-Powered Script for Log Storage

§ Log Normalization

§ Log Parsing

§ Log Correlation

§ Log Analysis

§ Alerting and Reporting


Module 04: Incident Detection and Triage

o  Learn SIEM fundamentals, including its capabilities, deployment strategies, use case development, and how it helps SOC analysts detect anomalies, triage alerts, and report incidents.

o  Hands-on labs:

§ Develop Splunk use cases to detect and generate alerts for brute-force attempts, ransomware attacks, SQL injection attempts, XSS attempts, Broken Access Control attempts, application crashes using Remote Code Execution, scanning attempts, monitoring insecure ports and services, HTTP flood/denial of service (DoS) attacks, monitoring Windows audit log tampering, and malicious PowerShell script execution.

§ Enhance alert triage using the SIGMA rules for Splunk queries.

§ Create dashboards in Splunk.

§ Create ELK use cases for monitoring trusted binaries connecting to the internet, credential dumping using Mimikatz, and monitoring malware activity in the system.

§ Create dashboards in ELK.

§ Detect brute-force attack patterns using correlation rules in ManageEngine Log360.

o  Key topics covered:

§ SIEM

§ SIEM Architecture and Its Components

§ AI-Enabled SIEM

§ Types of SIEM Solutions

§ SIEM Deployment

§ SIEM Use Cases

§ SIEM Deployment Architecture

§ SIEM Use Case Lifecycle

§ Application-Level Incident Detection SIEM Use Cases

§ Insider Incident Detection SIEM Use Cases

§ Examples of Network Level Incident Detection SIEM Use Cases

§ Examples of Compliance Use Cases

§ SIEM Rules Generation with AI

§ Alert Triage

§ Splunk AI

§ Elasticsearch AI

§ Alert Triage with AI

§ Dashboards in SOC

§ SOC Reports
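The log management topics in Module 03 (collection, normalization, correlation) and the brute-force use case developed in Module 04 are two halves of the same pipeline: raw logs from different sources are parsed into one schema, and a correlation rule runs over that schema. The example below, added here and not part of the CSA courseware, shows that pipeline in Python rather than Splunk SPL or ELK queries, so that the logic can be run offline. The sshd lines and the one-line Windows Security records are constructed sample data; the flattened Windows format, the syslog year (2025), and the threshold of five failures in five minutes are assumptions for the example, not vendor defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). The Linux excerpt is in standard
# sshd/syslog form; the Windows records are Security-log fields flattened to one
# line per event, a shape assumed for this example rather than any vendor format.
LINUX_AUTH_LOG = """\
Jan 12 08:00:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 12 08:00:04 web01 sshd[2104]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan 12 08:00:06 web01 sshd[2107]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jan 12 08:00:09 web01 sshd[2110]: Failed password for root from 203.0.113.7 port 51055 ssh2
Jan 12 08:00:11 web01 sshd[2112]: Failed password for root from 203.0.113.7 port 51060 ssh2
Jan 12 08:00:15 web01 sshd[2115]: Accepted password for root from 203.0.113.7 port 51073 ssh2
Jan 12 08:30:00 web01 sshd[2301]: Failed password for alice from 198.51.100.9 port 40011 ssh2
"""
WINDOWS_SECURITY_LOG = """\
2025-01-12T08:10:00 EventID=4625 Computer=DC01 TargetUserName=jsmith IpAddress=203.0.113.7 LogonType=3
2025-01-12T08:10:02 EventID=4625 Computer=DC01 TargetUserName=jsmith IpAddress=203.0.113.7 LogonType=3
2025-01-12T08:10:03 EventID=4625 Computer=DC01 TargetUserName=jsmith IpAddress=203.0.113.7 LogonType=3
2025-01-12T08:10:05 EventID=4625 Computer=DC01 TargetUserName=jsmith IpAddress=203.0.113.7 LogonType=3
2025-01-12T08:10:06 EventID=4625 Computer=DC01 TargetUserName=jsmith IpAddress=203.0.113.7 LogonType=3
2025-01-12T09:00:00 EventID=4624 Computer=DC01 TargetUserName=bob IpAddress=192.0.2.50 LogonType=10
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
WINEVT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Computer=(?P<host>\S+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)"
)
WIN_OUTCOME = {"4624": "success", "4625": "failure"}  # other Event IDs are dropped


def normalize(line, syslog_year=2025):
    """Parse one raw line into the common schema, or None if it is not a logon event.
    syslog timestamps carry no year, so the collector's year is assumed (2025 here)."""
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(f"{syslog_year} {m['ts']}", "%Y %b %d %H:%M:%S")
        outcome = "failure" if m["outcome"] == "Failed" else "success"
        return {"ts": ts, "host": m["host"], "user": m["user"], "src_ip": m["src"],
                "outcome": outcome, "source": "linux_sshd"}
    m = WINEVT_RE.match(line)
    if m and m["eid"] in WIN_OUTCOME:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "user": m["user"],
                "src_ip": m["src"], "outcome": WIN_OUTCOME[m["eid"]], "source": "windows_security"}
    return None


def parse_logs(*raw_logs):
    """Normalize every line of every supplied log, skipping lines that do not match."""
    events = [normalize(line) for raw in raw_logs for line in raw.splitlines()]
    return [e for e in events if e is not None]


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Correlation rule: >= threshold failed logons from one source IP inside `window`,
    counted across every host and log source. A success from the same IP after the
    threshold is crossed (and still inside the window) raises severity, since it suggests
    the guessing worked. Threshold and window are illustrative; tune them per environment."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src_ip"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["outcome"] == "failure"]
        i = 0
        while i < len(failures):
            start = failures[i]["ts"]
            cluster = [f for f in failures[i:] if f["ts"] < start + window]
            if len(cluster) < threshold:
                i += 1
                continue
            crossed = cluster[threshold - 1]["ts"]
            success = any(e["outcome"] == "success" and crossed <= e["ts"] < start + window
                          for e in evs)
            alerts.append({
                "rule": "brute_force_logon", "src_ip": src,
                "first_seen": start, "last_seen": cluster[-1]["ts"],
                "failures": len(cluster),
                "hosts": sorted({f["host"] for f in cluster}),
                "users": sorted({f["user"] for f in cluster}),
                "followed_by_success": success,
                "severity": "high" if success else "medium",
            })
            i += len(cluster)  # failures are time-sorted, so the cluster is a contiguous run


    return alerts


def run_detection():
    """End to end: collect, normalize, correlate; returns the alert list for triage."""
    return detect_brute_force(parse_logs(LINUX_AUTH_LOG, WINDOWS_SECURITY_LOG))


if __name__ == "__main__":
    for a in run_detection():
        print(f"[{a['severity'].upper()}] {a['rule']} src={a['src_ip']} failures={a['failures']} "
              f"hosts={a['hosts']} users={a['users']} success_after={a['followed_by_success']}")
```

Grouping by source IP after normalization is what lets the rule see the sshd failures on web01 and the Event ID 4625 failures on DC01 as one campaign from 203.0.113.7; the same rule run per log source would produce two unrelated, lower-confidence alerts. The "failures followed by a success" upgrade is the triage signal an analyst looks for first, because it turns a noisy brute-force alert into a probable compromised account.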


Module 05: Proactive Threat Detection

o  Learn the importance of threat intelligence and threat hunting for SOC analysts, and how their integration with SIEM helps reduce false positives and enables faster, more accurate alert triage.

o  Hands-on labs:

§ Integrate IoCs into the ELK Stack.

§ Integrate OTX threat data into OSSIM.

§ Detect incidents in Windows Server using YARA.

§ Conduct threat hunting using Windows PowerShell scripts, Hunt Manager in Velociraptor, Log360 UEBA, and Sophos Central.

o  Key topics covered:

§ Cyber Threat Intelligence (CTI)

§ Threat Intelligence Lifecycle

§ Types of Threat Intelligence

§ Threat Intelligence Strategy

§ Threat Intelligence Sources

§ Threat Intelligence Platform (TIP)

§ Threat Intelligence-Driven SOC

§ Threat Intelligence Use Cases for Enhanced Incident Response

§ Enhanced Threat Detection with AI

§ Threat Hunting

§ Threat Hunting Process

§ Threat Hunting Frameworks

§ Threat Hunting with PowerShell Script

§ PowerShell AI Module

§ Threat Hunting with AI

§ Threat Hunting with YARA

§ Threat Hunting Tools


Module 06: Incident Response

o  Learn the stages of incident response and how the IRT collaborates with SOC to handle and respond to escalated incidents.

o  Hands-on labs:

§ Generate tickets for incidents.

§ Contain data loss incidents.

§ Eradicate SQL injection and XSS incidents.

§ Perform recovery from data loss incidents.

§ Create incident reports using OSSIM.

§ Perform automated threat detection and response using Wazuh.

§ Detect threats using Sophos Central XDR.

§ Integrate Sophos Central XDR with Splunk.

o  Key topics covered:

§ Incident Response (IR)

§ IRT

§ SOC and IRT Collaboration

§ IR Process

§ Ticketing System

§ Incident Triage

§ Notification

§ Containment

§ Eradication

§ Recovery

§ Network Security Incident Response

§ Application Security Incident Response

§ Email Security Incident Response

§ Insider Threats and Incident Response

§ Malware Threats and Incident Response

§ SOC Playbook

§ Endpoint Detection and Response (EDR)

§ Extended Detection and Response (XDR)

§ SOAR

§ SOAR Playbook


Module 07: Forensic Investigation and Malware Analysis

o  Learn the importance of forensic investigation and malware analysis in SOC operations to understand attack methods, identify IoCs, and enhance future defenses.

o  Hands-on labs:

§ Perform forensic investigation of application security incidents: SQL injection attacks.

§ Perform forensic investigation of a compromised system incident using Velociraptor.

§ Analyze RAM for suspicious activities using Redline.

§ Perform static analysis on a suspicious file using PeStudio.

§ Examine a suspicious file using VirusTotal.

§ Perform dynamic malware analysis in Windows using Process Hacker.

o  Key topics covered:

§ Forensics Investigation

§ Forensics Investigation Methodology

§ Forensics Investigation Process

§ Forensics Investigation of Network Security Incidents

§ Forensics Investigation of Application Security Incidents

§ Forensics Investigation of Email Security Incidents

§ Forensics Investigation of Insider Incidents

§ Malware Analysis

§ Types of Malware Analysis

§ Malware Analysis Tools

§ Static Malware Analysis

§ Dynamic Malware Analysis

Module 08: SOC for Cloud Environments

o  Learn the SOC processes in cloud environments, covering monitoring, incident detection, automated response, and security in AWS, Azure, and GCP using cloud-native tools.

o  Hands-on Labs:

§ Implement Microsoft Sentinel in Azure.

o  Key topics covered:

§ Cloud SOC

§ Azure SOC Architecture

§ Microsoft Sentinel

§ AWS SOC Architecture

§ AWS Security Hub

§ Centralized Logging with OpenSearch

§ Google Cloud Platform (GCP) Security Operation Center

§ Security Command Center

§ Chronicle
