Network Security Channel
SOC Analyst Technical Assessment.pdf
🚨 A real SOC Analyst does not just close alerts.
They investigate, correlate, contain, and communicate.
I’ve been reviewing a SOC Analyst Technical Assessment, and it highlights something many people still misunderstand about the role:
Being a SOC Analyst is not just about staring at dashboards.
It is about making the right judgment under pressure.
What stood out to me most is how realistic the assessment is.
It tests the exact skills that matter in the real world:
✅ SIEM alert triage
• separating true positives from false positives
• prioritizing incidents correctly
• recognizing brute force, phishing, malware, and benign IT activity
✅ Log analysis and threat hunting
• identifying suspicious RDP activity
• spotting privilege escalation
• noticing command-line abuse
• correlating firewall, Windows, EDR, and SMB-related events
✅ Attack chain thinking
• mapping activity to the MITRE ATT&CK stages
• understanding initial access, execution, persistence, privilege escalation, defense evasion, and exfiltration
✅ Incident response under pressure
• isolating affected systems
• blocking SMB spread
• identifying IOCs
• building timelines
• recommending containment and remediation actions
✅ Written communication
• turning technical findings into an executive summary
• explaining business impact
• giving clear next steps after a ransomware incident
That is the part I like most:
A strong SOC Analyst is not just technical.
They must also be able to:
• think critically,
• connect small signals,
• understand attacker behavior,
• write clearly,
• and explain risk in a way the business can act on.
The uncomfortable truth?
A lot of people think SOC work is repetitive.
But real SOC work is where:
• false positives waste time,
• missed signals become breaches,
• and one bad decision can change the impact of an incident.
This assessment proves something important:
SOC is not about tools alone.
It is about analysis quality.
👇 Don’t just like, comment:
What do you think is the most important SOC Analyst skill today?
A) Alert triage
B) Log correlation
C) Threat hunting
D) Incident response
E) Reporting and communication
Comment A / B / C / D / E. I’m curious what security professionals value most in real environments.
#SOC #SOCAnalyst #CyberSecurity #SIEM #ThreatHunting #IncidentResponse #LogAnalysis #BlueTeam #ThreatDetection #MITREATTACK #Ransomware #EDR #SecurityOperations #InfoSec #CyberDefense #DFIR #DetectionEngineering #SecurityMonitoring #AnalystMindset #CyberCareer
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
🛡 Wazuh Mastery Pack · 01 of 15 — Installation & Setup
The single most repeated question from juniors picking up Wazuh:
"Where do I even start?"
This first cheat sheet gets a Wazuh stack from zero to producing alerts in under 30 minutes — Manager, Indexer, Dashboard, Agents, all the ports you must open, and the verification one-liners I run before walking away from any new install.
A few non-obvious things people miss on day one:
- The all-in-one assistant script (wazuh-install.sh -a) is a lab/PoC tool — don't ship it to prod
- /var/ossec/wazuh-install-files.tar contains your initial creds. Move it to a vault. Lose it = full reinstall.
- Prefer TCP/1514 over UDP for event ingest — UDP silently drops events under load
- Always run /var/ossec/bin/wazuh-control configtest before restarting the manager
If you're starting your Wazuh journey this week, this one is for you.
#Wazuh #SIEM #SOC #CyberSecurity #BlueTeam #InfoSec #OpenToWork
🛡 Wazuh Mastery Pack · 02 of 15 — CLI Commands
The Wazuh GUI is great. The CLI is where you actually solve problems at 2am.
This cheat sheet is the muscle memory I wish I'd had on day one — service control, agent management, live log testing with wazuh-logtest, cluster operations, and the file paths you'll touch a thousand times.
Three commands every Wazuh operator should burn into memory:
🔹 /var/ossec/bin/wazuh-control configtest
→ validates ossec.conf BEFORE you restart in production. Has saved me from at least three outages.
🔹 /var/ossec/bin/wazuh-logtest
→ paste a raw log line, see exactly which decoder and which rule fires (or doesn't). Single best tool for tuning custom rules.
🔹 /var/ossec/bin/agent_control -l
→ shows every agent and its connection status. Faster than the dashboard when you just need a quick health check.
If you operate Wazuh and aren't using these, you're doing it the hard way.
#Wazuh #SIEM #SOC #BlueTeam #DevSecOps #CLI #InfoSec
🛡 Wazuh Mastery Pack · 03 of 15 — Configuration Files
Wazuh's power lives in three XML files:
🔹 /var/ossec/etc/ossec.conf — manager's brain
🔹 /var/ossec/etc/shared/default/agent.conf — central agent policy
🔹 /var/ossec/etc/rules/local_rules.xml — your custom detections
This cheat sheet ships ready-to-paste blocks for all three — the global section, the <remote> block agents connect through, central agent policy that pushes to every endpoint, and a working custom rule template.
The single biggest mistake I see in custom rules:
👉 Using rule IDs below 100000.
The 1–9999 range is owned by Wazuh's built-in ruleset. Collide with it and your rule will silently lose to the built-in. Always use 100000 and above for your custom detections.
If you're tuning Wazuh this week, save this one.
#Wazuh #SIEM #SOC #DetectionEngineering #InfoSec #BlueTeam
🛡 Wazuh Mastery Pack · 04 of 15 — Rules & Decoders
Detection engineering with Wazuh comes down to two artifacts:
📜 Decoders — pull structure out of unstructured logs
🚨 Rules — turn structured fields into alerts
This cheat sheet is the anatomy of both: alert levels 0–16 and what they actually mean, the rule ID ranges that keep you from colliding with built-ins, the chained-rule pattern (if_matched_sid + frequency + timeframe) that detects brute-force behavior, and a working decoder for a custom application log.
A practice that separates senior detection engineers from juniors:
👉 Every rule should map to a MITRE ATT&CK technique.
<mitre><id>T1110</id></mitre>
It costs nothing, takes seconds, and makes your alerts speak the same language as every threat report on the planet.
#Wazuh #DetectionEngineering #SIEM #MITREATTACK #SOC #ThreatHunting #InfoSec
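As an added example (not a block from the cheat sheet), here is the decoder-plus-chained-rule pattern from posts 03 and 04 for a constructed application log line `myapp: login failed user=alice from 203.0.113.5`; the program name `myapp`, its log format and the rule IDs 100100/100101 are assumptions, and both files sit in the paths the manager's default ruleset already loads.

```xml
<!-- /var/ossec/etc/decoders/local_decoder.xml
     Added example: "myapp" and its log format are constructed.
     Paste this line into /var/ossec/bin/wazuh-logtest to watch the decoder and rules fire:
     myapp: login failed user=alice from 203.0.113.5 -->
<decoder name="myapp">
  <prematch>^myapp: </prematch>
</decoder>

<decoder name="myapp-login-failed">
  <parent>myapp</parent>
  <prematch offset="after_parent">^login failed</prematch>
  <regex offset="after_prematch">user=(\S+) from (\d+.\d+.\d+.\d+)$</regex>
  <!-- captured groups become data.srcuser / data.srcip in the alert, usable in WQL -->
  <order>srcuser, srcip</order>
</decoder>

<!-- /var/ossec/etc/rules/local_rules.xml -->
<group name="myapp,authentication_failed,">

  <!-- Custom rule IDs must be 100000 or higher; lower ranges belong to the built-in ruleset -->
  <rule id="100100" level="5">
    <decoded_as>myapp</decoded_as>
    <match>login failed</match>
    <description>myapp: failed login for $(srcuser) from $(srcip)</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>

  <!-- Chained rule: fires once 100100 has matched "frequency" times from the same source IP
       inside "timeframe" seconds. Level 10 is the escalation; raise to 12 if it should land
       in your critical-alert triage query. -->
  <rule id="100101" level="10" frequency="8" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>myapp: brute-force pattern, repeated failed logins for $(srcuser) from $(srcip)</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>

</group>
```

Run `/var/ossec/bin/wazuh-control configtest` after saving, then restart the manager; the second rule only appears in wazuh-logtest once you paste the sample line enough times within the timeframe.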
🛡 Wazuh Mastery Pack · 05 of 15 — Wazuh API
Anything you can do in the Wazuh dashboard, you can automate via the REST API on port 55000.
This cheat sheet is the muscle: token auth, the endpoints I hit weekly, filtering and pagination, and curl one-liners you can drop into a Bash script today.
Three workflows the API unlocks:
🔹 Mass-restart agents after a rule change → PUT /agents/restart (no more clicking through 200 hosts)
🔹 Auto-decommission stale agents → GET /agents?lastKeepAlive&status=disconnected → DELETE the list
🔹 Pipe rule and SCA data into your own dashboards → no need to touch OpenSearch directly
Tokens expire in 15 minutes by default. Re-auth in your script, don't hardcode them.
#Wazuh #API #SIEM #Automation #SOC #DevSecOps #InfoSec
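Added example, not the cheat sheet's curl one-liners: a small Python client that does the token dance described above (Basic auth for a JWT, transparent re-auth when a 401 signals expiry), pages through disconnected agents, and mass-restarts a list. The `older_than`, `select`, `offset`/`limit` and `agents_list` parameters are the Wazuh 4.x API's; the URL, user and the injectable `transport` hook are assumptions so the class can be exercised without a live manager.

```python
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request


class WazuhAPI:
    def __init__(self, base_url, user, password, transport=None):
        self.base_url = base_url.rstrip("/")
        self._basic = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.token, self.reauths = None, 0
        self._transport = transport or self._http  # injectable so tests run without a manager

    @staticmethod
    def _http(method, url, headers):
        # The API serves HTTPS with its own CA: trust that CA system-wide rather than disabling checks
        try:
            with urllib.request.urlopen(urllib.request.Request(url, method=method, headers=headers), timeout=30) as r:
                return r.status, json.loads(r.read() or b"{}")
        except urllib.error.HTTPError as err:  # 4xx bodies are JSON problem documents
            return err.code, json.loads(err.read() or b"{}")

    def authenticate(self):
        # Tokens expire after 15 minutes by default: obtain one at runtime, never hardcode it
        status, data = self._transport("POST", f"{self.base_url}/security/user/authenticate",
                                       {"Authorization": f"Basic {self._basic}"})
        if status != 200:
            raise RuntimeError(f"authentication failed: HTTP {status}")
        self.token, self.reauths = data["data"]["token"], self.reauths + 1

    def call(self, method, path, params=None):
        url = f"{self.base_url}{path}" + (f"?{urllib.parse.urlencode(params)}" if params else "")
        if self.token is None:
            self.authenticate()
        for _ in range(2):  # a 401 mid-script means the token expired: re-auth once and retry
            status, data = self._transport(method, url, {"Authorization": f"Bearer {self.token}"})
            if status == 401:
                self.authenticate()
                continue
            if status != 200 or data.get("error", 0) != 0:
                raise RuntimeError(f"{method} {path}: HTTP {status} {data.get('detail') or data.get('message')}")
            return data["data"]
        raise RuntimeError("still unauthorized after re-authentication")

    def stale_agents(self, older_than="30d"):
        """IDs of agents disconnected for longer than `older_than` ('30d', '12h', ...), all pages."""
        ids, offset, limit = [], 0, 500
        while True:
            page = self.call("GET", "/agents", {"status": "disconnected", "older_than": older_than,
                                                "select": "id,name,lastKeepAlive", "offset": offset, "limit": limit})
            ids += [a["id"] for a in page["affected_items"] if a["id"] != "000"]  # guard: 000 is the manager
            offset += limit
            if offset >= page["total_affected_items"]:
                return ids

    def restart_agents(self, ids):
        """Mass-restart after a rule or agent.conf change: PUT /agents/restart?agents_list=..."""
        return self.call("PUT", "/agents/restart", {"agents_list": ",".join(ids)})["affected_items"]


if __name__ == "__main__":  # live run: set WAZUH_URL / WAZUH_USER / WAZUH_PASS for your manager
    api = WazuhAPI(os.environ.get("WAZUH_URL", "https://wazuh-manager.example:55000"),
                   os.environ.get("WAZUH_USER", "wazuh-wui"), os.environ.get("WAZUH_PASS", ""))
    print("agents disconnected for 30+ days:", api.stale_agents("30d"))
```

Review the returned list before feeding it to a DELETE: a site that was offline for maintenance looks exactly like an abandoned host.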
🛡 Wazuh Mastery Pack · 06 of 15 — Wazuh Query Language (WQL)
Triage speed = how fast you can write the right query.
This cheat sheet is the field-level reference for filtering alert data inside the Wazuh Dashboard — exact-match, ranges, boolean logic (AND / OR / NOT), wildcards, and the fields you'll reach for every shift.
The three queries every SOC analyst should know by heart:
🔹 rule.level >= 12
→ only critical alerts. Cuts the noise instantly during triage.
🔹 rule.groups: "authentication_failed" AND NOT data.srcuser: "backup"
→ real failed-auth events, minus your noisy service accounts.
🔹 rule.mitre.id: "T1110"
→ every brute-force alert across your fleet, in one click.
Save these as Saved Searches in the Dashboard. Triage time drops by half.
#Wazuh #SOC #ThreatHunting #SIEM #BlueTeam #SecurityAnalyst #InfoSec
🛡 Wazuh Mastery Pack · 07 of 15 — MITRE ATT&CK Mapping
Detections without ATT&CK tags are detections that nobody else can interpret.
This cheat sheet shows how to add a single <mitre> block to your custom rules, the techniques you should cover first (T1110, T1078, T1059, T1486, T1003 — these alone catch a huge chunk of real-world attacks), and the queries to slice your alerts by technique.
Why this matters:
👉 Threat reports speak ATT&CK.
👉 Tabletop exercises speak ATT&CK.
👉 Threat-intel feeds tag IOCs with ATT&CK.
The moment your Wazuh rules speak it too, the whole stack — detection → triage → reporting → red team feedback — starts working as one system.
Bonus tip: load your rule.mitre.id data into the MITRE ATT&CK Navigator to see your detection coverage as a heatmap. Find the gaps. Close them.
#Wazuh #MITREATTACK #DetectionEngineering #ThreatIntel #SOC #BlueTeam #InfoSec
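Added example for the bonus tip (not from the cheat sheet): build an ATT&CK Navigator layer from the `<mitre>` tags in your local rules and from `rule.mitre.id` in alerts.json, so a score of 0 means "rule exists, never fired" and rules without any tag are listed as the gaps to close first. The sample rules and alert lines are constructed, and the Navigator `versions` block is an assumption to adjust to your release.

```python
import json
import xml.etree.ElementTree as ET

# Constructed stand-ins for /var/ossec/etc/rules/local_rules.xml and alerts.json (one JSON object per line)
SAMPLE_RULES = """
<group name="myapp,">
  <rule id="100100" level="5"><description>failed login</description><mitre><id>T1110</id></mitre></rule>
  <rule id="100101" level="10"><description>brute force</description><mitre><id>T1110</id></mitre></rule>
</group>
<group name="web,">
  <rule id="100200" level="12"><description>shadow read</description><mitre><id>T1003</id></mitre></rule>
  <rule id="100300" level="7"><description>untagged webshell rule</description></rule>
</group>"""
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    {"rule": {"id": "100101", "level": 10, "mitre": {"id": ["T1110"]}}, "agent": {"name": "web-01"}},
    {"rule": {"id": "100101", "level": 10, "mitre": {"id": ["T1110"]}}, "agent": {"name": "web-02"}},
    {"rule": {"id": "100300", "level": 7}, "agent": {"name": "web-01"}},  # fired, but carries no tag
    {"rule": {"id": "5710", "level": 5, "mitre": {"id": ["T1110", "T1021.004"]}}, "agent": {"name": "gw"}},
])


def techniques_in_rules(rules_xml):
    """technique -> rule ids tagged with it, plus the rule ids that have no <mitre> block at all."""
    # local_rules.xml has several top-level <group> elements: wrap them to get one XML document
    root = ET.fromstring(f"<rules>{rules_xml}</rules>")
    covered, untagged = {}, []
    for rule in root.iter("rule"):
        ids = [t.text.strip() for t in rule.findall("mitre/id")]
        if not ids:
            untagged.append(rule.get("id"))
        for tid in ids:
            covered.setdefault(tid, []).append(rule.get("id"))
    return covered, untagged


def techniques_in_alerts(alerts_jsonl):
    """Alert count per technique; rule.mitre.id is a list, so one alert can score several."""
    hits = {}
    for line in filter(str.strip, alerts_jsonl.splitlines()):
        for tid in json.loads(line).get("rule", {}).get("mitre", {}).get("id", []):
            hits[tid] = hits.get(tid, 0) + 1
    return hits


def navigator_layer(covered, hits, name="Wazuh detection coverage"):
    """Navigator layer dict: score = alerts seen; score 0 = a rule exists but never fired.
    The versions block is an assumption: set it to match your Navigator and ATT&CK release."""
    techniques = [{"techniqueID": tid, "score": hits.get(tid, 0),
                   "comment": f"{hits.get(tid, 0)} alert(s); rules: {', '.join(covered.get(tid, ['built-in only']))}"}
                  for tid in sorted(set(covered) | set(hits))]
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
            "techniques": techniques,
            "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": max(hits.values(), default=1)}}


if __name__ == "__main__":
    covered, untagged = techniques_in_rules(SAMPLE_RULES)
    print(json.dumps(navigator_layer(covered, techniques_in_alerts(SAMPLE_ALERTS)), indent=2))
    print("rules with no ATT&CK tag (gaps to fix first):", untagged)
```

Save the printed JSON to a file and open it in the Navigator with "Open Existing Layer" to get the heatmap.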
🛡 Wazuh Mastery Pack · 08 of 15 — File Integrity Monitoring
FIM is the most underrated detection control in any SIEM.
This cheat sheet is the working syscheck config — Linux paths, Windows registry Run keys, realtime vs whodata vs scheduled, report_changes for actual diffs, and the ignore patterns that keep alert volume sane.
Where FIM earns its keep:
✓ /etc on every Linux server (configs, sudoers, cron)
✓ /var/www on web hosts (catches web shells the moment they land)
✓ HKLM\Software\Microsoft\Windows\CurrentVersion\Run on Windows (boot persistence)
✓ C:\Windows\System32\drivers\etc (hosts-file tampering)
Real-time FIM on /etc and Windows registry Run keys = the highest-ROI detection you can deploy in under 10 minutes.
#Wazuh #FIM #FileIntegrityMonitoring #SIEM #SOC #BlueTeam #InfoSec
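Added example (not the cheat sheet's config): the Linux and Windows watch list above expressed as central agent policy in `/var/ossec/etc/shared/default/agent.conf`, using realtime, whodata and report_changes where each pays off, plus the noise controls. The scan interval, ignore list and nodiff entries are assumptions to tune for your fleet.

```xml
<!-- /var/ossec/etc/shared/default/agent.conf on the manager: pushed to every agent in the
     "default" group. Added example; paths and intervals are starting points, not a standard. -->
<agent_config os="Linux">
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>   <!-- full scheduled scan every 12 h as the safety net -->
    <scan_on_start>yes</scan_on_start>

    <!-- realtime: inotify-driven, alert within seconds; report_changes: keep a diff of the
         content so the alert shows what changed in sudoers, cron or sshd_config -->
    <directories realtime="yes" report_changes="yes" check_all="yes">/etc</directories>

    <!-- whodata: audit-based, adds which user and process wrote the file (needs auditd on
         the host). The alert for a dropped web shell then names the process that wrote it. -->
    <directories whodata="yes" check_all="yes">/var/www</directories>

    <!-- never store diffs of secrets, even though the paths are monitored -->
    <nodiff>/etc/shadow</nodiff>
    <nodiff>/etc/ssl/private.key</nodiff>

    <!-- noise control: files that churn constantly, plus editor and temp artefacts -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore type="sregex">.log$|.swp$|.tmp$</ignore>
  </syscheck>
</agent_config>

<agent_config os="Windows">
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <!-- boot persistence: Run keys in both the 32-bit and 64-bit registry views -->
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <!-- hosts-file tampering -->
    <directories realtime="yes" report_changes="yes" check_all="yes">C:\Windows\System32\drivers\etc</directories>
  </syscheck>
</agent_config>
```

Agents pick the file up on their next keep-alive; `/var/ossec/bin/agent_control -l` confirms they are connected, and the FIM events arrive as the built-in syscheck rules (550 for a changed checksum, 554 for a new file).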
🛡 Wazuh Mastery Pack · 09 of 15 — VirusTotal & TI Integrations
A Wazuh alert that says "new file in /var/www" is OK.
A Wazuh alert that says "new file in /var/www, hash matched 47 VT vendors" is a different conversation.
This cheat sheet is the <integration> block pattern — VirusTotal for hash lookups, Slack for alerting, PagerDuty for on-call wake-ups, Shuffle for SOAR playbooks, and custom webhook for the rest.
Pro tip on VirusTotal:
👉 Free tier = 4 requests/min. Pair the integration with a tight rule_id (e.g. only FIM events under /var/www and /home), or you'll burn the quota in the first 10 minutes of any attack.
The ROI: every analyst-hour spent on triage drops, because the enrichment is already in the alert.
#Wazuh #ThreatIntel #VirusTotal #SOAR #SOC #BlueTeam #InfoSec
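Added example (not the cheat sheet's block) of the "tight rule_id" tip: a custom rule that narrows the built-in FIM rules 550/554 to /var/www and /home, and the `<integration>` entries that key VirusTotal off that rule only and Slack off the level-12 tier. The rule ID 100200, the API key and the webhook URL are placeholders.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (added example)
     Scope: only FIM events under paths attackers actually drop into get a hash lookup, so the
     4 requests/min free-tier quota is not burned by /var/log or package upgrades. -->
<group name="syscheck,virustotal_candidate,">
  <rule id="100200" level="7">
    <if_sid>550,554</if_sid>                        <!-- 550 checksum changed, 554 file added -->
    <field name="file">^/var/www|^/home</field>
    <description>FIM: $(file) added or modified under a web or home path, hash sent to VirusTotal</description>
    <mitre>
      <id>T1505.003</id>                            <!-- Server Software Component: Web Shell -->
    </mitre>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf on the manager, inside <ossec_config> -->
<integration>
  <name>virustotal</name>
  <api_key>VT_API_KEY_PLACEHOLDER</api_key>        <!-- keep it out of git; free tier = 4 req/min -->
  <rule_id>100200</rule_id>                         <!-- the scoped rule, not all of 550/554 -->
  <alert_format>json</alert_format>
</integration>

<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/PLACEHOLDER</hook_url>
  <level>12</level>                                 <!-- same threshold as the WQL query rule.level >= 12 -->
  <alert_format>json</alert_format>
</integration>
```

The VirusTotal verdict comes back as a separate alert from Wazuh's built-in virustotal rules, which is the alert worth routing to Slack or PagerDuty; the level-7 candidate rule itself stays below the notification threshold.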