Day 01 Foundations

SOC Architecture and Threat Detection

The SOC is where attacks go to die — if the team is ready. Tier 1/2/3 analyst roles, SIEM fundamentals, alert triage workflow, and the detection coverage gaps most orgs never close.

~1 hour · Intermediate · Hands-on · Precision AI Academy


01

What Is a SIEM?

A SIEM collects logs from firewalls, servers, endpoints, network devices, and applications, normalizes them into a common schema, stores them for search, and runs correlation rules that generate alerts when attack patterns are detected. Commercial SIEMs: Splunk, Microsoft Sentinel, IBM QRadar, Exabeam. Open source: Elastic SIEM (ELK Stack), Wazuh, OSSIM. A Tier 1 analyst spends their day triaging SIEM alerts.

02

Log Sources and Collection

Critical log sources: Windows Event Logs (logon events 4624/4625, privilege use 4672, process creation 4688), Linux syslog/auditd, firewall logs (allow/deny with IP:port), DNS query logs (detect C2 and data exfiltration), proxy/web gateway logs (URLs visited), and EDR telemetry (file, process, network activity). Collection agents (Beats, NXLog, Splunk UF) forward logs to the SIEM; configure TLS on that forwarding channel rather than assuming it, because raw logs carry usernames, hostnames, and internal IPs that an attacker on the network would gladly read or tamper with in transit.

03

Log Normalization and Parsing

Logs come in dozens of formats: syslog, CEF, LEEF, JSON, Windows XML Event. The SIEM must parse each format and map fields to a common schema. In the Elastic Stack that schema is ECS (Elastic Common Schema), and Logstash grok patterns and Filebeat modules do the parsing; in Splunk, field extractions populate the Common Information Model (CIM). Good normalization lets you write one detection rule (for example, "more than N failed logins from one source.ip in 60 seconds") that works across SSH, VPN, and Windows logon events alike. Inconsistent mapping is the quiet way detection fails: a rule keyed on source.ip never fires for the source whose parser put the address in src_ip.

```bash
# Deploy Wazuh SIEM (Docker) with the compose file from the Wazuh docker repo
docker-compose -f /path/to/wazuh/docker-compose.yml up -d

# Or: Elastic Stack quick setup. Lab only: security is disabled so curl and
# Kibana can reach Elasticsearch without TLS or a password. Never do this
# on a SIEM that ingests real logs.
docker network create elk
docker run -d --name elasticsearch --network elk -p 9200:9200 \
  -e 'discovery.type=single-node' \
  -e 'xpack.security.enabled=false' \
  elasticsearch:8.12.0

docker run -d --name kibana --network elk -p 5601:5601 \
  -e 'ELASTICSEARCH_HOSTS=http://elasticsearch:9200' \
  kibana:8.12.0

# Filebeat: ship logs to Elasticsearch. Use the system module rather than a
# raw file input: the module's ingest pipeline parses auth.log and syslog
# into ECS fields (event.category, event.outcome, source.ip, user.name);
# a raw input only gives you an unparsed message field.
# /etc/filebeat/filebeat.yml
# filebeat.config.modules:
#   path: ${path.config}/modules.d/*.yml
# output.elasticsearch:
#   hosts: ['localhost:9200']
#
# /etc/filebeat/modules.d/system.yml (after enabling the module)
# - module: system
#   syslog:
#     enabled: true
#   auth:
#     enabled: true
filebeat modules enable system
filebeat setup          # loads index template, ingest pipelines, dashboards
systemctl start filebeat

# Query logs in Elasticsearch: failed authentication events as parsed by the
# system module (event.category contains "authentication", outcome "failure")
curl -X GET 'localhost:9200/filebeat-*/_search' -H 'Content-Type: application/json' -d '
{"query": {"bool": {"filter": [
  {"term": {"event.category": "authentication"}},
  {"term": {"event.outcome": "failure"}}]}}}'
```
💡 Log retention is a compliance requirement, not just a nice-to-have. NIST SP 800-53 control AU-11 requires an organization-defined retention period that supports after-the-fact investigations; PCI DSS requires at least one year of audit log history, with the most recent three months immediately available for analysis. Size your SIEM storage for the longest retention period you are subject to before deployment, and decide up front which sources stay hot (searchable) and which move to cold storage.
📝 Day 1 Exercise: Stand Up an ELK SIEM
  1. Deploy Elasticsearch and Kibana using Docker on your lab machine
  2. Install Filebeat on a Linux VM, enable the system module, and configure it to ship auth.log and syslog
  3. In Kibana, create a data view (called an index pattern before Kibana 8) for filebeat-* and explore the parsed ECS fields in Discover
  4. Build a simple dashboard showing failed SSH logins (event.outcome: failure) by source.ip over time
  5. Create a Kibana alerting rule that fires when more than 5 failed logins occur from one source.ip in 60 seconds, and confirm it fires by generating failed SSH attempts against the VM yourself
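The normalize-then-detect idea from section 03 and the threshold alert in exercise step 5, as an added example that is not the course's own code: three constructed log formats (sshd syslog, a CEF record from a VPN gateway, and a JSON event from an EDR agent) are mapped to one small ECS-style schema, and a single sliding-window rule then runs across all of them. The CEF and JSON field names, the host and IP values, and the year assumed for the year-less syslog lines are all assumptions made for this example; the CEF parser is deliberately simplified (no escape handling, human-readable rt only) and is not a vendor's real schema.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample records (not captured from a real system). One source
# IP appears in three formats; only normalization lets a single rule see
# all six of its failures. CEF/JSON field names are assumptions.
SAMPLE_LOGS = [
    "Mar 10 12:00:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2",
    "Mar 10 12:00:05 web01 sshd[2212]: Failed password for root from 203.0.113.9 port 51030 ssh2",
    "CEF:0|ExampleVendor|VPN|1.0|100|Authentication failed|5|rt=Mar 10 2024 12:00:12 src=203.0.113.9 suser=bob outcome=failure",
    '{"@timestamp":"2024-03-10T12:00:20Z","host":"win01","event_type":"logon","status":"failed","src_ip":"203.0.113.9","user":"alice"}',
    "Mar 10 12:00:31 web01 sshd[2213]: Failed password for invalid user test from 203.0.113.9 port 51044 ssh2",
    "Mar 10 12:00:40 web01 sshd[2214]: Failed password for invalid user oracle from 203.0.113.9 port 51050 ssh2",
    "Mar 10 12:00:44 web01 sshd[2215]: Accepted password for deploy from 198.51.100.7 port 40000 ssh2",
    "Mar 10 12:05:00 web01 sshd[2216]: Failed password for root from 198.51.100.7 port 40011 ssh2",
]

SYSLOG_YEAR = 2024  # classic syslog lines carry no year; assumed for this example

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port"
)
# CEF extension: key=value pairs where values may contain spaces (e.g. rt)
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_syslog(line):
    """sshd auth.log line -> common schema, or None if it is not an sshd auth event."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "@timestamp": ts.replace(tzinfo=timezone.utc),
        "event.category": "authentication",
        "event.outcome": "failure" if m["result"] == "Failed" else "success",
        "source.ip": m["ip"],
        "user.name": m["user"],
        "log.source": "syslog",
    }


def parse_cef(line):
    """Simplified CEF parser: 7 pipe-delimited header fields, then key=value extensions."""
    if not line.startswith("CEF:"):
        return None
    header = line.split("|", 7)
    if len(header) < 8:
        return None
    ext = dict(CEF_EXT_RE.findall(header[7]))
    ts = datetime.strptime(ext["rt"], "%b %d %Y %H:%M:%S")
    return {
        "@timestamp": ts.replace(tzinfo=timezone.utc),
        "event.category": "authentication",
        "event.outcome": ext.get("outcome", "unknown"),
        "source.ip": ext.get("src"),
        "user.name": ext.get("suser"),
        "log.source": "cef:" + header[2],  # device product
    }


def parse_json(line):
    """JSON EDR-style logon event -> common schema (field names assumed for the example)."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    ts = datetime.fromisoformat(rec["@timestamp"].replace("Z", "+00:00"))
    return {
        "@timestamp": ts,
        "event.category": "authentication" if rec.get("event_type") == "logon" else "other",
        "event.outcome": "failure" if rec.get("status") == "failed" else "success",
        "source.ip": rec.get("src_ip"),
        "user.name": rec.get("user"),
        "log.source": "json:" + rec.get("host", "unknown"),
    }


def normalize(lines):
    """Run each raw line through the parsers; drop lines nobody understands; sort by time."""
    events = []
    for line in lines:
        for parser in (parse_json, parse_cef, parse_syslog):
            event = parser(line)
            if event:
                events.append(event)
                break
    return sorted(events, key=lambda e: e["@timestamp"])


def failed_login_burst(events, limit=5, window_seconds=60):
    """One rule over the normalized stream: alert once per source.ip when more than
    `limit` authentication failures fall inside a sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # source.ip -> deque of (timestamp, log.source)
    fired = set()
    alerts = []
    for e in events:
        if e["event.category"] != "authentication" or e["event.outcome"] != "failure":
            continue
        ip, q = e["source.ip"], recent[e["source.ip"]]
        q.append((e["@timestamp"], e["log.source"]))
        while q and e["@timestamp"] - q[0][0] > window:
            q.popleft()               # age out failures older than the window
        if len(q) > limit and ip not in fired:
            fired.add(ip)             # simple suppression: one alert per IP
            alerts.append({
                "source.ip": ip,
                "count": len(q),
                "first_seen": q[0][0],
                "last_seen": e["@timestamp"],
                "sources": sorted({src for _, src in q}),
            })
    return alerts


if __name__ == "__main__":
    for alert in failed_login_burst(normalize(SAMPLE_LOGS)):
        print(alert)
```

The rule never looks at the raw line, only at the common schema, which is the whole point: the VPN and EDR failures count toward the same burst as the sshd ones. The Kibana rule in step 5 is this same logic expressed as an aggregation over `event.outcome` and `source.ip`; if a new log source lands its address in a field other than `source.ip`, both this function and the Kibana rule silently miss it.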

Day 1 Summary

Challenge

Configure Filebeat to collect logs from 5 different sources on your lab network. Build a Kibana dashboard showing top talkers, failed authentications, and suspicious DNS queries. Screenshot your dashboard.

What's Next

The foundations from today carry directly into Day 2. In the next session the focus shifts to Log Analysis and SIEM Queries — building directly on everything covered here.

Day 1 Checkpoint

Before moving on, verify you can answer these without looking:

  • What does a SIEM do with a raw log line between collection and the alert an analyst sees (collect, normalize, store, correlate), and why does each stage matter?
  • Which log sources would you onboard first, and what does each one let you detect (for example, DNS query logs for C2 and exfiltration, process creation events for post-exploitation activity)?
  • Why does normalizing into a common schema let one detection rule cover many log sources, and what breaks when a parser maps a field inconsistently?
  • What fails first if you skip encrypted log forwarding or undersize retention: what can an attacker read or erase, and what can you no longer investigate?
  • How does the SIEM you stood up today feed the alert triage work in Day 2?

Live Bootcamp

Learn this in person — 2 days, 5 cities

Thu–Fri sessions in Denver, Los Angeles, New York, Chicago, and Dallas. $1,490 per seat. June–October 2026.

Continue to Day 2: Alert Triage & Investigation