SOC Analyst | Threat Hunting | Detection Engineering | Incident Response
I investigate real attacks, build detection rules, and analyze alerts across SIEM and endpoint telemetry.
My home lab simulates realistic attack scenarios with detections mapped to MITRE ATT&CK frameworks.
Built 16+ cybersecurity labs covering Active Directory, SIEM, endpoint monitoring, IDS/IPS, threat hunting, phishing investigations, detection engineering, and incident response.
Lab Workflow:
Attacker VM → Target VM → Sysmon / Suricata → SIEM → Alert Validation & Investigation
Every investigation follows the same workflow. Here's what I actually do:
- Detection – Alert fires (SIEM rule, IDS signature, or log anomaly)
- Triage – Is this real or noise? Check the logs
- Log Analysis – Build a timeline. What happened? When? From where?
- Threat Intelligence – Validate IPs, hashes, domains against external sources
- Decision – Close it (benign positive), escalate it (real incident), or tune the rule
This methodology runs through every lab. Pick a repo and you'll see exactly this pattern.
🏢 Enterprise Active Directory SOC Lab
What: Built an enterprise Active Directory environment with Wazuh, Sysmon, and PowerShell automation to simulate enterprise attack scenarios and practice SOC monitoring and investigation.
Lab Highlights:
- 4 virtual machines integrated into the lab
- 10+ Active Directory users and groups configured
- 2 monitored Windows endpoints with Wazuh + Sysmon
- Multiple Active Directory attack techniques simulated
- MITRE ATT&CK mapped detections investigated
What I Did:
- Built an enterprise Active Directory domain from scratch
- Joined Windows endpoints to the domain
- Integrated Wazuh SIEM with Sysmon for endpoint visibility
- Simulated Active Directory attacks from Kali Linux
- Investigated detections mapped to MITRE ATT&CK techniques
- Automated administrative tasks using PowerShell
Tools: Windows Server 2022 | Active Directory | Wazuh | Sysmon | PowerShell | Kali Linux
MITRE ATT&CK: T1087 (Account Discovery), T1018 (Remote System Discovery), T1059.001 (PowerShell)
🍯 Azure Honeypot – Windows RDP Exposed to the Internet
What: Intentionally exposed Windows Server 2022 VM to collect real attack traffic. No simulation, actual threat actors found the open RDP port within minutes.
By the Numbers:
- 3,404 failed RDP logins in 14 hours (real brute force)
- 43 High-severity incidents generated by custom analytics rules
- 27 unique external IPs identified and validated via threat intel
- Geolocation mapping of attackers across Argentina, China, India, Japan, Philippines
What I Did:
- Built custom detection rules in Microsoft Sentinel before the VM went live (detection-first thinking)
- Investigated real incidents: correlated alerts, pulled Windows logs, validated attacker IPs with VirusTotal
- Created KQL queries to hunt failed logins and identify successful compromises
- Built workbooks to visualize attack geography and volume trends
Tools: Microsoft Sentinel | KQL | Azure NSG Rules | GeoIP Watchlist | VirusTotal | AbusePDB
MITRE ATT&CK: T1110 (Brute Force), T1078 (Valid Accounts)
Repo: Azure-Honeypot-SOC-Lab
📊 Splunk Incident Investigation
What: Monitored SSH authentication logs over 21 days. Real automated scanning tools (not simulated) hit the system from IPs across Argentina, China, Philippines, India, Japan, South Korea.
By the Numbers:
- 17,126 total failed login attempts analyzed
- 2 malicious IPs validated via threat intelligence
- 230 successful logins investigated for post-compromise indicators
- Custom detection dashboard built to visualize attack patterns in real-time
What I Did:
- Wrote SPL queries to detect password spraying patterns (multiple accounts, single IP)
- Correlated failed attempts with successful logins to identify breaches
- Validated suspicious IPs against AbuseIPDB and VirusTotal
- Built a dashboard showing top attacking sources, failed login trends, and targeted accounts
- Investigated post-compromise activity – found none, system was defended
Tools: Splunk Enterprise | SPL | Windows Security Event Logs | VirusTotal | AbuseIPDB
MITRE ATT&CK: T1110 (Brute Force), T1110.003 (Password Spraying), T1078 (Valid Accounts)
🎯 RDP Brute Force Incident – Detection to Closure
What: A real brute force alert fires in Sentinel. I investigate it end-to-end: validate the threat, check logs, verify with threat intel, contain it, and close it. This is an L1 analyst workflow.
The Investigation:
- Alert: High-severity RDP brute force detected from 103.108.141.126
- Validation: ~50 failed login attempts from single IP, targeting multiple admin accounts
- Scope Check: No successful logins, no lateral movement, no file access
- Threat Intel: VirusTotal flags IP as malicious (10/94 vendors), known for SSH/RDP scanning
- Actions Taken: Blocked IP at firewall, restricted RDP to trusted subnets, enforced account lockout policy
- Outcome: Incident closed as True Positive (Attack Contained)
What This Demonstrates:
- Multi-layer validation (SIEM alert + IDS logs + threat intel + firewall rules agree)
- Practical L1 mindset (validate before escalating)
- Incident containment and remediation
- Understanding that logs tell different stories at different layers
Tools: Microsoft Sentinel | KQL | Suricata IDS | VirusTotal | Azure NSG Rules | Windows Defender Firewall
MITRE ATT&CK: T1110.003 (Password Spraying), T1021.001 (RDP)
🔓 Elastic SIEM Lab – Real SSH Attacks Detected at Scale
What: Deployed Elasticsearch + Kibana on Azure. Collected SSH logs from an exposed Ubuntu VM. Real threat actors hit it within minutes.
Findings:
- External SSH brute force attempts from real internet traffic
- Detected using authentication failure pattern analysis
- Timeline reconstruction via Kibana dashboards
- MITRE ATT&CK mapping and threat correlation
Tools: Elastic Stack | Kibana | Filebeat | EQL queries
MITRE ATT&CK: T1110 (Brute Force), T1078 (Valid Accounts)
🔴 Sysmon Attack Investigation – Meterpreter Payload to Credential Theft
What: Staged a complete attack chain on Windows 10. Delivered a Meterpreter reverse shell, established persistence, dumped credentials with Mimikatz. Goal: investigate every trace using only Sysmon event logs.
Attack Chain:
- Payload delivered via phishing (FreeGamePasses.exe from Discord CDN)
- Reverse shell opened → attacker gained interactive access
- Enumeration commands (whoami, systeminfo)
- Persistence → scheduled task (backdoortask) + hidden user account
- LOLBin abuse → certutil.exe downloading Mimikatz from GitHub
- Credential dumping → sekurlsa::logonpasswords
What I Found (Sysmon Only):
- Event ID 15 (File stream created) – Payload origin and Discord download URL
- Event ID 3 (Network connection) – Reverse shell callback to attacker IP
- Event ID 1 (Process creation) – Parent-child relationships showing cmd.exe → backdoor creation
- Event ID 22 (DNS query) – certutil reaching github.com (LOLBin exposed)
- Event ID 1 (Masquerading) – Mimikatz renamed, but internal metadata still readable
The Insight: You cannot hide what you are. Renaming a file changes the filename, not the PE header. Sysmon catches what Windows Event Viewer misses.
Tools: Sysmon | Windows Event Viewer | Metasploit | Mimikatz | VirusTotal
MITRE ATT&CK: T1204, T1571, T1189, T1136, T1053, T1218, T1202, T1036, T1003
🛡️ Suricata IDS + Sentinel Integration – Network Detection at Scale
What: Deployed Suricata on Ubuntu to detect network attacks. Ran port scans, SSH brute force, and web application attacks from Kali Linux. All alerts flow to Microsoft Sentinel via syslog.
Attacks Simulated & Detected:
- Port scanning (Nmap) → 29 Suricata alerts
- SSH brute force (Hydra) → Custom detection rule fired
- Web application attacks (LFI, SQL injection) → ModSecurity WAF + Suricata rules triggered
- HTTP reconnaissance → Emerging Threats ruleset caught it
What I Learned:
- IDS mode (watches, alerts) vs. IPS mode (blocks)
- How SIEM and IDS complement each other
- Writing custom Suricata rules from packet analysis
- Mapping raw alerts to MITRE ATT&CK techniques
Tools: Suricata 7.x | Microsoft Sentinel | Azure Monitor Agent | Emerging Threats Ruleset | Kali Linux | KQL
MITRE ATT&CK: T1595 (Active Scanning), T1110 (Brute Force), T1190 (Exploit Public-Facing Application)
🔍 KQL Detection Queries – Real Threat Hunting
What: Wrote detection queries in Microsoft Sentinel's KQL language. Covers authentication threats, endpoint visibility, and network connections.
Queries Included:
- Brute force detection (Event ID 4625 correlation)
- Suspicious process execution (parent-child relationships)
- Lateral movement patterns (RDP to unexpected servers)
- DNS C2 beaconing (high query volume to rare domains)
- Failed login aggregation by account and IP
Why This Matters: Detection rules are how L1 analysts scale their attention. Good rules catch attacks automatically; bad rules create alert fatigue.
Tools: Microsoft Sentinel | KQL | Log Analytics Workspace
TryHackMe
Completed the SOC Level 1 path – hands‑on modules covering Wireshark, Splunk, Elastic, EDR tools, and incident response.
Currently exploring advanced rooms focused on detection engineering, log analysis, and threat hunting.
Let's Defend
Engaged in blue‑team simulations and theory learning to strengthen SOC workflow understanding and incident triage skills.
Forage Virtual Internships
Completed seven SOC analyst simulation internships (Commonwealth Bank and others) — focused on alert analysis, triage, and reporting.
Hands‑on SOC labs mapped to MITRE ATT&CK and real‑world detection workflows.
View all 17 repositories (Click to Expand)
Real Attack Data:
- Azure-Honeypot-SOC-Lab – 3,400+ real RDP logins, custom detection rules
- SOC-Incident-Investigation-Splunk – 17,126 failed logins, threat validation
- SOC-Workflow-RDP-Brute-Force-Suricata-Sentinel – Alert to closure workflow
- Elastic-SIEM-Lab-Azure-Cloud-Deployment – Real SSH attacks, Kibana dashboards
Enterprise & Detection Labs:
- Enterprise-Active-Directory-SOC-Lab – Enterprise Active Directory, Wazuh SIEM, Sysmon, PowerShell automation
- Sysmon-attack-investigation-lab – Full attack chain from payload to credential dumping
- SOC-Home-Lab-BlueTeam – 3-VM home lab with Wazuh, Splunk, pfSense
- Wazuh-SIEM-SOC-Hands-On-Lab – Windows + Linux agent deployment, VirusTotal integration
- ModSecurity-WAF-DVWA-Lab – Web attack detection, WAF rule testing
Detection & Analysis:
- Microsoft-Sentinel-KQL-Sysmon-Lab – KQL queries, Sysmon integration, authentication analysis
- Suricata-and-Sentinel-integration – IDS → SIEM pipeline, custom rules
- Incident-Investigation-Report – Template for end-to-end incident documentation
- Log-Analysis-Detection-Notes – Windows Event IDs, Linux logs, IOC extraction
- Splunk-SIEM-Practice-Notes – SPL queries, dashboards, alert logic
Specialized Topics:
- Phishing-Analysis – Email header analysis, domain spoofing detection
- pfSense-firewall-lab – Network segmentation, firewall rules, traffic control
- AIRIA-AI-Log-Triage-Lab – AI-assisted SOC triage experimentation
I Don’t Just Run Labs – I Investigate Like an Analyst
- Each repository answers the question: “What happened?”
- Findings are validated using logs, threat intelligence, and multiple sources.
- Every decision is documented – escalation, closure, and lessons learned.
I Map to Real‑World Frameworks
- MITRE ATT&CK techniques integrated into every investigation.
- Incident response workflow: Detect → Triage → Investigate → Remediate.
- Alert validation focused on distinguishing signal from noise.
I Learn From Mistakes
- Labs are real – VMs freeze, configs break, rules need tuning.
- Each repo includes what went wrong and how it was fixed.
- Continuous improvement is how true SOC analysts grow.
Actively exploring opportunities as a SOC Analyst L1 / Security Analyst
Focused on entry‑level roles where I can apply hands‑on detection, investigation, and threat‑hunting skills.