
SOC Analyst & Blue Team Fundamentals

This isn't "learn attacks from the defender's side." It's about operating detection and response systems under process control — triage, escalation, documentation, and continuous tuning. Eight stages covering SIEM, EDR/XDR, MITRE ATT&CK, cloud logging, and the full NIST IR lifecycle.

Level: Intermediate · CySA+ Aligned · SC-200 Aligned · GCIH Prep · NIST CSF 2.0 · MITRE ATT&CK

8 Stages · 120–150 Hours · KQL & SPL Query Labs · Playbook Templates · Full Capstone Incident

What You'll Learn

SOC roles, shift operations, and escalation workflows
Windows and Linux log sources — what telemetry matters and why
KQL fundamentals for Microsoft Sentinel — write queries from scratch
SPL fundamentals for Splunk — search, stats, correlations
Alert ingestion, tuning, and false positive reduction
EDR endpoint timeline analysis with CrowdStrike and Defender XDR
Containment actions and isolating compromised endpoints
MITRE ATT&CK TTP mapping and detection hypothesis writing
Red-to-Blue translation — turn offensive techniques into detections
AWS CloudTrail, Azure Monitor, and GCP logging for cloud IR
NIST SP 800-61 Rev. 3 incident response phases end-to-end
Stakeholder communication, documentation, and auditability standards

Tools & Platforms Covered

Telemetry literacy across the real-world blue team stack — not toy environments.

Microsoft Sentinel: KQL querying, analytic rules, workbooks
Splunk: SPL searches, dashboards, correlation rules
CrowdStrike Falcon: EDR timeline, threat graph, containment
Defender XDR: unified incident view, auto-remediation
SOAR Platforms: playbook automation, enrichment pipelines
MITRE ATT&CK: TTP mapping, Navigator, threat modeling
MITRE D3FEND: defensive countermeasure mapping
AWS / Azure / GCP: CloudTrail, Monitor, Cloud Logging

Curriculum — 8 Stages

120–150 hours. Each stage builds operational discipline — triage, documentation, and continuous tuning at every step.

  • 01
    Blue Team Foundations
    SOC roles, tools landscape, log sources, and what "good" detection looks like

    Before you touch a SIEM, you need to understand what you're defending and why. This stage covers the SOC operating model — Tier 1/2/3 analyst roles, escalation paths, shift handoffs, and alert triage philosophy. You'll survey the blue team toolchain and dive into Windows and Linux log sources: Event IDs that matter, Sysmon configuration, syslog, auditd, and what "telemetry coverage" actually means. By the end, you'll have a lab environment ready and a clear mental model of how detection and response systems connect.

    Topics: SOC tiers & escalation; Windows Event IDs; Sysmon configuration; Linux auditd / syslog; Log telemetry coverage; Alert triage philosophy; Lab environment setup
  • 02
    SIEM Operations
    Log ingestion, KQL fundamentals (Sentinel), SPL fundamentals (Splunk), alert tuning

    The SIEM is your single pane of glass — and most analysts barely scratch its surface. This stage is a deep dive into both query languages used in real enterprise SOCs. KQL in Microsoft Sentinel: table structure, filtering, joins, summarize, project, time ranges, and building analytic rules. SPL in Splunk: search commands, stats, eval, lookup tables, and building correlation searches. Then the unglamorous but critical work of alert tuning — reducing false positive volume, threshold calibration, and building a feedback loop that makes your detection rules smarter over time.

    Topics: KQL syntax & operators; Sentinel analytic rules; SPL search commands; Splunk correlation rules; Log ingestion pipelines; Alert threshold tuning; False positive reduction
    Tools: Microsoft Sentinel, Splunk, KQL, SPL
  • 03
    EDR/XDR Investigations
    Endpoint timeline analysis, containment actions, correlating telemetry across sources

    Alerts tell you something happened. The EDR tells you exactly what happened, in what order, and what else to look for. This stage covers endpoint timeline analysis with CrowdStrike Falcon and Microsoft Defender XDR: reading process trees, parent-child relationships, network connections, file writes, and registry changes. You'll practice real containment decisions — when to isolate an endpoint, how to do it without breaking business operations, and how to collect forensic artifacts before and after. Then cross-correlating EDR telemetry with SIEM data to build a complete picture of an intrusion.

    Topics: Process tree analysis; Parent-child relationships; Network connection telemetry; Registry & file event analysis; Endpoint isolation decisions; Forensic artifact collection; SIEM + EDR correlation
    Tools: CrowdStrike Falcon, Defender XDR
  • 04
    MITRE ATT&CK in Practice
    TTP mapping, detection hypotheses, threat hunting basics, and D3FEND countermeasures

    MITRE ATT&CK isn't a checklist — it's a shared language for describing adversary behavior. This stage teaches you to use it operationally: mapping alerts and incidents to specific Tactics, Techniques, and Procedures (TTPs), building detection hypotheses for gaps in your coverage, and writing your first threat hunts. You'll use ATT&CK Navigator to visualize your detection surface and identify blind spots. We also cover MITRE D3FEND — the companion framework for mapping defensive countermeasures to specific attack techniques — giving you a structured way to recommend defensive improvements, not just detect threats.

    Topics: Tactics, Techniques, Procedures; ATT&CK Navigator; Detection hypothesis writing; Coverage gap analysis; Threat hunting fundamentals; MITRE D3FEND; Defensive countermeasure mapping
    Tools: MITRE ATT&CK, ATT&CK Navigator, MITRE D3FEND
  • 05
    Red-to-Blue Translation
    Turn offensive techniques into detection hypotheses, SIEM queries, playbooks, and response actions

    The bridge between offensive and defensive knowledge. For each major attack technique — credential dumping, lateral movement, persistence via scheduled tasks, living-off-the-land binaries, phishing payloads, C2 beaconing — you'll produce the complete defensive package: the log sources that capture it, the SIEM queries (KQL and SPL) that detect it, the indicators to hunt for, the investigation playbook, and the response actions to contain and remediate. Students who've completed the Ethical Hacking course will recognize the techniques from the other side. This stage operationalizes that knowledge into real defensive output.

    Topics: Credential dumping detection; Lateral movement signatures; Persistence mechanism hunting; LOLBins detection; C2 beaconing patterns; Phishing payload analysis; KQL detection queries; SPL detection queries; Investigation playbooks; Response action mapping
  • 06
    Cloud Security Monitoring
    AWS CloudTrail, Azure Monitor, GCP logging, identity anomalies, and cloud-native SIEM integration

    Modern environments live in the cloud, and cloud incidents look different from on-prem ones. This stage covers the security telemetry available in each major cloud provider: AWS CloudTrail for API activity, VPC Flow Logs, GuardDuty findings, and Security Hub. Azure Monitor Logs, Entra ID sign-in logs, Defender for Cloud, and activity logs. GCP Cloud Audit Logs, Security Command Center, and Cloud Logging. You'll practice detecting cloud-specific attack patterns: IAM privilege escalation, impossible travel on service accounts, credential exfiltration from metadata services, and storage bucket exposure. All three providers are covered with Sentinel and Splunk queries.

    Topics: AWS CloudTrail analysis; VPC Flow Logs; GuardDuty findings; Azure Entra ID sign-in logs; Azure Defender for Cloud; GCP Audit Logs; IAM privilege escalation detection; Identity anomaly detection; Impossible travel alerts; Metadata service abuse
    Tools: AWS CloudTrail, Azure Monitor, GCP Logging, GuardDuty
  • 07
    Incident Response Lifecycle
    NIST SP 800-61 Rev. 3 phases, documentation standards, stakeholder communication, and SOAR automation

    Detection without response is just logging. This stage walks the complete NIST SP 800-61 Rev. 3 incident response lifecycle — aligned to the NIST Cybersecurity Framework 2.0 — as a professional operating procedure, not a theoretical framework. Preparation: runbooks, communication trees, jump bags, and IR plan documentation. Detection & Analysis: severity classification, triage criteria, and initial scoping. Containment: short-term isolation decisions vs. long-term containment strategies. Eradication: root cause removal and persistence cleanup. Recovery: system restoration and monitoring enhancement. Post-Incident: lessons-learned documentation, metrics, and tuning feedback loops. We also cover SOAR playbook automation — when to automate, what enrichment looks like, and how human-in-the-loop decisions fit into automated pipelines.

    Topics: NIST 800-61 Rev. 3; CSF 2.0 alignment; IR plan documentation; Severity classification; Containment strategies; Eradication & recovery; Post-incident review; Stakeholder communication; SOAR playbook design; Audit trail requirements
    Tools: NIST SP 800-61, NIST CSF 2.0, SOAR
  • 08
    Capstone — Full Incident Scenario
    Detect, investigate, contain, document, and present a complete multi-phase intrusion end-to-end

    Everything converges here. You'll be handed a realistic, multi-phase intrusion scenario spanning initial phishing delivery, credential theft, lateral movement, cloud pivot, and data staging. Your job is to run the full response: detect the initial indicator in the SIEM, pivot across SIEM and EDR data, build a timeline, map every observed action to MITRE ATT&CK TTPs, execute containment, perform root cause analysis, write the post-incident report, and present findings to a simulated executive audience. Deliverables include: SIEM queries, investigation timeline, MITRE ATT&CK Navigator layer, containment decision log, full incident report, and a lessons-learned memo with detection improvement recommendations.

    Topics: Multi-phase scenario response; SIEM pivoting; Cross-source timeline construction; ATT&CK TTP mapping; Containment decision documentation; Incident report writing; Executive communication; Detection improvement recommendations

Certification Alignment

This course is built around the knowledge domains covered by the certifications that matter for blue team careers.

CompTIA CySA+ (Primary)

The core blue team cert. All course domains map directly to CySA+ exam objectives. Recommended as your first certification goal after completing this course.

CompTIA Security+ (Pre/Co-Req)

Covered in our Security+ SY0-701 course. Recommended as a baseline before starting this course if you're new to cybersecurity.

Microsoft SC-200

Sentinel-heavy. Stages 2, 5, and 6 directly build the KQL and Sentinel operational knowledge the SC-200 tests. Strong prep for Microsoft-centric SOC environments.

Microsoft AZ-500

Azure security engineering. Stage 6 (Cloud Security Monitoring) and the IR lifecycle stages build direct AZ-500 domain coverage, especially identity and threat detection.

GIAC GCIH

GIAC Certified Incident Handler. The entire IR lifecycle stage and capstone are built around GCIH-level incident handling competency. Strong prep for this advanced cert.

GIAC GCIA & GCED

Intrusion analysis (GCIA) and enterprise defense (GCED). Stages 3–5 provide substantial preparation for these analyst-track GIAC certifications.

Who This Course Is For

Offensive security students going blue

Finished the Ethical Hacking or Kali Linux course? Stage 5 directly translates your offensive knowledge into detection and response capabilities.

Entry-level SOC analysts

Already working Tier 1? This course builds the query skills, investigation depth, and documentation discipline to move to Tier 2 and beyond.

Security+ holders ready to specialize

Security+ gives you breadth. This course gives you the depth and operational tool experience to land a blue team role and perform on day one.

Cloud engineers adding security skills

Stage 6 is built for you. Learn how your cloud infrastructure generates security telemetry and how to detect threats in environments you already know.

Start detecting. Start responding.

Join TechNodeX as a Founding Member and get full access to the SOC Blue Team course, every other course on the platform, and everything we ship next — all for $9/month, locked forever.
