A Security Operations Center (SOC) is a centralized unit that monitors, detects, analyzes, and responds to cybersecurity threats in real time. It combines people, processes, and technology to safeguard an organization’s digital assets. SOC teams use advanced tools like SIEM, threat intelligence, and AI-driven analytics to identify and mitigate risks. Operating 24/7, a SOC enhances cybersecurity resilience by proactively preventing attacks and ensuring compliance with security policies and regulations.
Scenario:
You’re a SOC analyst at NetSecure Inc. The SIEM (Security Information and Event Management) system has raised an alert for unusual network activity on one of the company’s servers.
Your task is to investigate the incident, identify the threat, and respond accordingly.
You’re analyzing the following server log:
Mar 21 08:12:45 server sshd[2345]: Failed password for root from 10.0.0.5 port 22 ssh2
Mar 21 08:14:01 server sshd[2346]: Failed password for root from 10.0.0.6 port 22 ssh2
Mar 21 08:15:15 server sshd[2347]: Accepted password for root from 10.0.0.7 port 22 ssh2
Mar 21 08:16:40 server sudo: root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
Mar 21 08:17:50 server sshd[2348]: Failed password for root from 10.0.0.8 port 22 ssh2
Mar 21 08:18:55 server sshd[2349]: Accepted password for root from 10.0.0.9 port 22 ssh2
Scenario:
You’re a SOC analyst at CyberDefense Ltd. A network intrusion detection system (NIDS) has raised an alert about a possible port scanning activity from an internal IP address.
Your task is to investigate the alert, identify the source, and determine if it’s a potential threat.
You’re provided with the following network log:
Mar 22 14:05:23 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:6f:7g:8h:9i:0j:1k SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54321 PROTO=TCP SPT=12345 DPT=22 FLAGS=S
Mar 22 14:05:25 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:6f:7g:8h:9i:0j:1k SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54322 PROTO=TCP SPT=12345 DPT=80 FLAGS=S
Mar 22 14:05:27 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:6f:7g:8h:9i:0j:1k SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54323 PROTO=TCP SPT=12345 DPT=443 FLAGS=S
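One way to turn the alert above into repeatable detection logic is to parse the kernel (netfilter-style) log lines and count how many distinct destination ports one source sends SYNs to within a short window. The following is an added example, not part of the original training material: the sample lines are constructed to mirror the scenario's log (with a placeholder MAC), the year for the syslog timestamps is assumed, and the thresholds (3 ports in 60 seconds) are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the kernel log lines in the scenario.
# The MAC value is a placeholder; the parser does not use it.
SAMPLE_LOG = """\
Mar 22 14:05:23 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:00:11:22:33:44:55:08:00 SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54321 PROTO=TCP SPT=12345 DPT=22 FLAGS=S
Mar 22 14:05:25 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:00:11:22:33:44:55:08:00 SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54322 PROTO=TCP SPT=12345 DPT=80 FLAGS=S
Mar 22 14:05:27 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:00:11:22:33:44:55:08:00 SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54323 PROTO=TCP SPT=12345 DPT=443 FLAGS=S
Mar 22 14:09:40 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:00:11:22:33:44:55:08:00 SRC=192.168.1.60 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54400 PROTO=TCP SPT=40000 DPT=80 FLAGS=S
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) kernel: (.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_kernel_line(line, year=2025):
    """Turn one kernel log line into a dict of its KEY=VALUE fields plus a timestamp.
    Syslog timestamps carry no year, so one is supplied (assumed value)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group(2), **dict(KV_RE.findall(m.group(3)))}


def detect_port_scans(lines, min_ports=3, window_seconds=60):
    """Flag (SRC, DST) pairs where one source sent SYNs to at least min_ports distinct
    destination ports within window_seconds. Returns {(src, dst): [sorted ports]}."""
    syns = defaultdict(list)
    for line in lines:
        rec = parse_kernel_line(line)
        # The scenario's log writes the SYN flag as FLAGS=S; real netfilter output
        # prints a bare SYN token, so both spellings are accepted here.
        if not rec or rec.get("PROTO") != "TCP" or rec.get("FLAGS") not in ("S", "SYN"):
            continue
        syns[(rec["SRC"], rec["DST"])].append((rec["ts"], int(rec["DPT"])))

    findings = {}
    for pair, events in syns.items():
        events.sort()
        # Slide a window starting at each SYN and collect the distinct ports it covers.
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if (t - start).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                findings[pair] = sorted(ports)
                break
    return findings


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG.splitlines()).items():
        print(f"possible port scan: {src} -> {dst} ports {ports}")
```

On the sample, 192.168.1.50 is reported for ports 22, 80 and 443 within four seconds, while the single SYN from 192.168.1.60 stays below the threshold. In a real deployment the threshold and window would be tuned against the baseline of the network, and the source would be checked against an inventory of hosts that legitimately scan (vulnerability scanners, monitoring probes).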
Scenario:
You’re a SOC analyst at SecureNet Solutions. The Security Operations Center (SOC) has detected an unusual file download activity from an internal system. This could be an attempt to exfiltrate sensitive data or a sign of a compromised system.
Log Data:
Mar 23 10:20:15 server wget[1234]: downloading file from http://192.168.1.150/malware.zip
Mar 23 10:21:30 server sshd[5678]: Accepted password for user1 from 192.168.1.151 port 22 ssh2
Mar 23 10:22:05 server scp[6789]: file transfer from 192.168.1.151 to 192.168.1.100
Mar 23 10:23:50 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:6f:7g:8h:9i:0j:1k SRC=192.168.1.152 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54324 PROTO=TCP SPT=12346 DPT=80 FLAGS=S
Scenario:
You’re a SOC analyst at DataSecure Corp. A network monitoring tool has flagged an unusual outbound connection from an internal server to an external IP address. This could indicate a potential data breach or unauthorized communication with a malicious server.
Scenario:
You’re a SOC analyst at InfoSecure Technologies. A security alert has been triggered due to suspicious file access on a sensitive server. The file was accessed at an unusual time, and the user accessing it is not part of the regular team.
Your job is to analyze the logs, identify the suspicious activity, and determine if this is an insider threat or an external compromise.
Log Data:
Mar 25 03:12:45 server auditd[123]: USER_AUTH pid=4567 uid=1001 auid=1001 ses=3 msg='op=access dir=/sensitive/data file=confidential.docx exe="/usr/bin/vi" hostname=server1 addr=192.168.1.150 terminal=pts/0 res=success'
Mar 25 03:13:01 server sshd[789]: Accepted password for user1 from 192.168.1.150 port 22 ssh2
Mar 25 03:14:30 server auditd[124]: USER_ACCESSED pid=4568 uid=1001 auid=1001 ses=3 msg='op=read file=/sensitive/data/confidential.docx exe="/usr/bin/vi" hostname=server1 addr=192.168.1.150 terminal=pts/0 res=success'
Scenario:
You’re a SOC analyst at GlobalSecure Corp. The DNS monitoring system has flagged an unusual outbound DNS query from an internal system. This could be an attempt to communicate with a malicious domain or exfiltrate data using DNS tunneling.
Your task is to investigate the DNS logs, identify the suspicious activity, and determine if it’s part of a security incident.
Log Data:
Mar 26 15:30:12 server dnsmasq[1234]: query[A] suspicious-domain.com from 192.168.1.200
Mar 26 15:30:15 server dnsmasq[1234]: reply suspicious-domain.com is 203.0.113.55
Mar 26 15:31:00 server sshd[5678]: Accepted password for user2 from 192.168.1.201 port 22 ssh2
Mar 26 15:32:10 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:6f:7g:8h:9i:0j:1k SRC=192.168.1.200 DST=203.0.113.55 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54327 PROTO=TCP SPT=12347 DPT=53 FLAGS=S
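The DNS scenario is about correlation: the dnsmasq query and reply tell you which client resolved which name to which address, and the kernel line shows that client connecting to that address shortly afterwards, on TCP port 53 of all things. The following added example (not part of the original material) joins those two log sources. The sample lines are constructed after the scenario's log, the year is assumed, and the set of sanctioned internal resolvers is an illustrative assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the scenario's dnsmasq and kernel lines (placeholder MAC).
SAMPLE_LOG = """\
Mar 26 15:30:12 server dnsmasq[1234]: query[A] suspicious-domain.com from 192.168.1.200
Mar 26 15:30:15 server dnsmasq[1234]: reply suspicious-domain.com is 203.0.113.55
Mar 26 15:31:00 server sshd[5678]: Accepted password for user2 from 192.168.1.201 port 22 ssh2
Mar 26 15:32:10 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:00:11:22:33:44:55:08:00 SRC=192.168.1.200 DST=203.0.113.55 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54327 PROTO=TCP SPT=12347 DPT=53 FLAGS=S
"""

TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
QUERY_RE = re.compile(TS + r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)$")
REPLY_RE = re.compile(TS + r"dnsmasq\[\d+\]: reply (\S+) is (\S+)$")
KERNEL_RE = re.compile(TS + r"kernel: (.*)$")

# Assumed: the only resolvers internal clients should talk to on port 53.
SANCTIONED_RESOLVERS = {"192.168.1.1"}


def stamp(text, year=2025):
    """Syslog timestamps have no year; one is assumed."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def correlate(lines, window_seconds=300):
    """Return human-readable findings that tie resolved names to later connections."""
    queries = defaultdict(list)   # client -> [(ts, name)]
    answers = defaultdict(set)    # resolved ip -> {names}
    findings = []
    for line in lines:
        if m := QUERY_RE.match(line):
            queries[m.group(4)].append((stamp(m.group(1)), m.group(3)))
        elif m := REPLY_RE.match(line):
            answers[m.group(3)].add(m.group(2))
        elif m := KERNEL_RE.match(line):
            fields = dict(re.findall(r"(\w+)=(\S*)", m.group(2)))
            t = stamp(m.group(1))
            src, dst, dport = fields.get("SRC"), fields.get("DST"), fields.get("DPT")
            # Did the same client resolve a name to this destination within the window?
            for name in answers.get(dst, ()):
                recent = any(n == name and 0 <= (t - qt).total_seconds() <= window_seconds
                             for qt, n in queries.get(src, []))
                if recent:
                    findings.append(f"{src} connected to {dst}:{dport} after resolving {name}")
            # DNS traffic that bypasses the sanctioned resolvers is a tunneling indicator.
            if dport == "53" and dst not in SANCTIONED_RESOLVERS:
                findings.append(f"{src} sent DNS traffic to unsanctioned resolver {dst}")
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG.splitlines()):
        print(f)
```

The two findings on the sample are exactly the facts an analyst would write into the ticket: 192.168.1.200 resolved suspicious-domain.com and then opened a TCP connection to the returned address on port 53, bypassing the internal resolver. The next steps would be to check the name against threat intelligence and to look at the volume and shape of the traffic to that address.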
Scenario:
You’re a SOC analyst at ThreatDefend Inc. A security alert has been triggered due to an unusual process execution on a critical server. The process appears to be running with elevated privileges and was executed from an unexpected location.
Your task is to analyze the logs, identify the suspicious activity, and determine if this is part of a security breach.
Log Data:
Mar 27 11:45:22 server auditd[123]: EXECVE /usr/bin/python3 pid=4567 uid=0 auid=0 ses=2 msg='op=execve exe="/usr/bin/python3" hostname=server1 addr=192.168.1.150 terminal=pts/0 res=success'
Mar 27 11:46:10 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:6f:7g:8h:9i:0j:1k SRC=192.168.1.150 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54328 PROTO=TCP SPT=12348 DPT=22 FLAGS=S
Mar 27 11:47:05 server auditd[124]: USER_EXECUTED pid=4568 uid=0 auid=0 ses=2 msg='op=execve file=/usr/bin/python3 exe="/usr/bin/python3" hostname=server1 addr=192.168.1.150 terminal=pts/0 res=success'
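Both auditd scenarios (the off-hours access to /sensitive/data above, and the root-level execution of /usr/bin/python3 here) come down to the same two steps: pull the fields out of the audit record, including the ones nested inside msg='...', then apply a rule to them. The following added example is not part of the original material; its sample records are constructed after the two scenarios, the year is assumed, and the allowlists (expected uids for the sensitive directory, binaries expected to run as root) are illustrative assumptions that a real deployment would take from its own baseline.

```python
import re
from datetime import datetime, time

# Constructed sample records modelled on the two auditd scenarios, plus one
# benign in-hours access by an expected user that should not fire.
SAMPLE_LOG = """\
Mar 25 03:12:45 server auditd[123]: USER_AUTH pid=4567 uid=1001 auid=1001 ses=3 msg='op=access dir=/sensitive/data file=confidential.docx exe="/usr/bin/vi" hostname=server1 addr=192.168.1.150 terminal=pts/0 res=success'
Mar 25 03:14:30 server auditd[124]: USER_ACCESSED pid=4568 uid=1001 auid=1001 ses=3 msg='op=read file=/sensitive/data/confidential.docx exe="/usr/bin/vi" hostname=server1 addr=192.168.1.150 terminal=pts/0 res=success'
Mar 27 11:45:22 server auditd[123]: EXECVE /usr/bin/python3 pid=4567 uid=0 auid=0 ses=2 msg='op=execve exe="/usr/bin/python3" hostname=server1 addr=192.168.1.150 terminal=pts/0 res=success'
Mar 27 11:47:05 server auditd[124]: USER_EXECUTED pid=4568 uid=0 auid=0 ses=2 msg='op=execve file=/usr/bin/python3 exe="/usr/bin/python3" hostname=server1 addr=192.168.1.150 terminal=pts/0 res=success'
Mar 27 10:05:00 server auditd[125]: USER_ACCESSED pid=4570 uid=1000 auid=1000 ses=4 msg='op=read file=/sensitive/data/report.docx exe="/usr/bin/vi" hostname=server1 addr=192.168.1.20 terminal=pts/1 res=success'
"""

HDR_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) auditd\[\d+\]: (\w+) (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SENSITIVE_PREFIX = "/sensitive/"
BUSINESS_HOURS = (time(8, 0), time(18, 0))       # assumed working window
EXPECTED_UIDS = {"1000", "1002"}                   # assumed: the regular team for /sensitive
EXPECTED_ROOT_EXES = {"/usr/sbin/sshd", "/usr/bin/sudo"}  # assumed root-execution baseline


def parse_audit_line(line, year=2025):
    """Flatten an audit record: header fields and the key=value pairs inside msg='...'."""
    m = HDR_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    rest = m.group(4)
    msg = re.search(r"msg='(.*)'", rest)
    outer = rest[:msg.start()] if msg else rest
    body = msg.group(1) if msg else ""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(outer + " " + body)}
    return {"ts": ts, "host": m.group(2), "type": m.group(3), **fields}


def accessed_path(rec):
    """Some records split the path into dir= and file=; others give file= in full."""
    name = rec.get("file")
    if not name:
        return None
    if name.startswith("/"):
        return name
    return f"{rec['dir']}/{name}" if rec.get("dir") else name


def off_hours(ts):
    return not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1])


def evaluate(rec):
    """Apply the two scenario rules to one parsed record; return a list of reasons."""
    findings = []
    path = accessed_path(rec)
    if path and path.startswith(SENSITIVE_PREFIX):
        reasons = []
        if off_hours(rec["ts"]):
            reasons.append("off-hours")
        if rec.get("uid") not in EXPECTED_UIDS:
            reasons.append(f"uid {rec.get('uid')} not in expected set")
        if reasons:
            findings.append(f"sensitive file {path} accessed ({', '.join(reasons)})")
    if rec.get("op") == "execve" and rec.get("uid") == "0" and rec.get("exe") not in EXPECTED_ROOT_EXES:
        findings.append(f"unexpected root execution of {rec.get('exe')} from {rec.get('addr')}")
    return findings


def review(lines):
    """Return (timestamp, record type, finding) triples for every record that fires a rule."""
    out = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec:
            out.extend((rec["ts"].isoformat(), rec["type"], f) for f in evaluate(rec))
    return out


if __name__ == "__main__":
    for ts, kind, finding in review(SAMPLE_LOG.splitlines()):
        print(ts, kind, finding)
```

The four findings on the sample are the two 03:12/03:14 accesses by uid 1001 (off-hours and not an expected user) and the two root executions of /usr/bin/python3; the benign 10:05 access by uid 1000 produces nothing. Whether the first pair is an insider or a compromised account, and whether the second pair is an administrator's script or post-exploitation tooling, is then a question for the session context (the sshd login from 192.168.1.150, what the python3 process did next) rather than for the single record.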
Scenario:
You’re a SOC analyst at CyberFort Security. An alert has been triggered due to a login attempt that occurred at an unusual hour. The login was successful, but the source IP address is from an unexpected location.
Your job is to investigate the login logs and determine whether this was legitimate access or part of a potential credential compromise.
Log Data:
Mar 28 02:15:45 server sshd[1234]: Accepted password for admin from 203.0.113.75 port 22 ssh2
Mar 28 02:16:10 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:6f:7g:8h:9i:0j:1k SRC=203.0.113.75 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54329 PROTO=TCP SPT=22 DPT=22 FLAGS=S
Mar 28 02:17:30 server auditd[5678]: USER_LOGIN pid=1235 uid=0 auid=0 ses=3 msg='op=login user=admin exe="/usr/sbin/sshd" hostname=server1 addr=203.0.113.75 terminal=pts/0 res=success'
Scenario:
You’re a SOC analyst at NetShield Technologies. A security alert has been triggered due to multiple failed login attempts from the same IP address. This could indicate a brute-force attack trying to guess user credentials.
Your task is to analyze the login logs, identify the suspicious activity, and determine if it’s part of a security incident.
Log Data:
Mar 29 18:03:12 server sshd[1234]: Failed password for invalid user admin from 198.51.100.45 port 22 ssh2
Mar 29 18:03:15 server sshd[1234]: Failed password for invalid user admin from 198.51.100.45 port 22 ssh2
Mar 29 18:03:17 server sshd[1234]: Failed password for invalid user admin from 198.51.100.45 port 22 ssh2
Mar 29 18:03:20 server sshd[1234]: Failed password for invalid user admin from 198.51.100.45 port 22 ssh2
Mar 29 18:03:23 server sshd[1234]: Failed password for invalid user admin from 198.51.100.45 port 22 ssh2
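Three of the scenarios on this page are about the same sshd log format: the NetSecure case (failures for root from several addresses followed by accepted root logins), the CyberFort case (a successful admin login at 02:15 from an external address) and the NetShield case (repeated failures for an invalid user from one address). The following added example, not part of the original material, parses that format once and applies the checks an analyst would make in each case. The sample lines are constructed after the three scenarios (the sudo line is included to show that unrelated lines are skipped), the year is assumed, and the privileged-account list, internal address ranges, business hours and failure threshold are illustrative assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed sample drawn from the three sshd scenarios on this page.
SAMPLE_LOG = """\
Mar 21 08:12:45 server sshd[2345]: Failed password for root from 10.0.0.5 port 22 ssh2
Mar 21 08:14:01 server sshd[2346]: Failed password for root from 10.0.0.6 port 22 ssh2
Mar 21 08:15:15 server sshd[2347]: Accepted password for root from 10.0.0.7 port 22 ssh2
Mar 21 08:16:40 server sudo: root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
Mar 21 08:17:50 server sshd[2348]: Failed password for root from 10.0.0.8 port 22 ssh2
Mar 21 08:18:55 server sshd[2349]: Accepted password for root from 10.0.0.9 port 22 ssh2
Mar 28 02:15:45 server sshd[1234]: Accepted password for admin from 203.0.113.75 port 22 ssh2
Mar 29 18:03:12 server sshd[1234]: Failed password for invalid user admin from 198.51.100.45 port 22 ssh2
Mar 29 18:03:15 server sshd[1234]: Failed password for invalid user admin from 198.51.100.45 port 22 ssh2
Mar 29 18:03:17 server sshd[1234]: Failed password for invalid user admin from 198.51.100.45 port 22 ssh2
Mar 29 18:03:20 server sshd[1234]: Failed password for invalid user admin from 198.51.100.45 port 22 ssh2
Mar 29 18:03:23 server sshd[1234]: Failed password for invalid user admin from 198.51.100.45 port 22 ssh2
"""

SSH_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Accepted|Failed) (\w+) for "
    r"(invalid user )?(\S+) from (\S+) port (\d+)"
)

PRIVILEGED_USERS = {"root", "admin"}                         # assumed
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),          # assumed corporate ranges
                 ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = (time(8, 0), time(18, 0))                    # assumed


def parse_ssh_line(line, year=2025):
    """Extract result, method, user, source and port from one sshd auth line."""
    m = SSH_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"),
        "result": m.group(2), "method": m.group(3),
        "invalid_user": m.group(4) is not None,
        "user": m.group(5), "src": m.group(6), "port": int(m.group(7)),
    }


def is_internal(ip):
    # Membership in configured ranges is used rather than ip_address().is_global,
    # because the documentation ranges (203.0.113.0/24 etc.) are not "global" in Python.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze_ssh(lines, fail_threshold=5):
    """Return suspicious successful logins (with reasons) and per-source brute-force candidates."""
    failures_by_src = Counter()
    invalid_by_src = Counter()
    failed_sources_by_user = defaultdict(set)
    suspicious_logins = []
    for r in filter(None, map(parse_ssh_line, lines)):
        if r["result"] == "Failed":
            failures_by_src[r["src"]] += 1
            if r["invalid_user"]:
                invalid_by_src[r["src"]] += 1
            failed_sources_by_user[r["user"]].add(r["src"])
            continue
        reasons = []
        if r["user"] in PRIVILEGED_USERS:
            reasons.append("direct login to privileged account")
        if not is_internal(r["src"]):
            reasons.append("external source")
        if not (BUSINESS_HOURS[0] <= r["ts"].time() < BUSINESS_HOURS[1]):
            reasons.append("off-hours")
        prior = failed_sources_by_user.get(r["user"], set())
        if prior:
            reasons.append(f"preceded by failures for this account from {len(prior)} source(s)")
        if reasons:
            suspicious_logins.append({"ts": r["ts"].isoformat(), "user": r["user"],
                                      "src": r["src"], "reasons": reasons})
    brute_force = [(src, n, invalid_by_src[src])
                   for src, n in failures_by_src.items() if n >= fail_threshold]
    return {"suspicious_logins": suspicious_logins, "brute_force": brute_force}


if __name__ == "__main__":
    result = analyze_ssh(SAMPLE_LOG.splitlines())
    for login in result["suspicious_logins"]:
        print(login["ts"], login["user"], login["src"], "; ".join(login["reasons"]))
    for src, total, invalid in result["brute_force"]:
        print(f"brute force candidate: {src} ({total} failures, {invalid} for invalid users)")
```

Running it over the sample reports the two accepted root logins as preceded by failures for root from two and then three distinct sources (a spray across addresses rather than a single noisy host), the admin login as a privileged, external, off-hours access, and 198.51.100.45 as a brute-force candidate with five failures, all for a non-existent user. The analyst's follow-up differs per case: password resets and session review for the accepted logins, blocking and rate limiting for the failing source.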
Scenario:
You’re a SOC analyst at SecureSys Inc. A network intrusion detection system (NIDS) has flagged a suspicious port scan originating from an internal server. This could indicate an internal reconnaissance attempt or an attacker probing for vulnerabilities.
Your task is to analyze the network logs, identify the suspicious activity, and determine if it’s part of a security incident.