1. Built Full SOC Lab from Scratch
Designed and deployed a fully operational SOC lab using PFSense, Splunk, Sysmon, Suricata, and Microsoft Active Directory. Enabled real-time threat detection, log correlation, and alerting workflows — replicating a Tier 1/2 SOC environment.
2. Threat Detection & Alerting Use Cases (Real-World Aligned)
Created 15+ custom SPL-based detections in Splunk for techniques like PowerShell abuse (T1059), scheduled task persistence (T1053), and lateral movement (T1021). Mapped alerts to MITRE ATT&CK for executive reporting.
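As an added illustration (not code from the lab above, and not one of its SPL searches), the shape of such a detection with ATT&CK mapping, written in Python over constructed Sysmon-style process-creation records; the field names follow Sysmon Event ID 1, while the rule predicates and the sample events are assumptions made here:

```python
import re
from collections import Counter

# Constructed Sysmon-style records (sample input, not logs from the lab above).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /tn "Updater" /tr "C:\\Users\\Public\\u.exe" /sc onlogon'},
    {"EventID": 1, "Image": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe C:\\notes.txt"},
    {"EventID": 3, "Image": r"C:\Windows\System32\schtasks.exe", "DestinationIp": "10.0.0.5"},
]

# Each rule: ATT&CK (sub-)technique id, description, predicate over lowercased Image/CommandLine.
RULES = [
    ("T1059.001", "PowerShell launched with encoded or hidden-window flags",
     lambda img, cmd: img.endswith("powershell.exe")
     and re.search(r"(-enc(odedcommand)?|-w(indowstyle)?\s+hidden)\b", cmd) is not None),
    ("T1053.005", "Scheduled task created via schtasks.exe",
     lambda img, cmd: img.endswith("schtasks.exe") and "/create" in cmd),
    ("T1021.006", "WinRM session host spawned (remote PowerShell session)",
     lambda img, cmd: img.endswith("wsmprovhost.exe")),
]


def detect(events):
    """Return (technique_id, description, original CommandLine) for each matching event."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:  # only process-creation events carry CommandLine
            continue
        img = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "").lower()
        for tid, desc, pred in RULES:
            if pred(img, cmd):
                alerts.append((tid, desc, ev["CommandLine"]))
    return alerts


def attack_summary(events):
    """Alert count per ATT&CK technique, the roll-up shape used for executive reporting."""
    return dict(Counter(tid for tid, _, _ in detect(events)))


if __name__ == "__main__":
    for tid, desc, cmd in detect(SAMPLE_EVENTS):
        print(f"[{tid}] {desc}: {cmd}")
    print(attack_summary(SAMPLE_EVENTS))
```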
3. Live Attack Simulation & DFIR Response
Executed controlled cyberattacks (e.g., mimikatz, malware dropper, and log deletion attempts) in the lab. Captured forensic artifacts using Volatility, detected lateral movement via Splunk dashboards, and completed full kill chain analysis.
4. SOC Process Automation (SOAR Integration)
Integrated Shuffle (SOAR platform) into lab workflow. Automated alert triage, enrichment via VirusTotal, and IOC tagging — reducing manual workload and demonstrating Tier 2 SOC workflows.
5. Incident Report Writing & Client-Side Simulation
Developed full incident reports for simulated ransomware attacks, including IOCs, root cause, impact assessment, and remediation recommendations. Report format mirrors Fortune 500 IR standards.
6. Threat Intelligence Integration
Correlated MITRE ATT&CK framework with observed lab data. Used external threat feeds to simulate alerting based on CVE-2023-23397, phishing header spoofing, and malicious EXE uploads.
7. Digital Forensics Achievement
Analyzed memory dumps using Volatility (pslist, malfind, netscan, dlllist). Identified malicious persistence injected via remote threads and recovered encoded payloads from dumped memory.
8. SOC Infrastructure Optimization
Structured indexes, sourcetypes, and parsing rules in Splunk to ensure accurate field extractions, event correlation, and fast dashboard performance even under large log volumes.