SOC Analyst Cheat Sheet
Log analysis, threat hunting, and incident investigation quick reference.
Quick Reference
# Quick threat check
grep -E "Failed|Invalid|error" /var/log/auth.log | tail -50
journalctl -p err --since "1 hour ago"
ss -tuln | grep -v 127.0.0.1
# Active connections
netstat -an | grep ESTABLISHED
Log Analysis
Authentication Logs
# Failed logins
grep "Failed password" /var/log/auth.log
# Successful logins
grep "Accepted" /var/log/auth.log
# Brute force detection (failed attempts per source IP; extract the IP by pattern, because
# "Failed password for invalid user NAME from IP" shifts the address from $11 to $13)
grep "Failed password" /var/log/auth.log | \
grep -oE "from [0-9a-fA-F.:]+" | awk '{print $2}' | sort | uniq -c | sort -rn | head -10
# Invalid users
grep "Invalid user" /var/log/auth.log
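The auth.log one-liners in this section as a small script, run against a constructed sample (added example, not part of the original cheat sheet; the sample lines, function names and the threshold argument are mine). It pulls the source address out by pattern so the "invalid user" message shape is counted too, and finishes with the finding the raw counts do not give you: a source that failed repeatedly and then got an Accepted line.

```shell
#!/bin/sh
# Added example: auth.log analysis helpers. Assumes OpenSSH sshd message
# formats as shown in the constructed sample below.

# Constructed sample auth.log lines (not real data). They cover the three
# shapes a field-based one-liner has to deal with: "for USER from IP",
# "for invalid user USER from IP" (IP shifts two fields right) and
# "Invalid user USER from IP".
SAMPLE_AUTH_LOG='Mar 10 10:01:02 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 10:01:04 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar 10 10:01:05 web1 sshd[2205]: Failed password for invalid user test from 203.0.113.5 port 51242 ssh2
Mar 10 10:01:07 web1 sshd[2207]: Failed password for root from 198.51.100.7 port 40000 ssh2
Mar 10 10:01:09 web1 sshd[2209]: Invalid user oracle from 203.0.113.5 port 51250
Mar 10 10:02:30 web1 sshd[2300]: Accepted password for deploy from 203.0.113.5 port 51300 ssh2
Mar 10 10:05:00 web1 sshd[2400]: Accepted publickey for alice from 192.0.2.10 port 60000 ssh2: ED25519 SHA256:c0ffee'

# Source address by pattern, not by field number, so every message shape works.
src_ip() { grep -oE 'from [0-9a-fA-F.:]+' | cut -d' ' -f2; }

# Failed logins per source, most active first.
failed_by_ip() { grep 'Failed password' | src_ip | sort | uniq -c | sort -rn; }

# Successful logins per source.
accepted_by_ip() { grep 'Accepted ' | src_ip | sort | uniq -c | sort -rn; }

# Usernames tried that do not exist on the host (both message shapes).
invalid_users() { grep -ioE 'invalid user [^ ]+' | awk '{print $3}' | sort -u; }

# Sources with at least $1 failed attempts: the brute-force candidates.
brute_force_sources() { failed_by_ip | awk -v t="$1" '$1 >= t {print $2}' | sort; }

# Sources that brute-forced AND later got an Accepted line. The log is read
# once into a temp file because both sides of the comparison need it.
successful_brute_force() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    brute_force_sources "$1" < "$tmp" > "$tmp.bf"
    accepted_by_ip < "$tmp" | awk '{print $2}' | sort > "$tmp.ok"
    comm -12 "$tmp.bf" "$tmp.ok"
    rm -f "$tmp" "$tmp.bf" "$tmp.ok"
}

# Stand-alone demo on the sample. Real use: successful_brute_force 10 < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | successful_brute_force 3
```

On hosts without /var/log/auth.log, feed the functions `journalctl -u ssh -o cat` (unit name `sshd` on RHEL-family systems) instead; the message text is the same.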
# SSH accepted by IP
grep "Accepted" /var/log/auth.log | \
awk '{print $11}' | sort | uniq -c | sort -rn
System Logs
# Recent errors
journalctl -p err --since "1 hour ago"
# Specific service
journalctl -u sshd --since today
# Kernel messages
dmesg | tail -50
journalctl -k
# Boot logs
journalctl -b
Web Logs
# Apache/Nginx errors
tail -f /var/log/nginx/error.log
tail -f /var/log/apache2/error.log
# 4xx/5xx responses
awk '$9 ~ /^[45]/' /var/log/nginx/access.log | tail -50
# Top IPs
awk '{print $1}' /var/log/nginx/access.log | \
sort | uniq -c | sort -rn | head -20
# Suspicious requests
# (escape the dots: an unescaped "../" matches any two characters followed by a slash)
grep -iE "\.\./|<script|union.*select" /var/log/nginx/access.log
Threat Indicators
Suspicious Patterns
# Port scans (only useful if the firewall logs dropped packets, e.g. an iptables/nftables LOG rule with a prefix)
grep -E "SYN|scan" /var/log/syslog
# SQL injection attempts (payloads are often URL-encoded, e.g. %27 for the quote and %20 for a space)
grep -iE "union.*select|or.*1=1|'--" /var/log/nginx/access.log
# Path traversal (dots escaped; %2e is a URL-encoded dot)
grep -iE "\.\./|%2e%2e" /var/log/nginx/access.log
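The "Suspicious requests" grep under Web Logs and the injection and traversal checks in this section, done the way a hunt actually needs them (added example, not part of the original cheat sheet): the request path is URL-decoded before matching, the dot metacharacter is escaped, and each hit is tagged with what it resembles. It assumes the combined log format (request path is the 7th whitespace field); the sample lines and the pattern set are mine and are a starting point, not a signature list.

```shell
#!/bin/sh
# Added example: tag web requests that look like traversal, SQLi, XSS or
# command injection, after URL-decoding. Constructed data, own pattern set.

# Constructed nginx access.log lines (not real traffic).
SAMPLE_ACCESS_LOG='203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2024:10:00:03 +0000] "GET /item?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 500 0 "-" "sqlmap/1.7"
198.51.100.7 - - [10/Mar/2024:10:00:04 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 100 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:10:00:05 +0000] "GET /ping?host=127.0.0.1;cat%20/etc/passwd HTTP/1.1" 200 100 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:10:00:06 +0000] "GET /static/img/logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:10:00:07 +0000] "GET /%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 0 "-" "curl/8.0"'

# The bug in the unescaped one-liner: "../" means "any two characters then a
# slash", which every line's "[10/Mar/..." timestamp satisfies.
count_traversal_naive()   { grep -cE '../'; }
# Escaped, but blind to %2e%2e/ (encoded dots).
count_traversal_literal() { grep -cE '\.\./'; }

# flag_web_attacks < access.log -> "TAGS<TAB>client_ip<TAB>decoded_path" per hit.
flag_web_attacks() {
    awk '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    # Decode %HH sequences; leaves malformed escapes untouched.
    function urldecode(s,    out, i, n, h1, h2) {
        out = ""; n = length(s)
        for (i = 1; i <= n; i++) {
            if (substr(s, i, 1) == "%" && i + 2 <= n) {
                h1 = hexval(substr(s, i + 1, 1)); h2 = hexval(substr(s, i + 2, 1))
                if (h1 >= 0 && h2 >= 0) { out = out sprintf("%c", h1 * 16 + h2); i += 2; continue }
            }
            out = out substr(s, i, 1)
        }
        return out
    }
    {
        path = urldecode($7); low = tolower(path); tags = ""
        if (path ~ /\.\.\//)                                      tags = tags "TRAVERSAL,"
        if (low ~ /union[^a-z]+select|or[^a-z]+1=1|'\''--|'\'' or '\''/) tags = tags "SQLI,"
        if (low ~ /<script|javascript:|onerror=/)                  tags = tags "XSS,"
        # shell metacharacter followed by a typical recon/download command
        if (low ~ /[;|`$(][^a-z]*(ls|cat|id|whoami|wget|curl|bash|sh)([^a-z]|$)/) tags = tags "CMDI,"
        if (tags != "") { sub(/,$/, "", tags); print tags "\t" $1 "\t" path }
    }'
}

# Stand-alone demo. Real use: flag_web_attacks < /var/log/nginx/access.log
printf '%s\n' "$SAMPLE_ACCESS_LOG" | flag_web_attacks
```

Decoding once and matching on the decoded path is what makes the `%2e%2e/` and `%3Cscript%3E` lines show up; the two `count_traversal_*` helpers are there to show how far off the unescaped grep is on the same input.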
# Command injection ("||" inside a grep -E pattern is an empty alternative that matches every line; escape it)
grep -iE ';[[:space:]]*(ls|cat|id|wget|curl|bash)|\|\||%3b|%7c' /var/log/nginx/access.log
Process Analysis
# Running processes
ps auxf
# Network connections by process
lsof -i -P -n
# Suspicious processes
ps aux | grep -E "nc |ncat|/tmp/|/dev/shm/"
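The "suspicious processes" grep above as a /proc walk that says why a process is flagged (added example, not part of the original cheat sheet). It assumes Linux /proc semantics; the path rules and the kernel-thread name list are my own starting set, not an authoritative one.

```shell
#!/bin/sh
# Added example: explainable process hunting over /proc (Linux).

# Classify the target of readlink /proc/PID/exe. Prints a reason and returns 0
# when suspicious, returns 1 otherwise. Rules are a starting list (assumption).
suspicious_exe_reason() {
    case "$1" in
        *' (deleted)')      echo "binary deleted from disk while still running" ;;
        /memfd:*)           echo "fileless: executed from an anonymous memfd" ;;
        /dev/shm/*)         echo "runs from /dev/shm (RAM-backed, world-writable)" ;;
        /tmp/*|/var/tmp/*)  echo "runs from a world-writable temp directory" ;;
        *)                  return 1 ;;
    esac
}

# Real kernel threads have no /proc/PID/exe target. A userland binary whose
# comm looks like one is hiding in ps output.  masquerade_reason COMM EXE
masquerade_reason() {
    case "$1" in
        kworker*|kthreadd|ksoftirqd*|migration*|rcu_*)
            [ -n "$2" ] && echo "userland binary named like a kernel thread" && return 0 ;;
    esac
    return 1
}

# hunt_processes -> "pid<TAB>comm<TAB>exe<TAB>reason<TAB>cmdline" per flagged process.
# exe is empty for kernel threads and for processes we cannot read (no root).
hunt_processes() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d#/proc/}
        exe=$(readlink "$d/exe" 2>/dev/null) || exe=""
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        reason=$(suspicious_exe_reason "$exe") || reason=$(masquerade_reason "$comm" "$exe") || continue
        cmdline=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null) || cmdline=""
        printf '%s\t%s\t%s\t%s\t%s\n' "$pid" "$comm" "$exe" "$reason" "$cmdline"
    done
    return 0
}

# Stand-alone run (as root for full coverage): hunt_processes
hunt_processes
```

Run it as root, otherwise `readlink` on other users' processes fails and those processes are silently skipped; pair the output with `ss -tunap` to see which flagged PIDs also hold sockets.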
# Process tree
pstree -p
# Open files by process
lsof -p PID
Network Analysis
Connections
# Active connections
ss -tuln
netstat -tulpn
# Established connections
ss -tn state established
# Connection count by IP
# (skip the header row; strip only the trailing :port so IPv6 peers such as [::1]:22 survive)
ss -tn | awk 'NR>1 {print $5}' | sed -E 's/:[0-9]+$//' | sort | uniq -c | sort -rn
# Listening services
ss -tuln | grep LISTEN
Traffic Analysis
# Capture traffic
tcpdump -i eth0 -w capture.pcap
# Filter by host
tcpdump -i eth0 host 192.168.1.1
# Filter by port
tcpdump -i eth0 port 443
# HTTP traffic
tcpdump -i eth0 port 80 -A
Incident Response
Initial Triage
# System info
uname -a
uptime
who
# Recent logins
last -a | head -20
lastlog
# Running services
systemctl list-units --type=service --state=running
# Cron jobs (crontab -l shows only the invoking user's crontab; check every user and the system cron directories)
crontab -l
ls -la /etc/cron.*
Evidence Collection
# Memory dump: collect memory first (order of volatility). On current kernels /dev/mem is
# restricted (CONFIG_STRICT_DEVMEM) and dd from it does not yield a usable full-RAM image;
# use a purpose-built acquisition tool such as LiME or AVML instead of this legacy command
sudo dd if=/dev/mem of=memory.dump
# Process memory
gcore PID
# Disk image: write to external or remote storage, never onto the disk being imaged,
# and hash the image (sha256sum) as soon as it is made
sudo dd if=/dev/sda of=disk.img
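The Initial Triage commands and the evidence-handling advice above as one collection script (added example, not part of the original cheat sheet): volatile state is captured in order of volatility into an evidence directory with a custody header, and a SHA-256 manifest is written so the collection can be proven intact later. It assumes coreutils `sha256sum` (falling back to `shasum -a 256`) and the common Linux tools named in the steps; a missing tool is recorded, not fatal. Memory (LiME/AVML) and disk imaging belong before and after this script respectively and are not done by it.

```shell
#!/bin/sh
# Added example: volatile evidence collection with a hashed manifest.

EVIDENCE_DIR=""

# run_step NAME CMD...  -> saves stdout+stderr of CMD to $EVIDENCE_DIR/NAME.txt.
# A failing or absent tool must never abort the collection, so it is recorded.
run_step() {
    name="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$EVIDENCE_DIR/$name.txt" 2>&1 || echo "[exit status $?]" >> "$EVIDENCE_DIR/$name.txt"
    else
        echo "tool not available on this host: $1" > "$EVIDENCE_DIR/$name.txt"
    fi
}

# collect_volatile DIR: most volatile first (sockets, processes), then logins
# and persistence. Step names and order are my choice (assumption).
collect_volatile() {
    EVIDENCE_DIR="$1"
    mkdir -p "$EVIDENCE_DIR" || return 1
    {
        echo "collector=$(id -un)"
        echo "host=$(uname -n)"
        echo "kernel=$(uname -r)"
        echo "started_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } > "$EVIDENCE_DIR/00_custody.txt"
    run_step 01_uptime       uptime
    run_step 02_who          who
    run_step 03_sockets      ss -tunap
    run_step 04_processes    ps auxf
    run_step 05_open_files   lsof -nP
    run_step 06_arp_cache    ip neigh
    run_step 07_routes       ip route
    run_step 08_last_logins  last -a
    run_step 09_services     systemctl list-units --type=service --state=running
    run_step 10_cron         ls -la /etc/cron.d /etc/cron.daily /var/spool/cron
    echo "finished_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$EVIDENCE_DIR/00_custody.txt"
}

sha256_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then echo sha256sum
    elif command -v shasum >/dev/null 2>&1; then echo "shasum -a 256"
    else return 1; fi
}

# write_manifest DIR: hash every collected file. The manifest is what you
# record in the case notes (and sign, if you have a key) at collection time.
write_manifest() {
    tool=$(sha256_cmd) || { echo "no SHA-256 tool found" >&2; return 1; }
    ( cd "$1" && for f in *.txt; do $tool "$f"; done > MANIFEST.sha256 )
}

# verify_manifest DIR: returns 0 only if every file still matches its recorded hash.
verify_manifest() {
    tool=$(sha256_cmd) || return 1
    ( cd "$1" && $tool -c MANIFEST.sha256 >/dev/null 2>&1 )
}

# Stand-alone run (as root, writing to removable or remote storage, never the suspect disk):
#   ./collect.sh run /mnt/evidence/web1-$(date -u +%Y%m%dT%H%M%SZ)
if [ "${1:-}" = "run" ] && [ -n "${2:-}" ]; then
    collect_volatile "$2" && write_manifest "$2" && verify_manifest "$2" && echo "collected and verified: $2"
fi
```

Anything you copy off the host later (the memory image, the disk image, the log tarball) gets the same treatment: hash it on the suspect host, hash it again on the analysis box, and record both.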
# Logs backup
tar -czvf logs_backup.tar.gz /var/log/
SIEM Queries
Splunk
# Failed logins
index=auth "Failed password" | stats count by src_ip
# Top talkers
index=firewall | stats count by src_ip | sort -count
# Outbound connections
index=proxy action=allowed | stats count by dest_ip
Elastic/Kibana
{
"query": {
"bool": {
"must": [
{ "match": { "event.action": "failed_login" } }
],
"filter": [
{ "range": { "@timestamp": { "gte": "now-1h" } } }
]
}
}
}
Indicators of Compromise
| IOC Type | Example |
|---|---|
| IP Address | Malicious IPs in connections |
| Domain | C2 domains in DNS logs |
| File Hash | Known malware hashes |
| User Agent | Suspicious UA strings |
| File Path | Unusual executables in /tmp |
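Matching a small IOC list of the types in the table against log lines, with the boundary checks a plain grep lacks (added example, not part of the original cheat sheet). The indicators and log lines are constructed for the demo, and the IOC file layout (one `type,value` per line, `#` comments) is an assumption of this script.

```shell
#!/bin/sh
# Added example: literal IOC matching with boundary checks.

# Constructed IOC list (not real threat intel).
SAMPLE_IOCS='# type,value
ip,203.0.113.6
domain,evil.example.net
hash,c0ffee11c0ffee22c0ffee33c0ffee44c0ffee55c0ffee66c0ffee77c0ffee88
ua,ExfilClient/1.0
path,/tmp/.x/kworker'

# Constructed log lines from several sources (DNS, connections, HTTP, exec).
SAMPLE_LOG='2024-03-10T10:00:01Z dns client=10.0.0.5 name=evil.example.net type=A
2024-03-10T10:00:02Z dns client=10.0.0.6 name=www.example.com type=A
2024-03-10T10:00:03Z conn src=10.0.0.5:51000 dst=203.0.113.66:443 proto=tcp
2024-03-10T10:00:04Z conn src=10.0.0.5:51001 dst=203.0.113.6:443 proto=tcp
2024-03-10T10:00:05Z http src=10.0.0.5 ua="ExfilClient/1.0" path=/upload
2024-03-10T10:00:06Z exec host=web1 path=/tmp/.x/kworker sha256=c0ffee11c0ffee22c0ffee33c0ffee44c0ffee55c0ffee66c0ffee77c0ffee88
2024-03-10T10:00:07Z dns client=10.0.0.7 name=cdn.evil.example.net type=A'

# match_iocs IOC_FILE < LOG  -> "type<TAB>value<TAB>line" per hit.
# index() gives a literal match, so IOC values never act as regex metacharacters.
# The boundary check stops 203.0.113.6 firing on 203.0.113.66; for domains a
# leading '.' is allowed so subdomains of a C2 domain are still caught.
match_iocs() {
    awk -F, '
    FNR == NR {                       # first file: load the IOC list
        if ($0 ~ /^#/ || NF < 2) next
        ioc_type[$2] = $1
        next
    }
    {                                 # remaining input: scan each log line
        line = $0
        for (v in ioc_type) {
            pos = index(line, v)
            while (pos > 0) {
                before = (pos > 1) ? substr(line, pos - 1, 1) : ""
                after  = substr(line, pos + length(v), 1)
                okb = (before == "") || (before !~ /[A-Za-z0-9.]/) || (ioc_type[v] == "domain" && before == ".")
                oka = (after  == "") || (after  !~ /[A-Za-z0-9.]/)
                if (okb && oka) { print ioc_type[v] "\t" v "\t" line; break }
                nxt = index(substr(line, pos + 1), v)
                pos = (nxt > 0) ? pos + nxt : 0
            }
        }
    }' "$1" -
}

# Stand-alone demo. Real use: match_iocs iocs.csv < /var/log/syslog
tmp_iocs=$(mktemp) && printf '%s\n' "$SAMPLE_IOCS" > "$tmp_iocs"
printf '%s\n' "$SAMPLE_LOG" | match_iocs "$tmp_iocs"
rm -f "$tmp_iocs"
```

For thousands of indicators, pre-filter with `grep -F -f values.txt` (fixed strings, no regex interpretation) and only run the boundary-checking pass on the lines that survive.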
Investigation Checklist
- Identify affected systems
- Collect logs and evidence
- Determine attack vector
- Identify IOCs
- Contain threat
- Eradicate malware
- Recover systems
- Document findings