HxHippy

SOC Analyst Cheat Sheet

Log analysis, threat hunting, and incident investigation.

Last updated: 2025-01-15


Quick Reference

# Quick threat check (Debian/Ubuntu path; RHEL-family logs to /var/log/secure,
# journald-only hosts: journalctl -u ssh)
grep -E "Failed|Invalid|error" /var/log/auth.log | tail -50
journalctl -p err --since "1 hour ago"

# Listening sockets not bound to loopback (with owning process; -p needs root)
ss -tulnp | grep -vE '127\.0\.0\.1|\[::1\]'

# Active connections
ss -tnp state established
netstat -an | grep ESTABLISHED   # older hosts without ss

Log Analysis

Authentication Logs

# Failed logins
grep "Failed password" /var/log/auth.log

# Successful logins
grep "Accepted" /var/log/auth.log

# Brute force detection: take the token after "from " rather than a fixed
# column ($11 holds the IP for "Failed password for root from ...", but it
# shifts to $13 on "Failed password for invalid user admin from ..." lines)
grep "Failed password" /var/log/auth.log | \
  grep -oE "from [0-9a-fA-F.:]+" | awk '{print $2}' | sort | uniq -c | sort -rn | head -10

# Invalid users
grep "Invalid user" /var/log/auth.log

# SSH accepted by IP
grep "Accepted" /var/log/auth.log | \
  grep -oE "from [0-9a-fA-F.:]+" | awk '{print $2}' | sort | uniq -c | sort -rn
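As an added example (not part of the original cheat sheet), the following script does the brute-force count robustly against both sshd message shapes and then flags any source that failed repeatedly and afterwards got an "Accepted" line, which is the case an analyst actually needs to act on. The log lines are constructed sample data; the threshold and function names are this example's own choices.

```shell
#!/bin/sh
# Added example: failed-SSH-login counting that does not depend on a fixed awk
# column, plus detection of "many failures then a success" per source IP.

# Constructed sample auth.log lines (documentation IP ranges, not real data).
SAMPLE_AUTH_LOG='Jan 15 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.10 port 51234 ssh2
Jan 15 10:00:02 host sshd[1202]: Failed password for invalid user admin from 203.0.113.10 port 51235 ssh2
Jan 15 10:00:03 host sshd[1203]: Failed password for invalid user test from 198.51.100.7 port 40001 ssh2
Jan 15 10:00:04 host sshd[1204]: Accepted publickey for deploy from 192.0.2.5 port 2222 ssh2: ED25519 SHA256:abc
Jan 15 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.10 port 51236 ssh2
Jan 15 10:00:06 host sshd[1206]: Accepted password for root from 203.0.113.10 port 51237 ssh2'

# Print "count ip" for failed password attempts, most frequent first.
# Reads the file(s) given as arguments, or stdin when none are given.
failed_by_ip() {
  grep 'sshd\[[0-9]*\]: Failed password' "$@" \
    | sed -n 's/.* from \([0-9a-fA-F.:]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print each IP that failed at least $1 times AND later produced an
# "Accepted" line: a brute force that succeeded. Remaining args are files
# (or stdin when none).
successful_after_failures() {
  threshold="$1"; shift
  tmp=$(mktemp)
  cat "$@" > "$tmp"
  failed_by_ip "$tmp" | awk -v t="$threshold" '$1 >= t {print $2}' | while read -r ip; do
    if grep -q "Accepted .* from $ip port" "$tmp"; then
      printf '%s\n' "$ip"
    fi
  done
  rm -f "$tmp"
}

# Live use on a host:
#   failed_by_ip /var/log/auth.log | head
#   successful_after_failures 10 /var/log/auth.log
```

The sed expression keys on the literal " from " and " port " that sshd always emits around the peer address, so it also works for IPv6 peers and for the "invalid user" variant.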

System Logs

# Recent errors
journalctl -p err --since "1 hour ago"

# Specific service (the unit is sshd on RHEL-family, ssh on Debian/Ubuntu)
journalctl -u sshd --since today

# Kernel messages
dmesg | tail -50
journalctl -k

# Boot logs
journalctl -b

Web Logs

# Apache/Nginx errors
tail -f /var/log/nginx/error.log
tail -f /var/log/apache2/error.log

# 4xx/5xx responses ($9 is the status code in the default combined log format)
awk '$9 ~ /^[45]/' /var/log/nginx/access.log | tail -50

# Top IPs
awk '{print $1}' /var/log/nginx/access.log | \
  sort | uniq -c | sort -rn | head -20

# Suspicious requests. Escape the dots: as a regex, "../" means "any two
# characters then a slash" and matches almost every line. Requests are logged
# percent-encoded, so match the encoded spellings too (or decode first).
grep -iE '\.\./|%2e%2e%2f|<script|%3cscript|union(%20|\+| )+select' /var/log/nginx/access.log

Threat Indicators

Suspicious Patterns

# Port scans: only visible if a firewall LOG rule writes to the kernel log;
# iptables/nftables LOG lines carry the TCP flags, so count sources sending SYNs
journalctl -k | grep -E "IN=.*PROTO=TCP.*SYN" | grep -oE "SRC=[0-9a-fA-F.:]+" | sort | uniq -c | sort -rn | head

# SQL injection attempts (encoded and decoded spellings)
grep -iE "union(%20|\+| )+select|or(%20|\+| )+1=1|'--|%27--" /var/log/nginx/access.log

# Path traversal (an unescaped "../" matches any two characters and a slash)
grep -iE '\.\./|%2e%2e%2f|\.\.%2f' /var/log/nginx/access.log

# Command injection. "||" inside an ERE is an empty alternative that matches
# every line; use [|] for a literal pipe and include the %3b / %7c encodings.
grep -iE ';[ +]*(ls|cat|wget|curl)|%3b|[|][ +]*(sh|bash)|%7c' /var/log/nginx/access.log

Process Analysis

# Running processes
ps auxf

# Network connections by process
lsof -i -P -n

# Suspicious processes (drop the grep itself from the output)
ps aux | grep -E "nc |ncat|/tmp/|/dev/shm/" | grep -v grep

# Binaries deleted while still running (a dropper that cleaned up after itself)
ls -l /proc/[0-9]*/exe 2>/dev/null | grep deleted

# Process tree
pstree -p

# Open files by process
lsof -p <PID>

Network Analysis

Connections

# Listening sockets with owning process (-p needs root)
ss -tulnp
netstat -tulpn   # older hosts without ss

# Established connections
ss -tnp state established

# Connection count by peer IP. With a state filter ss drops the State column,
# so the peer address:port is column 4; -H drops the header. Strip the port
# from the right so IPv6 peers ([addr]:port) keep their colons.
ss -tnH state established | awk '{print $4}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -rn

# Listening services: -l already filters, and UDP sockets show as UNCONN,
# not LISTEN, so a grep for LISTEN would hide them
ss -tlnp
ss -ulnp
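An added example (not part of the original cheat sheet) of the "connection count by IP" pipeline written as reusable functions, with IPv6 bracket handling and a threshold filter. It assumes the iproute2 column layout for `ss -tnH state established` (no State column, peer in column 4); the sample output is constructed.

```shell
#!/bin/sh
# Added example: count established TCP peers from `ss -tnH state established`
# output and flag peers above a threshold. Handles [IPv6]:port and IPv4:port.

# Constructed sample of `ss -tnH state established` output (not a real host).
SAMPLE_SS='0      0      192.0.2.5:22        203.0.113.10:51234
0      0      192.0.2.5:22        203.0.113.10:51235
0      0      192.0.2.5:443       198.51.100.7:40001
0      0      192.0.2.5:443       198.51.100.7:40002
0      0      [2001:db8::5]:443   [2001:db8::99]:40000
0      0      192.0.2.5:443       203.0.113.10:51236'

# Strip the port from an address:port token on stdin, unwrapping IPv6 brackets.
peer_ip() {
  sed 's/:[0-9]*$//; s/^\[\(.*\)\]$/\1/'
}

# "count ip" per peer, busiest first. Reads ss output on stdin; column 4 is
# the peer because ss omits the State column when a state filter is given.
peer_counts() {
  awk 'NF >= 4 {print $4}' | peer_ip | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Peers with at least $1 established connections, one IP per line.
peers_over() {
  peer_counts | awk -v t="$1" '$1 >= t {print $2}'
}

# Live use:
#   ss -tnH state established | peers_over 50
```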

Traffic Analysis

# Capture traffic (-n: no DNS lookups, which would generate traffic of their own;
# write the pcap to external media, not the suspect disk)
tcpdump -ni eth0 -w /mnt/usb/capture.pcap

# Filter by host
tcpdump -ni eth0 host 192.168.1.1

# Filter by port
tcpdump -ni eth0 port 443

# HTTP traffic (plaintext only; -A prints the payload as ASCII)
tcpdump -ni eth0 -A 'tcp port 80'

Incident Response

Initial Triage

# System info
uname -a
uptime
who -a

# Recent logins (last: successful, lastb: failed, lastlog: last login per account)
last -a | head -20
lastb | head -20
lastlog

# Running services and scheduled timers
systemctl list-units --type=service --state=running
systemctl list-timers --all

# Cron jobs: crontab -l shows only the current user, so walk every account,
# and include the system crontab and drop-in directories
for u in $(cut -d: -f1 /etc/passwd); do crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"; done
cat /etc/crontab
ls -la /etc/cron.*

Evidence Collection

# Order of volatility: capture memory before touching disk; everything you run
# on the host changes its state, so write all output to external media.

# Memory dump. /dev/mem is restricted on modern kernels (CONFIG_STRICT_DEVMEM)
# and never gave a full RAM image; use a purpose-built tool instead:
sudo avml /mnt/usb/memory.lime                                          # AVML, no kernel module needed
sudo insmod lime-$(uname -r).ko "path=/mnt/usb/memory.lime format=lime" # LiME, module built for this kernel

# Process memory (writes core.<PID>; needs ptrace rights on the target)
sudo gcore -o /mnt/usb/proc <PID>

# Disk image: never write the image onto the disk being imaged. bs=512 matches
# the sector size so conv=sync only pads sectors that failed to read; hash the
# source and the image and record both.
sudo dd if=/dev/sda of=/mnt/usb/disk.img bs=512 conv=noerror,sync
sha256sum /dev/sda /mnt/usb/disk.img

# Logs backup (tar keeps ownership and mtimes); hash the archive
sudo tar -czf /mnt/usb/logs_backup.tar.gz /var/log/
sha256sum /mnt/usb/logs_backup.tar.gz
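The disk and log steps above, as an added example that is not part of the original cheat sheet: image a source, refuse to write the image onto the very disk being imaged, hash source and image, and append everything to a chain-of-custody log. The `/dev/sda` and `/mnt/usb/...` paths in the comments are assumptions; the test images a constructed regular file rather than a device.

```shell
#!/bin/sh
# Added example: dd-based imaging with hash verification and a custody log.
# Real use (as root, destination on a separate disk):
#   image_device /dev/sda /mnt/usb/case42/sda.img /mnt/usb/case42/custody.log
#   preserve_dir /var/log /mnt/usb/case42/var_log.tgz /mnt/usb/case42/custody.log

stamp() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# Image $1 to $2, appending dd's record counts and both hashes to log $3.
# Returns 0 only when the image hash equals the source hash.
image_device() {
  src="$1"; dst="$2"; log="$3"
  [ "$src" != "$dst" ] || { echo "refusing: source and destination are the same" >&2; return 2; }
  # Refuse when the destination directory is mounted from the device being
  # imaged (findmnt is util-linux; if it is absent this check is skipped).
  case "$(findmnt -no SOURCE -T "$(dirname "$dst")" 2>/dev/null)" in
    "$src"*) echo "refusing: destination lives on $src" >&2; return 2 ;;
  esac
  # bs=512 matches the sector size, so conv=sync pads only sectors that failed
  # to read (conv=noerror continues past them). A larger bs would pad the
  # tail of the source and the hashes would no longer match.
  dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>>"$log" || return 1
  src_hash=$(sha256sum "$src" | awk '{print $1}')
  dst_hash=$(sha256sum "$dst" | awk '{print $1}')
  printf '%s source=%s sha256=%s\n%s image=%s sha256=%s\n' \
    "$(stamp)" "$src" "$src_hash" "$(stamp)" "$dst" "$dst_hash" >> "$log"
  [ "$src_hash" = "$dst_hash" ]
}

# Archive directory $1 (e.g. /var/log) to $2 and log the archive hash to $3.
preserve_dir() {
  src="$1"; dst="$2"; log="$3"
  tar -czf "$dst" -C "$(dirname "$src")" "$(basename "$src")" || return 1
  printf '%s archive=%s of=%s sha256=%s\n' "$(stamp)" "$dst" "$src" \
    "$(sha256sum "$dst" | awk '{print $1}')" >> "$log"
}
```

When `dc3dd` or `dcfldd` is available, prefer it: both hash on the fly and log bad sectors, which plain `dd` does not. A non-zero return from `image_device` on a file whose size is not a multiple of 512 bytes is expected: that is the `conv=sync` padding the comment warns about, and it is why sector-sized blocks matter for whole-device images.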

SIEM Queries

Splunk

# Failed logins (field names such as src_ip follow your sourcetype or CIM mapping)
index=auth "Failed password" | stats count by src_ip

# Top talkers
index=firewall | stats count by src_ip | sort -count

# Outbound connections
index=proxy action=allowed | stats count by dest_ip

Elastic/Kibana

Query DSL for the _search API using ECS field names (event.category, event.outcome, source.ip):

{
  "query": {
    "bool": {
      "must": [
        { "term": { "event.category": "authentication" } },
        { "term": { "event.outcome": "failure" } }
      ],
      "filter": [
        { "range": { "@timestamp": { "gte": "now-1h" } } }
      ]
    }
  },
  "aggs": {
    "by_source": { "terms": { "field": "source.ip", "size": 20 } }
  }
}

Indicators of Compromise

IOC Type      Example
IP Address    Malicious IPs in connections
Domain        C2 domains in DNS logs
File Hash     Known malware hashes
User Agent    Suspicious UA strings
File Path     Unusual executables in /tmp

Investigation Checklist

  • Identify affected systems
  • Collect logs and evidence
  • Determine attack vector
  • Identify IOCs
  • Contain threat
  • Eradicate malware
  • Recover systems
  • Document findings