This 30-day challenge, designed by Steven from MyDFIR, guided me through the process of setting up a fully functional Security Operations Center (SOC) environment from scratch. This immersive hands-on experience allowed me to work with industry-standard tools and techniques used by SOC analysts to detect, respond to, and mitigate cybersecurity threats. By the end of the challenge, I had built a mini SOC that mimicked real-world security environments, strengthening my skills in log analysis, incident detection, and security automation.
Below, you will find a detailed breakdown of what I learned and accomplished each day of the challenge.
Creating a Logical Diagram
As part of the 30-Day MyDFIR SOC Analyst Challenge, I kicked off my journey by building a logical diagram of a hypothetical security operations center (SOC) environment. This diagram serves as a foundational blueprint, illustrating the interactions and data flow between the various components.
Introduction to ELK Stack
On Day 2, I learned about the ELK stack and how Elasticsearch, Logstash, and Kibana work together. This gave me insight into how data is ingested, stored, and visualized for effective log management and analysis.
Spinning Up an Elasticsearch Instance
On Day 3 of the “30-Day SOC Analyst Challenge,” I set up a Virtual Machine on Vultr to install and configure Elasticsearch. I created a secure Virtual Private Cloud, logged in via SSH, installed Elasticsearch on Ubuntu, configured it for remote access, and secured it with custom firewall rules. This setup is a key step in building a functional SOC environment.
Setting Up Kibana
On Day 4 of the 30-Day SOC Challenge, I successfully installed and configured Kibana on my virtual machine. This project involved setting up firewall rules, generating an enrollment token, and securing the Kibana instance for data visualization.
Windows Server 2022 Installation
On Day 5 of the 30-Day SOC Analyst Challenge, I deployed a Windows Server 2022 virtual machine with RDP exposed to the internet. This server will later act as my target machine for monitoring log activity and analyzing network traffic.
Elastic Agent and Fleet Server Introduction
Day 6 focused on mastering Elastic Agents and Fleet Server. These tools enable centralized management of multiple endpoints, significantly streamlining the monitoring and configuration process.
Elastic Agent and Fleet Server Setup
On Day 7, I successfully set up Elastic Agent on my existing Windows Server 2022 and deployed a Fleet Server on an Ubuntu virtual machine. This allowed for centralized monitoring and management of multiple agents and log collection across both platforms, essential for a modern SOC environment.
Introduction to Sysmon
On Day 8 of the challenge, I learned how to configure Sysmon to log key system events, such as process creation and network connections. This enhanced visibility will improve my ability to detect and investigate endpoint compromises efficiently.
Installing and Configuring Sysmon on Windows Server
On Day 9, I successfully installed and configured Sysmon on my Windows Server. I set up Sysmon with a popular configuration file and confirmed that it was logging events correctly, paving the way for advanced monitoring and analysis.
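As an added illustration of the kind of Sysmon configuration Days 8 and 9 describe (my own constructed example, not the popular configuration file installed on the page), the snippet below logs process creation broadly while keeping network-connection logging focused on a few high-signal cases. The excluded image path, the scripting hosts, and the destination ports are assumptions chosen for illustration.

```xml
<!-- Constructed example Sysmon config; not the configuration file used on the page -->
<Sysmon schemaversion="4.50">
  <!-- Hash every created process image with SHA256 so Kibana can pivot on it -->
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1 (ProcessCreate): log everything except one assumed noisy binary.
         onmatch="exclude" means: record every event that does NOT match a rule -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\conhost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 3 (NetworkConnect): record only what matches a rule
         (onmatch="include"), which keeps ingest volume manageable in Elasticsearch -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <!-- Scripting hosts reaching the network are worth seeing every time -->
        <Image condition="image">powershell.exe</Image>
        <Image condition="image">wscript.exe</Image>
        <!-- Assumed ports of interest for a lab server with RDP exposed -->
        <DestinationPort condition="is">3389</DestinationPort>
        <DestinationPort condition="is">4444</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Install it with `sysmon64 -accepteula -i sysmon.xml` and confirm events are being written under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational in Event Viewer before pointing Elastic Agent at that channel.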
Ingesting Sysmon and Microsoft Defender Logs into Elasticsearch
On Day 10, I successfully ingested Sysmon and Microsoft Defender event logs into Elasticsearch. This involved configuring custom integrations, specifying relevant event IDs, and troubleshooting data ingestion issues. The process ensures that valuable security logs are centralized and accessible for in-depth analysis and monitoring.