Day 5: SOC & log awareness
Blue teams win with visibility. Today you learn how security operations centers detect suspicious activity, what SIEM and EDR mean in practice, and how to read alerts like a junior SOC analyst.
Today's outcome: You can describe what a SOC does, what SIEM logs show, and how analysts triage failed logins.
Week progress
Day 5 of 7
- 1
Security mindset & threat basics
- 2
Networking for security
- 3
Linux command line
- 4
Web security introduction
- 5
SOC & log awareness
You are here
- 6
First hands-on lab
- 7
Pick your career direction
Goals
Learning objectives
By the end of today you should be able to:
- Define SOC, SIEM, EDR, and alert triage in plain language
- Explain why failed login spikes matter
- Follow a failed-login investigation walkthrough
- Identify two log sources you would monitor on a Linux server
Schedule
Suggested schedule
Adjust timing to your pace — aim for one focused block per day.
- Tutorial~35 min
Complete SOC analyst foundation — alerts, triage, and documentation.
- Deep dive~15 min
Skim SIEM/monitoring tutorial (Wazuh, Splunk, or ELK overview).
- Scenario~15 min
Read failed login investigation article or tutorial section.
- Plan~10 min
List what evidence you would collect for a phishing alert.
Learn
Mapped learning resources
These links connect this day to tutorials, labs, roadmaps, and reference material on PentesterWorld.
SOC analyst foundation
SOC workflows, alert handling, phishing, and incident documentation.
Open resourceSecurity monitoring (SIEM overview)
Wazuh, Splunk, and ELK concepts for detection and response.
Open resourceSIEM glossary
What a SIEM does and how it fits in enterprise security.
Open resourceFailed login investigation guide
Practical Linux auth.log analysis patterns for SOC workflows.
Open resourceConcepts
Key terms for today
Notebook
Reflection prompts
Copy these into your learning notebook — answers become portfolio material later.
- What is the first question I ask when an alert fires?
- Which logs help prove a brute-force attempt vs a misconfigured app?
- How would I document an alert for a senior analyst?