Start here overview
Day 5 · Skills
60–75 min

Day 5: SOC & log awareness

Blue teams win with visibility. Today you learn how security operations centers detect suspicious activity, what SIEM and EDR mean in practice, and how to read alerts like a junior SOC analyst.

Today's outcome: You can describe what a SOC does, what SIEM logs show, and how analysts triage failed logins.

Week progress

Day 5 of 7

  1. 1

    Security mindset & threat basics

  2. 2

    Networking for security

  3. 3

    Linux command line

  4. 4

    Web security introduction

  5. 5

    SOC & log awareness

    You are here

  6. 6

    First hands-on lab

  7. 7

    Pick your career direction

Goals

Learning objectives

By the end of today you should be able to:

  • Define SOC, SIEM, EDR, and alert triage in plain language
  • Explain why failed login spikes matter
  • Follow a failed-login investigation walkthrough
  • Identify two log sources you would monitor on a Linux server

Schedule

Suggested schedule

Adjust timing to your pace — aim for one focused block per day.

  1. Tutorial~35 min

    Complete SOC analyst foundation — alerts, triage, and documentation.

  2. Deep dive~15 min

    Skim SIEM/monitoring tutorial (Wazuh, Splunk, or ELK overview).

  3. Scenario~15 min

    Read failed login investigation article or tutorial section.

  4. Plan~10 min

    List what evidence you would collect for a phishing alert.

Concepts

Key terms for today

SIEMAlertTriageFalse positiveIncidentLog sourceCorrelation

Notebook

Reflection prompts

Copy these into your learning notebook — answers become portfolio material later.

  • What is the first question I ask when an alert fires?
  • Which logs help prove a brute-force attempt vs a misconfigured app?
  • How would I document an alert for a senior analyst?

Up next: Day 6

First hands-on lab