# SOC: Security Operations Center

The Ultimate Security Operations Center Knowledge Repository
> "In the realm of cybersecurity, knowledge is your strongest defense."

## What is SOC Bible?

SOC Bible is a comprehensive, end-to-end Security Operations Center cookbook that serves as the definitive guide for SOC analysts, security engineers, incident responders, and cybersecurity professionals. This repository contains curated knowledge, best practices, hunting queries, and industry-standard procedures to build, operate, and scale a world-class SOC.
## Why SOC Bible?

- **Battle-Tested Knowledge**: Real-world scenarios and solutions from industry veterans
- **Comprehensive Coverage**: From SOC fundamentals to advanced threat hunting
- **Ready-to-Use Queries**: Pre-built detection rules and hunting queries for major SIEM platforms
- **Industry Standards**: Aligned with NIST, MITRE ATT&CK, and other security frameworks
- **Scalable Solutions**: Designed for organizations of all sizes
- **Open Source**: Community-driven and constantly evolving
## Quick Start

```bash
# Clone the repository
git clone https://github.com/sivolko/soc-bible.git

# Navigate to the directory
cd soc-bible

# Explore the structure
ls -la
```
## Repository Structure

```text
soc-bible/
├── fundamentals/      # SOC basics and foundational knowledge
├── playbooks/         # Incident response and operational playbooks
├── hunting-queries/   # Threat hunting queries for various platforms
├── detection-rules/   # Custom detection rules and signatures
├── frameworks/        # Industry frameworks and methodologies
├── tools-configs/     # Configuration templates for security tools
├── compliance/        # Compliance guidelines and checklists
├── case-studies/      # Real-world incident case studies
├── automation/        # SOAR playbooks and automation scripts
├── training/          # Training materials and lab exercises
└── resources/         # Additional resources and references
```
## Core Components

### Threat Hunting Arsenal

- **KQL Queries**: Advanced hunting queries for Microsoft Sentinel
- **Splunk SPL**: Comprehensive search queries for Splunk environments
- **Elastic EQL**: Event Query Language for Elasticsearch
- **Sigma Rules**: Platform-agnostic detection rules

### SOC Playbooks

- **Incident Response**: Step-by-step response procedures
- **Threat Intelligence**: TI collection and analysis workflows
- **Malware Analysis**: Safe analysis procedures and tools
- **Forensics**: Digital forensics methodologies

### Operational Excellence

- **SOC Metrics**: KPIs and measurement frameworks
- **Shift Handovers**: Standardized communication templates
- **Escalation Procedures**: Clear escalation matrices
- **Tool Integrations**: Configuration guides for major security tools
## Tools & Technologies

### SIEM Platforms

- Microsoft Sentinel / Azure Sentinel
- Splunk Enterprise Security
- IBM QRadar
- Elasticsearch (ELK Stack)
- Wazuh
- LogRhythm

### Threat Intelligence Platforms

- MISP (Malware Information Sharing Platform)
- OpenCTI
- ThreatConnect
- Anomali ThreatStream

### SOAR Solutions

- Phantom (Splunk)
- Microsoft Power Automate
- TheHive + Cortex
- IBM Resilient
## Getting Started

### For SOC Analysts

1. Start with `fundamentals/soc-analyst-guide.md`
2. Review common playbooks in `playbooks/`
3. Practice with hunting queries in `hunting-queries/`

### For SOC Managers

1. Check `fundamentals/soc-management.md`
2. Review metrics and KPIs in `metrics/`
3. Explore automation opportunities in `automation/`

### For Security Engineers

1. Dive into `tools-configs/` for setup guides
2. Review detection rules in `detection-rules/`
3. Check integration guides in `integrations/`
## Documentation

- **SOC Fundamentals**: Core concepts and principles
- **Threat Hunting Guide**: Advanced hunting techniques
- **Incident Response**: IR methodologies and procedures
- **Tool Configuration**: Setup and configuration guides
- **API References**: Integration and automation APIs
## Roadmap

- Phase 1: Foundation (Q1 2025)
- Phase 2: Advanced Content (Q2 2025)
- Phase 3: Automation & AI (Q3 2025)
- Phase 4: Community & Scale (Q4 2025)
- Phase 5: Next Generation SOC (Q1 2026)
## Featured Content

### Most Popular Queries

- **Brute Force Detection**: Multi-platform detection rules
- **Lateral Movement Hunting**: Advanced TTPs identification
- **Data Exfiltration Monitoring**: Comprehensive monitoring approaches
- **Privilege Escalation**: Detection and response procedures
## Contributing

We welcome contributions from the cybersecurity community! Here's how you can help:

### Ways to Contribute

- Submit new hunting queries
- Add tool configurations
- Improve documentation
- Report bugs and issues
- Suggest new features

### Contribution Process

1. Fork the repository
2. Create a feature branch (`git checkout -b feature/AmazingFeature`)
3. Commit your changes (`git commit -m 'Add some AmazingFeature'`)
4. Push to the branch (`git push origin feature/AmazingFeature`)
5. Open a Pull Request

### Guidelines

- Follow the Contribution Guidelines
- Ensure all queries are tested and documented
- Include relevant MITRE ATT&CK mappings
- Use clear, descriptive commit messages
## Security

This repository contains security-related content intended for defensive purposes only. Please use responsibly and in accordance with:

- Your organization's security policies
- Applicable laws and regulations
- Ethical guidelines for cybersecurity professionals
## Community & Support

- **Discussions**: GitHub Discussions
- **Issues**: Report Issues
- **LinkedIn**: Shubhendu Shubham
- **Twitter**: @sivolko
## Acknowledgments

Special thanks to:

- The cybersecurity community for their continuous contributions
- MITRE Corporation for the ATT&CK framework
- NIST for cybersecurity guidelines
- All contributors who make this project possible
## License

This project is licensed under the MIT License - see the LICENSE file for details.

If this repository helped you, please consider giving it a star!

Made with love by sivolko and the cybersecurity community