🛡️ SOC: Security Operations Center

The Ultimate Security Operations Center Knowledge Repository




"In the realm of cybersecurity, knowledge is your strongest defense."

🔥 What is SOC Bible?

SOC Bible is a comprehensive, end-to-end Security Operations Center cookbook that serves as the definitive guide for SOC analysts, security engineers, incident responders, and cybersecurity professionals. This repository contains curated knowledge, best practices, hunting queries, and industry-standard procedures to build, operate, and scale a world-class SOC.

✨ Why SOC Bible?

  • 🎯 Battle-Tested Knowledge: Real-world scenarios and solutions from industry veterans

  • 📚 Comprehensive Coverage: From SOC fundamentals to advanced threat hunting

  • 🔍 Ready-to-Use Queries: Pre-built detection rules and hunting queries for major SIEM platforms

  • 🏢 Industry Standards: Aligned with NIST, MITRE ATT&CK, and other security frameworks

  • 🚀 Scalable Solutions: Designed for organizations of all sizes

  • 🆓 Open Source: Community-driven and constantly evolving

📖 Table of Contents

🚀 Quick Start

📋 Repository Structure

🎯 Core Components

🔍 Threat Hunting Arsenal

  • KQL Queries: Advanced hunting queries for Microsoft Sentinel

  • Splunk SPL: Comprehensive search queries for Splunk environments

  • Elastic EQL: Event Query Language for Elasticsearch

  • Sigma Rules: Platform-agnostic detection rules

📘 SOC Playbooks

  • Incident Response: Step-by-step response procedures

  • Threat Intelligence: TI collection and analysis workflows

  • Malware Analysis: Safe analysis procedures and tools

  • Forensics: Digital forensics methodologies

🛠️ Operational Excellence

  • SOC Metrics: KPIs and measurement frameworks

  • Shift Handovers: Standardized communication templates

  • Escalation Procedures: Clear escalation matrices

  • Tool Integrations: Configuration guides for major security tools

🔧 Tools & Technologies

SIEM Platforms

  • Microsoft Sentinel / Azure Sentinel

  • Splunk Enterprise Security

  • IBM QRadar

  • Elasticsearch (ELK Stack)

  • Wazuh

  • LogRhythm

Threat Intelligence Platforms

  • MISP (Malware Information Sharing Platform)

  • OpenCTI

  • ThreatConnect

  • Anomali ThreatStream

SOAR Solutions

  • Phantom (Splunk)

  • Microsoft Power Automate

  • TheHive + Cortex

  • IBM Resilient

🏃‍♂️ Getting Started

For SOC Analysts

  1. Start with fundamentals/soc-analyst-guide.md

  2. Review common playbooks in playbooks/

  3. Practice with hunting queries in hunting-queries/

For SOC Managers

  1. Check fundamentals/soc-management.md

  2. Review metrics and KPIs in metrics/

  3. Explore automation opportunities in automation/

For Security Engineers

  1. Dive into tools-configs/ for setup guides

  2. Review detection rules in detection-rules/

  3. Check integration guides in integrations/

📚 Documentation

🗺️ Roadmap

🎯 Phase 1: Foundation (Q1 2025) ✅

🚀 Phase 2: Advanced Content (Q2 2025) ⏳

🔮 Phase 3: Automation & AI (Q3 2025) 📋

🌟 Phase 4: Community & Scale (Q4 2025) 📋

🔥 Phase 5: Next Generation SOC (Q1 2026) 🔮

  • Brute Force Detection: Multi-platform detection rules

  • Lateral Movement Hunting: Advanced TTPs identification

  • Data Exfiltration Monitoring: Comprehensive monitoring approaches

  • Privilege Escalation: Detection and response procedures

🤝 Contributing

We welcome contributions from the cybersecurity community! Here's how you can help:

Ways to Contribute

  • 📝 Submit new hunting queries

  • 🔧 Add tool configurations

  • 📚 Improve documentation

  • 🐛 Report bugs and issues

  • 💡 Suggest new features

Contribution Process

  1. Fork the repository

  2. Create a feature branch (git checkout -b feature/AmazingFeature)

  3. Commit your changes (git commit -m 'Add some AmazingFeature')

  4. Push to the branch (git push origin feature/AmazingFeature)

  5. Open a Pull Request

Guidelines

  • Ensure all queries are tested and documented

  • Include relevant MITRE ATT&CK mappings

  • Use clear, descriptive commit messages

🛡️ Security

This repository contains security-related content intended for defensive purposes only. Please use responsibly and in accordance with:

  • Your organization's security policies

  • Applicable laws and regulations

  • Ethical guidelines for cybersecurity professionals

📞 Community & Support

🙏 Acknowledgments

Special thanks to:

  • The cybersecurity community for their continuous contributions

  • MITRE Corporation for the ATT&CK framework

  • NIST for cybersecurity guidelines

  • All contributors who make this project possible

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.


⭐ If this repository helped you, please consider giving it a star! ⭐


Made with ❤️ by sivolko and the cybersecurity community
