# SOC: Security Operations Center

### *The Ultimate Security Operations Center Knowledge Repository*

[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) [![GitHub stars](https://img.shields.io/github/stars/sivolko/soc-bible?style=for-the-badge\&logo=github\&logoColor=white\&labelColor=black\&color=gold)](https://github.com/sivolko/soc-bible/stargazers) [![GitHub forks](https://img.shields.io/github/forks/sivolko/soc-bible?style=for-the-badge\&logo=github\&logoColor=white\&labelColor=black\&color=blue)](https://github.com/sivolko/soc-bible/network) [![GitHub issues](https://img.shields.io/github/issues/sivolko/soc-bible?style=for-the-badge\&logo=github\&logoColor=white\&labelColor=black\&color=red)](https://github.com/sivolko/soc-bible/issues) [![GitHub pull requests](https://img.shields.io/github/issues-pr/sivolko/soc-bible?style=for-the-badge\&logo=github\&logoColor=white\&labelColor=black\&color=green)](https://github.com/sivolko/soc-bible/pulls) [![GitHub contributors](https://img.shields.io/github/contributors/sivolko/soc-bible?style=for-the-badge\&logo=github\&logoColor=white\&labelColor=black\&color=orange)](https://github.com/sivolko/soc-bible/graphs/contributors) [![GitHub last commit](https://img.shields.io/github/last-commit/sivolko/soc-bible?style=for-the-badge\&logo=github\&logoColor=white\&labelColor=black\&color=purple)](https://github.com/sivolko/soc-bible/commits/main) [![GitHub repo size](https://img.shields.io/github/repo-size/sivolko/soc-bible?style=for-the-badge\&logo=github\&logoColor=white\&labelColor=black\&color=teal)](https://github.com/sivolko/soc-bible) [![GitHub release](https://img.shields.io/github/v/release/sivolko/soc-bible?style=for-the-badge\&logo=github\&logoColor=white\&labelColor=black\&color=brightgreen)](https://github.com/sivolko/soc-bible/releases/latest) [![GitHub downloads](https://img.shields.io/github/downloads/sivolko/soc-bible/total?style=for-the-badge\&logo=github\&logoColor=white\&labelColor=black\&color=blueviolet)](https://github.com/sivolko/soc-bible/releases) [![GitHub workflow status](https://img.shields.io/github/actions/workflow/status/sivolko/soc-bible/ci.yml?branch=main\&style=for-the-badge\&logo=github-actions\&logoColor=white\&labelColor=black)](https://github.com/sivolko/soc-bible/actions) [![Contributions Welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=for-the-badge\&logo=open-source-initiative\&logoColor=white\&labelColor=black)](https://github.com/sivolko/soc-bible/blob/main/CONTRIBUTING.md)

#### 📊 **Live Repository Activity Dashboard**

![GitHub Activity Graph](https://github-readme-activity-graph.vercel.app/graph?username=sivolko\&repo=soc-bible\&theme=github-compact\&hide_border=true)

#### 📈 **Repository Metrics & Stats**

| 📊 **Metric**      | 📈 **Current Value**                                                                                                                                                                                      | 📅 **Updated** |
| ------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- |
| ⭐ Stars            | [![GitHub Stars](https://img.shields.io/github/stars/sivolko/soc-bible?style=for-the-badge\&logo=github\&logoColor=white\&labelColor=black\&color=gold)](https://github.com/sivolko/soc-bible/stargazers) | Real-time      |
| 🍴 Forks           | [![GitHub Forks](https://img.shields.io/github/forks/sivolko/soc-bible?style=flat-square\&color=blue)](https://github.com/sivolko/soc-bible/network/members)                                              | Real-time      |
| 👥 Contributors    | [![GitHub Contributors](https://img.shields.io/github/contributors/sivolko/soc-bible?style=flat-square\&color=orange)](https://github.com/sivolko/soc-bible/graphs/contributors)                          | Real-time      |
| 📝 Open Issues     | [![GitHub Issues](https://img.shields.io/github/issues/sivolko/soc-bible?style=flat-square\&color=red)](https://github.com/sivolko/soc-bible/issues)                                                      | Real-time      |
| 🔄 Pull Requests   | [![GitHub PRs](https://img.shields.io/github/issues-pr/sivolko/soc-bible?style=flat-square\&color=green)](https://github.com/sivolko/soc-bible/pulls)                                                     | Real-time      |
| 📦 Releases        | [![GitHub Release](https://img.shields.io/github/v/release/sivolko/soc-bible?style=flat-square\&color=brightgreen)](https://github.com/sivolko/soc-bible/releases)                                        | Real-time      |
| 💾 Repository Size | [![Repo Size](https://img.shields.io/github/repo-size/sivolko/soc-bible?style=flat-square\&color=teal)](https://github.com/sivolko/soc-bible)                                                             | Real-time      |
| 🕒 Last Commit     | [![Last Commit](https://img.shields.io/github/last-commit/sivolko/soc-bible?style=flat-square\&color=purple)](https://github.com/sivolko/soc-bible/commits/main)                                          | Real-time      |

> *"In the realm of cybersecurity, knowledge is your strongest defense."*

## 🔥 What is SOC Bible?

SOC Bible is a **comprehensive, end-to-end Security Operations Center cookbook** that serves as the definitive guide for SOC analysts, security engineers, incident responders, and cybersecurity professionals. This repository contains curated knowledge, best practices, hunting queries, and industry-standard procedures to build, operate, and scale a world-class SOC.

## ✨ Why SOC Bible?

* 🎯 **Battle-Tested Knowledge**: Real-world scenarios and solutions from industry veterans
* 📚 **Comprehensive Coverage**: From SOC fundamentals to advanced threat hunting
* 🔍 **Ready-to-Use Queries**: Pre-built detection rules and hunting queries for major SIEM platforms
* 🏢 **Industry Standards**: Aligned with NIST, MITRE ATT\&CK, and other security frameworks
* 🚀 **Scalable Solutions**: Designed for organizations of all sizes
* 🆓 **Open Source**: Community-driven and constantly evolving

## 📖 Table of Contents

* [🚀 Quick Start](#-quick-start)
* [📋 Repository Structure](#-repository-structure)
* [🎯 Core Components](#-core-components)
* [🔧 Tools & Technologies](#-tools--technologies)
* [🏃‍♂️ Getting Started](#️-getting-started)
* [📚 Documentation](#-documentation)
* [🗺️ Roadmap](#️-roadmap)
* [🤝 Contributing](#-contributing)
* [📄 License](#-license)

## 🚀 Quick Start

```bash
# Clone the repository
git clone https://github.com/sivolko/soc-bible.git

# Navigate to the directory
cd soc-bible

# Explore the structure
ls -la
```

## 📋 Repository Structure

```
soc-bible/
├── 📁 fundamentals/          # SOC basics and foundational knowledge
├── 📁 playbooks/            # Incident response and operational playbooks
├── 📁 hunting-queries/       # Threat hunting queries for various platforms
├── 📁 detection-rules/       # Custom detection rules and signatures
├── 📁 frameworks/           # Industry frameworks and methodologies
├── 📁 tools-configs/        # Configuration templates for security tools
├── 📁 compliance/           # Compliance guidelines and checklists
├── 📁 case-studies/         # Real-world incident case studies
├── 📁 automation/           # SOAR playbooks and automation scripts
├── 📁 training/             # Training materials and lab exercises
└── 📁 resources/            # Additional resources and references
```

## 🎯 Core Components

### 🔍 **Threat Hunting Arsenal**

* **KQL Queries**: Advanced hunting queries for Microsoft Sentinel
* **Splunk SPL**: Comprehensive search queries for Splunk environments
* **Elastic EQL**: Event Query Language for Elasticsearch
* **Sigma Rules**: Platform-agnostic detection rules

### 📘 **SOC Playbooks**

* **Incident Response**: Step-by-step response procedures
* **Threat Intelligence**: TI collection and analysis workflows
* **Malware Analysis**: Safe analysis procedures and tools
* **Forensics**: Digital forensics methodologies

### 🛠️ **Operational Excellence**

* **SOC Metrics**: KPIs and measurement frameworks
* **Shift Handovers**: Standardized communication templates
* **Escalation Procedures**: Clear escalation matrices
* **Tool Integrations**: Configuration guides for major security tools

## 🔧 Tools & Technologies

### SIEM Platforms

* Microsoft Sentinel / Azure Sentinel
* Splunk Enterprise Security
* IBM QRadar
* Elasticsearch (ELK Stack)
* Wazuh
* LogRhythm

### Threat Intelligence Platforms

* MISP (Malware Information Sharing Platform)
* OpenCTI
* ThreatConnect
* Anomali ThreatStream

### SOAR Solutions

* Phantom (Splunk)
* Microsoft Power Automate
* TheHive + Cortex
* IBM Resilient

## 🏃‍♂️ Getting Started

### For SOC Analysts

1. Start with `fundamentals/soc-analyst-guide.md`
2. Review common playbooks in `playbooks/`
3. Practice with hunting queries in `hunting-queries/`

### For SOC Managers

1. Check `fundamentals/soc-management.md`
2. Review metrics and KPIs in `metrics/`
3. Explore automation opportunities in `automation/`

### For Security Engineers

1. Dive into `tools-configs/` for setup guides
2. Review detection rules in `detection-rules/`
3. Check integration guides in `integrations/`

## 📚 Documentation

* [**SOC Fundamentals**](https://github.com/sivolko/soc-bible/blob/main/docs/fundamentals.md): Core concepts and principles
* [**Threat Hunting Guide**](https://github.com/sivolko/soc-bible/blob/main/docs/threat-hunting.md): Advanced hunting techniques
* [**Incident Response**](https://github.com/sivolko/soc-bible/blob/main/docs/incident-response.md): IR methodologies and procedures
* [**Tool Configuration**](https://github.com/sivolko/soc-bible/blob/main/docs/tool-configs.md): Setup and configuration guides
* [**API References**](https://github.com/sivolko/soc-bible/blob/main/docs/api-references.md): Integration and automation APIs

## 🗺️ Roadmap

### 🎯 Phase 1: Foundation (Q1 2025) ✅

* [x] Core SOC fundamentals documentation
* [x] Basic hunting queries collection
* [x] Essential playbooks development
* [x] Tool configuration templates

### 🚀 Phase 2: Advanced Content (Q2 2025) ⏳

* [ ] Advanced threat hunting techniques
* [ ] Machine learning integration guides
* [ ] Advanced persistent threat (APT) playbooks
* [ ] Cloud security monitoring guides

### 🔮 Phase 3: Automation & AI (Q3 2025) 📋

* [ ] SOAR automation templates
* [ ] AI-powered threat detection guides
* [ ] Custom AI prompts for SOC analysts
* [ ] Automated report generation tools

### 🌟 Phase 4: Community & Scale (Q4 2025) 📋

* [ ] Community contribution portal
* [ ] Interactive training modules
* [ ] Mobile-friendly documentation
* [ ] Multi-language support

### 🔥 Phase 5: Next Generation SOC (Q1 2026) 🔮

* [ ] Zero Trust architecture integration
* [ ] Quantum-safe cryptography guidance
* [ ] Extended Detection and Response (XDR) playbooks
* [ ] Cloud-native security operations

## 🎯 Featured Content

### 🔥 Most Popular Queries

* **Brute Force Detection**: Multi-platform detection rules
* **Lateral Movement Hunting**: Advanced TTPs identification
* **Data Exfiltration Monitoring**: Comprehensive monitoring approaches
* **Privilege Escalation**: Detection and response procedures

## 🤝 Contributing

We welcome contributions from the cybersecurity community! Here's how you can help:

### Ways to Contribute

* 📝 Submit new hunting queries
* 🔧 Add tool configurations
* 📚 Improve documentation
* 🐛 Report bugs and issues
* 💡 Suggest new features

### Contribution Process

1. Fork the repository
2. Create a feature branch (`git checkout -b feature/AmazingFeature`)
3. Commit your changes (`git commit -m 'Add some AmazingFeature'`)
4. Push to the branch (`git push origin feature/AmazingFeature`)
5. Open a Pull Request

### Guidelines

* Follow the [Contribution Guidelines](https://github.com/sivolko/soc-bible/blob/main/CONTRIBUTING.md)
* Ensure all queries are tested and documented
* Include relevant MITRE ATT\&CK mappings
* Use clear, descriptive commit messages

## 🛡️ Security

This repository contains security-related content intended for defensive purposes only. Please use responsibly and in accordance with:

* Your organization's security policies
* Applicable laws and regulations
* Ethical guidelines for cybersecurity professionals

## 📞 Community & Support

* 💬 **Discussions**: [GitHub Discussions](https://github.com/sivolko/soc-bible/discussions)
* 🐛 **Issues**: [Report Issues](https://github.com/sivolko/soc-bible/issues)
* 💼 **LinkedIn**: [Shubhendu Shubham](https://www.linkedin.com/in/shubhendu-shubham/)
* 🐦 **Twitter**: [@sivolko](https://twitter.com/sivolko)

## 🙏 Acknowledgments

Special thanks to:

* The cybersecurity community for their continuous contributions
* MITRE Corporation for the ATT\&CK framework
* NIST for cybersecurity guidelines
* All contributors who make this project possible

## 📄 License

This project is licensed under the MIT License - see the [LICENSE](https://github.com/sivolko/soc-bible/blob/main/LICENSE/README.md) file for details.

***

**⭐ If this repository helped you, please consider giving it a star! ⭐**

![GitHub last commit](https://img.shields.io/github/last-commit/sivolko/soc-bible?style=social\&logo=github) ![GitHub stars](https://img.shields.io/github/stars/sivolko/soc-bible?style=social) ![GitHub forks](https://img.shields.io/github/forks/sivolko/soc-bible?style=social) ![GitHub watchers](https://img.shields.io/github/watchers/sivolko/soc-bible?style=social)

Made with ❤️ by [sivolko](https://github.com/sivolko) and the cybersecurity community
