I'm not the Xpert - SOC - 200 Use Cases Learning Resource for Cybersecurity Analysts! Part 1


TLDR;

I'm starting these learning posts to give back. I have been in the IT industry for years and have used many resources written by peers, which helped me along my journey. I leverage AI to generate the content, which eases the pain of looking for information and helps me learn faster than going through hundreds of hours of training and blogs.

In this post, I aim to bring Izzmier Izzuddin Zulkepli's work to life with an extra layer of accessibility and learning potential by integrating GenAI capabilities. For every one of the 200 must-know use cases for cybersecurity analysis, I've linked them to the MITRE ATT&CK framework, a treasure trove of tactics, techniques, and procedures (TTPs) that form the backbone of modern cybersecurity strategies.

By doing so, I hope to make it easier for cybersecurity professionals, whether you’re an L1 just starting or an experienced L2 or L3 analyst, to understand better how these use cases connect to real-world adversarial behaviour. This mapping also provides an opportunity to access curated learning resources, accelerating your ability to master each use case without wading through mountains of content.

What You’ll Find in This Resource:

  1. Actionable Use Cases: Each of the 200 use cases has been categorized and explained in detail, making them easy to reference during day-to-day operations or incident response.

  2. MITRE ATT&CK Integration: Each use case is mapped to specific ATT&CK techniques, offering a structured way to understand adversarial behaviour.

  3. Learning Resources: I’ve leveraged AI to generate summaries, link relevant blogs, courses, and documentation, and even include short AI-powered explainers where applicable.

Why This Matters:

In cybersecurity, context is king. The SOC environment is fast-paced, and analysts don’t always have the time to piece together how a particular alert or scenario ties back to a broader attack strategy. This resource gives you an all-in-one guide to deepen your knowledge and improve your analysis capabilities.

Example Use Case:

Let me give you a quick example of how this works:

Use Case #45: Detect Unauthorized Access to Cloud Resources

  • MITRE ATT&CK Techniques: T1078 (Valid Accounts), T1531 (Account Access Removal)

  • Description: This use case identifies unauthorized access or privilege escalation patterns in cloud environments like AWS or Azure.

  • Learning Resource: Links to AWS CloudTrail and Azure Monitor logs setup guides, a YouTube video explaining cloud security fundamentals, and a curated list of labs on platforms like TryHackMe or Hack The Box.

Collaboration and Feedback:

This post is not the end-all-be-all but a starting point. I welcome the community's feedback, additions, and suggestions to make this resource as comprehensive and helpful as possible.

I’ll share the first 20 use cases in this post and release more in the coming weeks. If you’re passionate about learning, cybersecurity, and giving back, let’s connect and collaborate to make the journey more manageable for the next wave of professionals.

1. Detection of Abnormal Device Enrollment in MDM


2. Detection of Unauthorized SSH Access to Cloud Instances


3. Detection of SQL Injection Attacks

  • MITRE Tactic: Initial Access

  • Technique ID: T1190

  • Technique Name: Exploit Public-Facing Application

  • Steps: Monitor web server logs for SQL payloads. Detect anomalies using threat intelligence. Alert on and block malicious traffic.

  • Key Insight: Protects web applications from database exploitation attempts.

  • Resource: https://attack.mitre.org/techniques/T1190/
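An added example (not part of the original post) of the "monitor web logs for SQL payloads" step above: it parses constructed Apache/Nginx combined-format access-log lines, URL-decodes each request, and tags it with the SQL injection indicators it contains. The sample addresses, requests and indicator list are assumptions for illustration; a production rule would use a maintained signature set.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in Apache/Nginx "combined" format; addresses and requests are invented.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:01:02 +0000] "GET /products?id=42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2025:10:01:07 +0000] "GET /products?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 88212 "-" "curl/8.0"
198.51.100.7 - - [10/Jan/2025:10:01:09 +0000] "GET /search?q=union%20select%20name,pass%20from%20users HTTP/1.1" 500 301 "-" "python-requests/2.31"
203.0.113.5 - - [10/Jan/2025:10:01:11 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators are applied to the URL-decoded request, so percent-encoding does not hide them.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "tautology": re.compile(r"['\"]\s*or\s+\d+\s*=\s*\d+", re.I),
    "comment_terminator": re.compile(r"(--|#|/\*)\s*$"),
    "schema_probe": re.compile(r"information_schema|sys\.tables", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark|waitfor)\s*\(", re.I),
}

def decode_request(path):
    # Decode twice so a double-encoded payload (%2527 -> %27 -> ') is still inspected.
    return unquote_plus(unquote_plus(path))

def scan_line(line):
    """Return a finding dict for a request carrying SQLi indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_request(m.group("path"))
    hits = [name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded)]
    if not hits:
        return None
    # The response status helps triage: a 200 with a large body after a tautology is worse than a 400.
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status")),
            "request": decoded, "indicators": hits}

def scan_log(text):
    return [f for f in map(scan_line, text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```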


4. Detection of Phishing URLs in Emails


5. Detection of Unauthorized Script Execution


6. Detection of Encoded PowerShell Commands


7. Detection of Suspicious Browser Extensions

  • MITRE Tactic: Execution

  • Technique ID: T1059

  • Technique Name: Command and Scripting Interpreter

  • Steps: Monitor browser extension installations. Detect unauthorized or malicious ones. Alert and remove risky extensions.

  • Key Insight: Prevents malicious browser extensions from compromising sensitive data.

  • Resource: https://attack.mitre.org/techniques/T1059/


8. Detection of Unauthorized Remote Access Tools

  • MITRE Tactic: Execution

  • Technique ID: T1219

  • Technique Name: Remote Access Software

  • Steps: Monitor system installations for remote access tools. Detect unauthorized tools like AnyDesk or TeamViewer. Alert and block malicious activity.

  • Key Insight: Prevents lateral movement through unauthorized remote access tools.

  • Resource: https://attack.mitre.org/techniques/T1219/
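An added example (not from the original post) of the "detect unauthorized tools like AnyDesk or TeamViewer" step: it triages constructed process-creation records shaped like Sysmon Event ID 1 fields, recognises the tool from the binary name or its description (so a renamed binary is still caught), and flags context a SOC analyst would want. The host names, the approved-host rule and the flag list are assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records modelled on Sysmon Event ID 1 fields (Image, Description,
# ParentImage); hosts and paths are invented for this example.
EVENTS = [
    {"host": "HELPDESK-01", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "description": "TeamViewer", "parent": r"C:\Windows\explorer.exe"},
    {"host": "FIN-PC-22", "image": r"C:\Users\asmith\AppData\Local\Temp\AnyDesk.exe",
     "description": "AnyDesk", "parent": r"C:\Windows\System32\wscript.exe"},
    {"host": "FIN-PC-22", "image": r"C:\Users\asmith\Downloads\updater.exe",
     "description": "AnyDesk", "parent": r"C:\Windows\explorer.exe"},
    {"host": "DEV-PC-03", "image": r"C:\Program Files\Git\bin\git.exe",
     "description": "Git", "parent": r"C:\Windows\System32\cmd.exe"},
]

# The two products named on the page; a production list covers many more remote access tools.
REMOTE_ACCESS_TOOLS = ("anydesk", "teamviewer")
# Assumed business rule: only the helpdesk host group is approved to run TeamViewer.
APPROVED_HOSTS = {"teamviewer": {"HELPDESK-01"}}
USER_WRITABLE = re.compile(r"\\(AppData|Downloads|Temp|Users\\Public)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

def identify_tool(event):
    """Match on the binary name or the PE description so a renamed binary is still recognised."""
    name = PureWindowsPath(event["image"]).stem.lower()
    desc = event["description"].lower()
    for tool in REMOTE_ACCESS_TOOLS:
        if tool in name or tool in desc:
            return tool
    return None

def assess(event):
    """Return an alert dict for an unapproved remote access tool, with context flags, else None."""
    tool = identify_tool(event)
    if tool is None or event["host"] in APPROVED_HOSTS.get(tool, set()):
        return None
    flags = ["unapproved_host"]
    if USER_WRITABLE.search(event["image"]):
        flags.append("user_writable_path")        # running from a user-writable location
    if PureWindowsPath(event["parent"]).name.lower() in SCRIPT_HOSTS:
        flags.append("script_host_parent")        # launched by a script rather than a user
    if tool not in PureWindowsPath(event["image"]).stem.lower():
        flags.append("renamed_binary")            # description says AnyDesk, file name does not
    return {"host": event["host"], "tool": tool, "image": event["image"], "flags": flags}

def triage(events):
    return [alert for alert in map(assess, events) if alert]
```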


9. Detection of Exploit Attempts on Web Servers


10. Detection of Unauthorized RDP Sessions


11. Detection of Suspicious Keylogging Tools


12. Detection of Network Enumeration Activities


13. Detection of Suspicious Log Deletions


14. Detection of Suspicious HTTP Traffic


15. Detection of Unauthorized Network Scans


16. Detection of Unauthorized File Modifications


17. Detection of Suspicious FTP Transfers


18. Detection of Unauthorized Cron Jobs


19. Detection of Suspicious File Encryption


20. Detection of Large Data Transfers to Cloud

  • MITRE Tactic: Exfiltration

  • Technique ID: T1567.002

  • Technique Name: Exfiltration Over Network Medium

  • Steps: Monitor upload sizes to cloud storage. Detect unusual spikes in transfer activity. Block unauthorized transfers and alert administrators.

  • Key Insight: Prevents data exfiltration through cloud applications.

  • Resource: https://attack.mitre.org/techniques/T1567/002/
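An added example (not from the original post) of the "monitor upload sizes to cloud storage and detect unusual spikes" steps: it aggregates constructed CASB/proxy egress records per user per day, then alerts when the day's volume to cloud storage exceeds a hard limit or deviates by more than three standard deviations from that user's own history. The watch-list of destinations, the thresholds and the minimum baseline length are assumptions for illustration.

```python
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# Constructed CASB/proxy egress records (user, day, destination, bytes uploaded); not real traffic.
EVENTS = [
    ("alice", date(2025, 1, 6), "drive.google.com", 40_000_000),
    ("alice", date(2025, 1, 7), "drive.google.com", 55_000_000),
    ("alice", date(2025, 1, 8), "drive.google.com", 38_000_000),
    ("alice", date(2025, 1, 9), "drive.google.com", 47_000_000),
    ("alice", date(2025, 1, 10), "drive.google.com", 3_900_000_000),
    ("alice", date(2025, 1, 10), "intranet.example", 900_000_000),  # not cloud storage: ignored
    ("bob", date(2025, 1, 6), "dropbox.com", 12_000_000),
    ("bob", date(2025, 1, 7), "dropbox.com", 15_000_000),
    ("bob", date(2025, 1, 8), "dropbox.com", 11_000_000),
    ("bob", date(2025, 1, 9), "dropbox.com", 13_000_000),
    ("bob", date(2025, 1, 10), "dropbox.com", 14_000_000),
]

CLOUD_STORAGE = {"drive.google.com", "dropbox.com", "onedrive.live.com"}  # assumed watch-list
HARD_LIMIT = 1_000_000_000   # 1 GB/day to cloud storage alerts regardless of baseline
Z_THRESHOLD = 3.0            # or more than 3 standard deviations above the user's own history
MIN_BASELINE_DAYS = 3        # do not trust a baseline built from fewer days than this

def daily_totals(events):
    totals = defaultdict(lambda: defaultdict(int))
    for user, day, dest, nbytes in events:
        if dest in CLOUD_STORAGE:
            totals[user][day] += nbytes
    return totals

def detect_spikes(events, today):
    # Returns one alert per user whose cloud upload volume on `today` is anomalous.
    alerts = []
    for user, per_day in daily_totals(events).items():
        current = per_day.get(today, 0)
        history = [b for d, b in per_day.items() if d < today]
        reasons = []
        if current > HARD_LIMIT:
            reasons.append("hard_limit")
        baseline = mean(history) if len(history) >= MIN_BASELINE_DAYS else None
        if baseline is not None:
            sigma = pstdev(history)
            # A flat history (sigma == 0) would make any change look infinite; require sigma > 0.
            if sigma > 0 and (current - baseline) / sigma > Z_THRESHOLD:
                reasons.append("baseline_deviation")
        if reasons:
            alerts.append({"user": user, "day": today, "bytes": current,
                           "baseline_mean": baseline, "reasons": reasons})
    return alerts
```

Calling `detect_spikes(EVENTS, date(2025, 1, 10))` flags only alice, on both criteria; bob's 14 MB day sits well inside his baseline.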

Conclusion

The journey to mastering cybersecurity is never-ending, but having actionable resources makes all the difference. These 200 must-know use cases aim to bridge the gap between understanding and applying cybersecurity tactics in your daily SOC operations.

Next Steps:

  1. Save this resource and explore the mapped MITRE ATT&CK tactics and techniques.

  2. Share your feedback in the comments to help improve and expand this effort.

  3. Spread the knowledge—share this with your team and peers.

What’s Coming Next: In the next post, I’ll share 20 more use cases, complete with MITRE ATT&CK mappings and practical learning resources. Follow me for updates, and let’s grow together as a community!

#CyberSecurity #SOC #ThreatDetection #CyberThreats #MITREATTACK #InfoSec #IncidentResponse #NetworkSecurity #CyberSecurityAnalyst #DataProtection #Tech #ArtificialIntelligence #GenAI #AIinCyberSecurity #ITInfrastructure #CloudSecurity #DigitalTransformation #Technology #CyberSecurityCommunity #LearningTogether #KnowledgeSharing #ProfessionalDevelopment #TeamWork #ContinuousLearning #Innovation #FutureOfWork #IT
