757-216-3656 | Monday–Friday 8:30 AM – 4:30 PM | info@itdojo.com

Course Duration

3 days

Audience

Employees of federal, state, and local governments, and of businesses working with the government.

Prerequisites

Completion of SOC Level 1 (or equivalent) is strongly recommended. Expected background: networking fundamentals, operating system fundamentals, security operations fundamentals, network traffic analysis, endpoint security monitoring, log analysis and SIEM, and basic digital forensics exposure.

Course Description

Security Operations (SOC) Level 2 is an advanced course designed to elevate your ability to detect, investigate, and respond to complex cyber threats at scale. Building on the foundational skills from SOC Level 1, it focuses on developing an effective investigative methodology and on the responsibilities of an incident responder and threat hunter. Through hands-on labs and realistic scenarios, you will investigate sophisticated threats across enterprise environments, applying techniques mapped to the MITRE ATT&CK framework. The curriculum treats proactive threat hunting as one stage of a continuous detection and response cycle. By the end of the course, you will have the mindset, tools, and methodologies needed to investigate incidents, trace root causes, and respond effectively to advanced adversaries.

This course includes an exam voucher for TCM Security's Practical SOC Analyst Professional (PSAP) certification. Each voucher covers one exam attempt and is valid for 12 months from the course completion date or the certification release date.

Learning Objectives

  • Develop a robust investigator's mindset to approach incidents methodically
  • Learn industry-standard methodologies and tools for detecting, hunting, and responding to cyber threats across enterprise environments
  • Gain experience performing incident response and threat hunting at scale
  • Investigate and identify advanced adversary tactics following the MITRE ATT&CK framework, including execution artifacts, lateral movement, credential theft, living-off-the-land techniques, persistence, defense evasion, command and control, and more
  • Perform effective attack timeline analysis and guide incident response and remediation efforts
  • Investigate the root cause of security incidents by uncovering the entry point

Course Outline

Day 1 – Threat Hunting Fundamentals
  • Understanding the modern adversary
  • Introduction to incident response and incident decision making
  • Introduction to threat hunting: teams, data sources, and maturity models
  • Cyber threat intelligence
  • Exploring the MITRE ATT&CK Navigator
  • Structured and unstructured threat hunting
  • Data transformation techniques in the command-line, PowerShell, and Splunk
  • Searching, aggregations, statistics, and visualizations

Day 2 – Anomaly Detection and Adversary Tactics
  • Understanding and categorizing anomalies: masquerading, ambiguous identifiers, frequency and volume anomalies
  • Temporal, location, environmental, structural, and format anomalies
  • Absence and suppression anomalies and entropy analysis
  • Dissecting threat reports and threat hunting labs
  • Tracing an attack chain
  • Hunting execution, malicious process trees, and persistence
  • Hunting defense evasion, command and control, and lateral movement

Day 3 – Enterprise Collection and Forensics
  • Collection at scale: WMI, PowerShell remoting, and remote collection frameworks
  • Triage artifact collection with KAPE
  • Incident response with Velociraptor
  • Windows memory structures and the Volatility framework
  • Process analysis, command line analysis, and network analysis
  • Registry analysis
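
The Day 2 anomaly categories (frequency and volume anomalies, masquerading, entropy analysis) are the kind of thing an analyst scripts over exported process-creation telemetry before pivoting into a SIEM. The following Python is an added illustration written for this page, not course material from IT Dojo or TCM Security. The events, host names, paths, and thresholds are constructed for the example; in particular the entropy threshold of 3.2 bits is tuned to this sample and would need calibration against a real baseline, since Shannon entropy rises with name length as well as randomness.

```python
import math
from collections import Counter, defaultdict

# Constructed process-creation events (host, parent image, child image path).
# Not real telemetry; assembled to contain one rare parent/child pair,
# one random-looking binary name, and one masquerading system binary.
EVENTS = [
    ("ws01", "explorer.exe", r"C:\Windows\System32\cmd.exe"),
    ("ws02", "explorer.exe", r"C:\Windows\System32\cmd.exe"),
    ("ws03", "explorer.exe", r"C:\Windows\System32\cmd.exe"),
    ("ws01", "explorer.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ("ws02", "explorer.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ("ws02", "WINWORD.EXE", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ("ws03", "svchost.exe", r"C:\Users\Public\x7q2mz9kf3.exe"),
    ("ws03", "explorer.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),
]

# Directories where the core Windows service binaries legitimately live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Binary names that should never execute from outside SYSTEM_DIRS (assumed allowlist).
SYSTEM_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def shannon_entropy(s):
    """Shannon entropy in bits per character; random-looking strings score higher."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def stack(events, key):
    """Frequency stacking: map each key value to the set of hosts it was seen on."""
    hosts = defaultdict(set)
    for host, parent, image in events:
        hosts[key(parent, image)].add(host)
    return hosts


def rare(stacked, max_hosts=1):
    """Least-frequency-of-occurrence: values observed on at most max_hosts hosts."""
    return sorted(k for k, h in stacked.items() if len(h) <= max_hosts)


def masquerading(events):
    """System-only binary names running from a non-system path."""
    hits = []
    for host, parent, image in events:
        name = basename(image).lower()
        if name in SYSTEM_ONLY and not image.lower().startswith(SYSTEM_DIRS):
            hits.append((host, image))
    return hits


def high_entropy(events, threshold=3.2):
    """Image file stems whose character entropy meets the (sample-tuned) threshold."""
    hits = []
    for host, parent, image in events:
        stem = basename(image).rsplit(".", 1)[0].lower()
        e = shannon_entropy(stem)
        if e >= threshold:
            hits.append((host, image, round(e, 2)))
    return hits


def find_anomalies(events):
    """Run the three hunts and return one report dictionary."""
    by_pair = stack(events, lambda parent, image: (parent, basename(image)))
    return {
        "rare_parent_child": rare(by_pair),
        "masquerading": masquerading(events),
        "high_entropy_names": high_entropy(events),
    }


if __name__ == "__main__":
    for category, findings in find_anomalies(EVENTS).items():
        print(category)
        for f in findings:
            print("   ", f)
```

The stacking key is the parent/child pair rather than the child alone because a common binary such as powershell.exe only becomes interesting in context (here, spawned by WINWORD.EXE on a single host). Each hunt yields leads, not verdicts; the next step is the Day 3 material: pull the triage artifacts from the flagged host and build the timeline.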

Get More Information

We work with Government Agencies, Military, government contractors, and corporate clients. As much as we would love to, our business model does not include working with the general public.