FC-06

Monitoring, detection and response. Splunk, ELK, Sigma rules, Snort/Suricata, Velociraptor, MISP and Threat Hunting with MITRE ATT&CK. Requires FC-01 and FC-02.

50 lessons · 10 modules · Intermediate / Advanced · 4 themes

Why Blue Team is the backbone of cybersecurity

The numbers that explain everything

21 days: average time to detect a threat in a SOC without automation
68%: share of attacks that contain signs the SIEM should have caught earlier
$130K+: annual salary of a Senior SOC Analyst / Threat Hunter in the US
4,500+: Sigma rules available for SIEM in open-source repositories

After the course you will be able to

Not theory — hands-on practice in a real SOC stack with live attacks and incidents

🛡️Build a SOC from scratch: Splunk and ELK Stack, configure Sysmon and Wazuh agents
🔍Write Sigma rules for MITRE ATT&CK TTP detection — Detection-as-Code
🌐Configure IDS/IPS: Snort, Suricata, Zeek — real-time network detection
💻Deploy an EDR solution: Sysmon, Velociraptor, Wazuh for endpoint visibility
🧠Work with Threat Intelligence: MISP, OpenCTI, IoC feeds and the Pyramid of Pain
🕵️Conduct Threat Hunting: hypothesis-driven, LOLBins, PowerShell/WMI anomalies
🚨Investigate incidents using PICERL with TheHive + Cortex: playbooks for ransomware and phishing
Automate response via SOAR: Shuffle playbooks and enrichment through API

Real incidents in the course

We analyze high-profile breaches from the Blue Team perspective — what was missed, how to respond properly

Incident case · 2022

Uber 2022 — SOC missed a social engineering attack

An attacker gained access to Slack, Confluence and AWS through MFA fatigue and social engineering. SOC failed to react to the first alerts. We break down how to properly build detection and response processes.

Lesson 12 · Detection Engineering and alerts
Threat Hunt case · 2023

APT29 — how a Threat Hunter found what SIEM missed

Microsoft's Threat Hunt team discovered APT29 presence through DNS traffic anomalies that didn't trigger any SIEM rule. We demonstrate the hypothesis-driven hunting methodology.

Lesson 28 · Threat Hunting from scratch
Career · 2024

How to become a Tier 3 SOC Analyst in 18 months

The story of an analyst who went from Tier 1 (L1 support) to Tier 3 Threat Hunter at a major European bank. From first SIEM alerts to independent Red Team hunt operations. A real career path.

Lesson 46 · Career in Blue Team

Course Program

10 modules · 50 lessons · 4 themes: SOC Basics, SIEM & Detection, Endpoint & Threat Intelligence, Response & Optimization

Where this course leads

FC-06 — the starting point for a Blue Team career and entry into enterprise defense

$6,000 — $15,000/mo

SOC Lead / Manager

Lead a team of SOC analysts, build detection and response processes for the organization.

SIEM · SOAR · IR processes · Team Lead
Track: FC-06 → MC-06 → SOC Lead
$4,500 — $11,000/mo

Threat Hunter

Actively search for threats in infrastructure before they become incidents. Hypothesis-driven hunting and TTP analysis.

KQL/SPL · MITRE ATT&CK · Hunting · Threat Intel
Track: FC-06 → FC-07 → Threat Hunter
$3,500 — $9,000/mo

Incident Responder / IR Lead

Investigate incidents, coordinate response, write post-mortems and recommendations for strengthening defenses.

PICERL · DFIR · Forensics · Reporting
Track: FC-06 → FC-07 → IR Lead

Who this course is for

🛡️

Blue Team beginners

Want to enter the world of defensive security, understand how SOC works from the inside and master corporate monitoring tools from scratch

🔍

IT professionals

System administrators and network engineers who want to transition to SOC Analyst or IR specialist with proven skills

⚔️

After Red Team courses

Completed FC-05 and want to understand the other side — how Blue Team defends against attacks you studied. A unique dual perspective

Become a specialist in defense at enterprise level

52 hours of practice with Wazuh, Elastic SIEM, TheHive and Shuffle SOAR. Real incidents in a secure lab environment.

FC-06 — Blue Team & SOC
Defensive security
Lessons: 50
Modules: 10
Level: Intermediate / Advanced
Themes: 4
Splunk & ELK SIEM
Wazuh, Velociraptor EDR
3 real incident case studies
Career track after completion