SOC Analyst in Training

Nishant Sharma

Building an enterprise-grade SOC lab from scratch — Active Directory, Elastic SIEM, Suricata IDS, TheHive SOAR, and AI-assisted threat detection. Pursuing SOC L1.

Lab: Active
CDSA Exam: Preparing
Open to Opportunities
elastic-kibana — ssh
# SOC Lab Status Check
$ systemctl status elasticsearch
elasticsearch.service — active (running)
$ curl localhost:5601/api/status
{"status":"green","alerts":3}
$ cat /var/log/suricata/fast.log | tail -2
[**] ET SCAN Nmap Stealth [**]
[**] LSASS memory access detected [**]
$ python3 ioc_enrich.py --ip 185.220.101.5
VT: 47 detections | Abuse: 98% | MALICIOUS
$

Who I Am

I am a cybersecurity student at Parul University with 4 years of security study, now seriously pursuing a career in Security Operations for the last 6 weeks.

I built a fully functional enterprise SOC home lab from scratch — dual domain controllers, multi-subnet AD environment, hybrid cloud connectivity via Tailscale, and a full detection stack using Elastic SIEM, Suricata IDS, Zeek, TheHive SOAR, and Sysmon.

I operate both the red and blue sides of my lab — I run attack simulations using Atomic Red Team and Kali Linux, then investigate and document every detection as a formal incident report. I understand attacks from both the attacker's and defender's perspective.

Currently preparing for the HTB CDSA exam and CompTIA Security+. Targeting a SOC Analyst L1 role.

Active Directory & Windows Server: 85%
Elastic SIEM / KQL Detection Rules: 75%
Network Security / OPNsense / Suricata: 70%
Incident Response / SOAR / TheHive: 65%
Python Scripting for SOC Automation: 40%
HTB CDSA: ⟳ Exam prep — path complete
CompTIA Security+: ⟳ 98% course done
CompTIA CySA+: ◌ Planned — Month 3
Microsoft SC-200: ◌ Planned — Month 5
CompTIA Network+: ⟳ Studied — Udemy course
📍  Vadodara, Gujarat, India
🎓  Parul University — Cybersecurity
🎯  Target role: SOC Analyst L1
⏱  Seriously studying: 6 weeks
🖥  Lab VMs: 6+ (on-prem + Azure cloud)
📋  Incident reports written: 10+

Lab Architecture

A real enterprise simulation — multi-subnet AD environment connected to hybrid Azure cloud, with full-stack detection from host to network layer.

On-Premises Network — 3 Subnets
OPNsense: Gateway + Firewall; DHCP Relay + Routing; Suricata IDS + Zeek
DC01 (Primary): Domain Controller; AD DS + DNS; 192.168.10.10
DC02 (Backup): Backup DC; AD Replication; 192.168.10.11
SRV-DHCP/DNS: DHCP Server; DNS Resolver; 192.168.20.1
FILE-SRV01: File Server; Shared folders; GPO mapped drives
KALI-ELASTIC: Elastic + Kibana; SIEM + Detection; Bridge network

Azure Cloud — Hybrid
WIN-AZURE: Windows Server; Fleet Agent + Sysmon; Tailscale connected
UBUNTU-HIVE: TheHive + Cortex; SOAR + IOC enrichment; VirusTotal / AbuseIPDB
TAILSCALE VPN: Cloud ↔ On-Prem; Encrypted mesh tunnel
6+ VMs Deployed
3 Network Subnets
15+ Detection Rules
10+ Attack Simulations
5 IR Playbooks
2 SIEM Platforms

Technical Skills

🛡 SIEM & Detection
Built 15+ custom Elastic detection rules mapped to MITRE ATT&CK. KQL/EQL query writing, dashboard design, alert triage workflow.
Tools: Elastic SIEM, KQL, Kibana, Microsoft Sentinel, Logstash

🏢 Active Directory
Designed and operate dual DC environment. GPO management, OU structure, DHCP/DNS, Kerberos/NTLM authentication, AD attack surface knowledge.
Tools: AD DS, GPO, Kerberos, DNS/DHCP, NTLM

🌐 Network Security
OPNsense firewall/router with multi-subnet routing. Suricata IDS with ET Open rules. Zeek network metadata logging. Tailscale VPN mesh.
Tools: OPNsense, Suricata, Zeek, Tailscale, Firewall Rules

🔴 Attack Simulation
Ran 10+ MITRE ATT&CK technique simulations using Atomic Red Team and Kali Linux tools. Operated both red and blue sides of every scenario.
Tools: Atomic Red Team, Kali Linux, Mimikatz, CrackMapExec, Responder

📋 Incident Response
Built 5 IR playbooks in TheHive. Full SOC workflow: alert → auto-case → IOC enrichment → investigation → formal incident report → closure.
Tools: TheHive, Cortex, PICERL, VirusTotal API, AbuseIPDB

🤖 AI-Assisted SOC
Elastic AI Assistant for alert investigation. LLM-assisted KQL writing and IR report drafting. Understanding UEBA and behavioral analytics concepts.
Tools: Elastic AI, MS Sentinel Copilot, UEBA, LLM for SOC

The Project

One main project — an enterprise SOC environment built and operated entirely by me, from network design to threat detection to incident response.

Enterprise SOC Home Lab
Multi-subnet AD + Hybrid Cloud + Full Detection Stack + SOAR
Status: Active, Expanding
Built a fully functional enterprise-grade security operations environment from scratch. Designed the network topology, deployed all infrastructure, configured detection tools, ran attack simulations, and documented every finding as formal incident reports.
AD Environment: Dual DC, DHCP, DNS, File Server, multi-subnet, GPO (✓ Complete)
SIEM Stack: Elastic + Kibana + Sysmon + Fleet Agent on all hosts (✓ Complete)
Cloud Integration: Azure VMs connected via Tailscale VPN mesh (✓ Complete)
Detection Rules: 15+ KQL rules mapped to MITRE ATT&CK framework (⟳ In progress)
SOAR Integration: TheHive + Cortex + Elastalert2 auto-case creation (⟳ In progress)
Attack Simulations Documented

MITRE ID  | Technique                  | Tool Used       | Detection
T1003.001 | LSASS Credential Dump      | Mimikatz        | Elastic Event ID 10 rule
T1110.001 | Password Spray             | CrackMapExec    | Brute force rule — TheHive case
T1021.002 | Lateral Movement SMB       | PsExec          | Event ID 7045 + network log
T1557.001 | LLMNR Poisoning            | Responder       | Zeek DNS + Suricata alert
T1059.001 | PowerShell Encoded Cmd     | Atomic Red Team | Encoded command KQL rule
T1053.005 | Scheduled Task Persistence | Atomic Red Team | Event ID 4698 detection

Currently Learning

Skills and tools I am actively studying or planning to implement next in my lab.

01. Microsoft Defender XDR (Active)
Defender for Endpoint + Defender for Identity on my AD environment. Learning SC-200 exam content alongside implementation.

02. HTB CDSA Exam (Active)
Completed the full Certified Defensive Security Analyst path on HackTheBox. Currently revising and preparing to sit the exam.

03. Python for SOC (Active)
Building IOC enrichment scripts using VirusTotal, AbuseIPDB, and Shodan APIs to automate threat intelligence lookups.

04. Threat Hunting (Soon)
Using MITRE ATT&CK Navigator to identify detection gaps, then building KQL hunting queries to search for uncovered techniques.

05. Elastic ML & UEBA (Soon)
Enabling anomaly detection jobs in Elastic for behavioral baselines — login time analysis, data volume anomalies, process behavior.

06. CompTIA CySA+ (Planned)
SOC analyst specific certification. Planning to sit this exam after CDSA and Security+ are complete — target Month 3.

07. Microsoft SC-200 (Planned)
Microsoft Security Operations Analyst certification covering Sentinel, Defender XDR, and KQL. Target Month 5.

08. Velociraptor / DFIR (Planned)
Digital forensics and live endpoint investigation using Velociraptor. Real incident responders use this for active investigations.