SOC Analyst Toolkit
Intermediate · 10 tools
A curated stack for security operations center analysts handling detection, triage, and incident response. Covers real-time monitoring and alerting, log analysis with detection rule frameworks, and forensic triage for endpoint investigation. Built around open source tools that integrate well together.
Detection & Monitoring
Deploy continuous monitoring across your environment. Wazuh provides host-based intrusion detection and SIEM capabilities, Sigma gives you portable detection rules that work across platforms, and osquery lets you query endpoint state using SQL syntax for real-time visibility.
Log Analysis
Process and analyze Windows event logs and system artifacts at speed. Hayabusa and Chainsaw parse EVTX files against Sigma rules for rapid threat hunting, while Plaso creates super timelines from multiple artifact sources to reconstruct incident sequences.
Forensic Triage
Collect and analyze endpoint artifacts for incident response. Velociraptor enables remote endpoint interrogation at scale, YARA rules identify malware by pattern matching, Timesketch correlates timeline data collaboratively, and capa detects malware capabilities through static analysis.