SYSTEM ONLINE — SOC ANALYST PORTFOLIO — ROUTETOROOT

Eric Ellison

// SOC Analyst | Blue Team | Detection Engineering

29 hands-on cybersecurity labs demonstrating real-world SOC analyst skills — from packet capture and log analysis to SIEM detection engineering, GRC compliance, threat hunting, and cloud security across Elastic, Splunk, and Microsoft Sentinel.

⬡ GITHUB PROFILE ✉ CONTACT ▶ YOUTUBE

29 Labs Completed

3 SIEM Platforms

6 GRC Frameworks

100% Evidence-Based

// 01 — ABOUT

Portfolio Narrative

This portfolio documents a complete, self-directed journey into cybersecurity from the ground up. Every lab is evidence-based with real tool output, screenshots, and ServiceNow-style incident tickets — the same documentation format used in enterprise SOC environments. The labs follow a logical progression from foundational networking to advanced detection engineering and compliance.

TRAFFIC CAPTURE → LOG ANALYSIS → SIEM DETECTION → THREAT HUNTING → RISK & COMPLIANCE → CLOUD SECURITY

// 02 — LABS

All 29 Labs

PHASE 1 — SOC FUNDAMENTALS (Labs 01–10)

Packet Capture Basics

Captured and analyzed live network traffic to identify protocols, endpoints, and packet structure.

Network Path Analysis

ping, traceroute

Mapped network paths and identified routing hops to understand traffic flow and latency.

DNS Resolution and Caching

Analyzed DNS query/response cycles and caching behavior to detect anomalous resolution patterns.

SSH Authentication Detection

Monitored SSH authentication events in system logs to identify successful and failed login attempts.

Linux Log Analysis & Security Monitoring

Performed structured log analysis across multiple Linux log sources to identify security-relevant events.

Port Scan Detection

Nmap, Wireshark

Executed and detected TCP port scans, identifying scan patterns and IOCs in packet captures.

Suspicious DNS Traffic Analysis

Identified anomalous DNS query patterns consistent with C2 beaconing and data exfiltration attempts.

HTTP Traffic Analysis

Wireshark, curl

Captured and dissected HTTP GET/response cycles to establish baseline normal web traffic behavior.

Suspicious HTTP Traffic Analysis

Wireshark, curl

Detected anomalous User-Agent strings (MSIE 6.0, obsolete since 2014) as indicators of malicious tooling.

HTTPS & TLS Traffic Analysis

Wireshark, curl

Analyzed TLS handshake, Client Hello, SNI, and encrypted Application Data in TLSv1.3 sessions.

PHASE 2 — ELASTIC SIEM (Labs 11–14)

Elastic SIEM Setup

Elastic Cloud, Elastic Agent

Deployed Elastic Cloud Serverless SIEM, enrolled Elastic Agent on Kali Linux, and confirmed log ingestion.

Elastic Detection Rules

Installed built-in detection rules and created a custom SSH authentication failure rule using KQL.

Elastic Attack Simulation & Alerting

Elastic SIEM, SSH

Simulated SSH brute force and identified a persistent detection gap — auth logs not ingested. Gap resolved in Lab 21.

Threat Hunting in Kibana

Kibana Discover

Conducted proactive hunts identifying 16 DEGRADED component state transitions and confirming detection gaps.

PHASE 3 — GRC COMPLIANCE (Labs 15–20)

GRC: Log Retention Policy

Mapped 5 log sources to NIST AU controls, identified 3 retention gaps, and proposed remediation.

GRC: Incident Response Compliance

NIST CSF, ISO 27001

Mapped the Lab 13 SSH brute force incident to NIST CSF and ISO 27001 response requirements.

GRC: Risk Assessment

Identified 4 risks (3 rated High) against the lab environment and mapped mitigating controls.

GRC: Access Control Review

Identified 6 access control gaps (4 rated High) and mapped to NIST AC and IA control families.

GRC: Audit Simulation

Tested 14 controls — 4 pass, 4 partial, 6 fail — with a full evidence package (E-001 through E-010).

GRC: Policy & Technical Enforcement

NIST SP 800-53, Elastic

Authored 8 security policy requirements and documented technical enforcement in Elastic SIEM and Linux.

REMEDIATION & SPLUNK (Labs 21–25)

SSH Detection Gap Remediation

rsyslog, Elastic SIEM

Resolved a persistent detection gap across 8 labs — installed rsyslog, enabled log forwarding, confirmed 31 alerts.

Splunk Setup & Log Ingestion

Splunk Enterprise 10.2.2

Installed Splunk Enterprise on Kali Linux, configured auth.log monitoring, and confirmed 180 events ingested.

Splunk Detection Rules

Created a real-time SSH brute force detection rule using SPL, validated against 75 existing events.

Splunk Attack Simulation & Alerting

Simulated SSH brute force and confirmed 15 real-time Splunk alerts fired — end-to-end detection validated.

Threat Hunting in Splunk

Conducted 4 proactive hunts identifying 125 auth failures and two distinct attack windows via timechart.

PHASE 4 — CLOUD SIEM (Lab 26+)

Cloud SIEM Detection with Microsoft Sentinel

Microsoft Sentinel, KQL, Azure

Deployed Sentinel in Azure, configured AMA data pipeline, wrote KQL detection rule, simulated brute force, and confirmed 7 incidents in Defender XDR.

Nessus Vulnerability Scan

Nessus Essentials, CVSS

Installed Nessus Essentials, ran a Basic Network Scan against localhost, identified 24 unique findings across 111 instances, and documented results in incident report format.

Python Security Automation

Python 3, AbuseIPDB API

Built 3 Python scripts to automate SOC triage — log parsing detected 6 failed SSH logins across 3 source IPs, IP reputation checked via AbuseIPDB API, and alert summary report generated with ranked offenders and recommended actions.

// 03 — SKILLS

Technical Skills

Elastic SIEM

Detection Engineering

Splunk Enterprise

Detection Engineering

Microsoft Sentinel

Cloud SIEM

KQL / SPL

Query Languages

Wireshark

Network Analysis

Linux / Bash

System Administration

Log Analysis

Threat Detection

NIST SP 800-53

GRC / Compliance

Incident Response

SOC Operations

Threat Hunting

Proactive Defense

Risk Assessment

GRC / Compliance

Microsoft Azure

Cloud Platform