William · SOC Analyst (Tier 1)

21.3K posts

@WilliamInCyber

SOC Analyst (Tier 1) | Splunk · SIEM · MITRE ATT&CK | 28 hands-on labs | SA-based, UK/Gulf timezone overlap | Open to remote roles

Johannesburg, South Africa · Joined March 2020
991 Following · 916 Followers
Pinned Tweet
William · SOC Analyst (Tier 1) @WilliamInCyber
🛡️ SOC Analyst (Tier 1) | Building in Public What 28 days of real blue-team work looks like: 🔍 Splunk · SIEM · Log Analysis 🧠 MITRE ATT&CK · Threat Detection 💻 Kali · Ubuntu · Windows lab 📜 ISC2 Certified in Cybersecurity
William · SOC Analyst (Tier 1)
5/5 Learn the patterns and you'll understand any tool they put in front of you. Chase tools and you'll always feel one step behind. What tool are you learning right now?
William · SOC Analyst (Tier 1)
4/5 A brute-force attempt looks the same whether you're staring at Splunk or Sentinel. Learn what the attack looks like first. The tool is just the window you watch it through.
William · SOC Analyst (Tier 1)
SOC analyst advice I wish I'd heard sooner. Stop chasing tools. Start understanding behaviour 🧵
William · SOC Analyst (Tier 1)
5/5 If you're learning SOC or Linux from scratch, bookmark it now. ss64.com What command do you Google every time, no matter how long you've been at this?
William · SOC Analyst (Tier 1)
4/5 The trick isn't memorising commands. It's knowing exactly where to look the instant you need one. Then repetition builds the muscle memory for you.
William · SOC Analyst (Tier 1)
Most people ask me how I remember all the Linux commands. I don't. I keep this one site open in a tab during every single lab 🧵
William · SOC Analyst (Tier 1)
This is exactly why IP reputation alone fails: a residential proxy looks like a home user until you enrich it. In my CorpOps lab the lesson was the same: the IP is a starting point, not a verdict. You need ASN, geo, and behavior context before deciding the traffic is clean.
The Hacker News @TheHackersNews

A clean-looking IP can still hide a real attack. VPNs and residential proxies now appear in nearly every security incident, according to a Spur study of 200+ security practitioners. The problem: many teams still lack the context to know who is behind the traffic — and what to do next. Read the full story ➝ thehackernews.com/2026/06/survey…

William · SOC Analyst (Tier 1)
The Arc control plane is underrated for SOC work too. I used Arc to push the AMA and a DCR onto a Windows endpoint to land Event ID 4104 logs into Sentinel for a PowerShell hunt. Same single pane that does patching and CIS baselines also gets your detection telemetry off-Azure bad
Microsoft Mechanics @MSFTMechanics

AVD, off-Azure. Azure Virtual Desktop for hybrid environments turns any Azure Arc-enabled Windows VM or physical server into a session host. Get started. youtu.be/JDx8blnt5Aw Manage every server, container, and Kubernetes cluster you run — on-prem, in AWS, in GCP, at the edge — from a single Azure Arc control plane. Patch Windows and Linux together with Azure Update Manager, enforce CIS benchmarks and Azure Security Baselines through Azure Policy, and pull consistent inventory, tags, and RBAC across your whole estate. #AzureArc #Microsoft #Azure #MicrosoftAzure #AzureVirtualDesktop #HybridCloud

William · SOC Analyst (Tier 1)
@CyberSamuraiDev This is the kind of detail that separates a real investigation from a surface one: skip the .LOG1/.LOG2 replay and you miss the most recent activity entirely. The "small preprocessing step, big difference" lesson is universal. Saving the guide. Appreciate you documenting it.
Julian Derry @CyberSamuraiDev
Spent some time documenting a workflow that's easy to overlook in Windows Registry forensics, fixing dirty hives. If you analyze a registry hive without replaying its transaction logs (.LOG1/.LOG2), you could miss some of the most recent system activity, including program execution, USB insertions and configuration changes. Put together a practical guide covering acquisition with FTK Imager and replaying logs with Registry Explorer. Small preprocessing steps can make a big difference in an investigation. Link attached. drive.google.com/file/d/1fmbR2z…
William · SOC Analyst (Tier 1)
"Just you and the red text", felt that. My PowerShell hunt failed for hours because Event ID 4688 was gated and nothing showed. Wanted to close everything. The fix came from pivoting to 4104 script-block logging; the breakthrough was right on the other side of almost quitting.
XXIII @Maskoff023

The silence after failing a lab hits differently. you just stare at the screen. no music. no movement. just you and the red text. I've been there more times than I can count. and every single time, I wanted to close everything. but I didn't. and that's the only reason I'm here today. not skill. just stubbornness.

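The 4688-to-4104 pivot described in the reply above (and in the Arc/Sentinel post earlier on this page) is easy to show on a handful of event records. The block below is an added example, not code from William's thread or from either lab: it uses the real EventData field names of Security 4688 (NewProcessName, CommandLine) and of Microsoft-Windows-PowerShell/Operational 4104 (ScriptBlockId, ScriptBlockText, MessageNumber, MessageTotal, Path), but every event in SAMPLE_EVENTS is constructed. It shows why a 4688-only hunt comes back empty when command-line auditing is not enabled, and how to reassemble 4104 script blocks that the logging engine splits into chunks, flagging blocks whose chunks are missing.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry). Keys mirror the EventData
# field names of the two Windows channels.
SAMPLE_EVENTS = [
    # Security 4688 with "Include command line in process creation events"
    # left at its default (off): the process name is logged, CommandLine is
    # blank. This is the "gated" 4688 that shows nothing useful for a hunt.
    {"Channel": "Security", "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": ""},
    # PowerShell/Operational 4104: one script block, split into two chunks.
    {"Channel": "Microsoft-Windows-PowerShell/Operational", "EventID": 4104,
     "ScriptBlockId": "b1c2d3e4-0000-0000-0000-000000000001",
     "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "Get-ChildItem C:\\Users -Recurse | ", "Path": ""},
    {"Channel": "Microsoft-Windows-PowerShell/Operational", "EventID": 4104,
     "ScriptBlockId": "b1c2d3e4-0000-0000-0000-000000000001",
     "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "Where-Object Length -gt 10MB", "Path": ""},
    # A second script block whose second chunk never reached the SIEM.
    {"Channel": "Microsoft-Windows-PowerShell/Operational", "EventID": 4104,
     "ScriptBlockId": "b1c2d3e4-0000-0000-0000-000000000002",
     "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "Get-Process | Out-File C:\\lab\\procs.txt ",
     "Path": "C:\\lab\\inventory.ps1"},
]


def process_creation_view(events):
    """What a 4688-only hunt yields: process names, plus the command line
    only if command-line auditing was enabled on the host (None otherwise)."""
    rows = []
    for e in events:
        if e["Channel"] == "Security" and e["EventID"] == 4688:
            exe = e["NewProcessName"].rsplit("\\", 1)[-1]
            rows.append((exe, e["CommandLine"] or None))
    return rows


def reassemble_script_blocks(events):
    """Group 4104 chunks by ScriptBlockId and join them in MessageNumber order.

    Returns {ScriptBlockId: {"text": str, "complete": bool, "path": str}}.
    An incomplete block is kept (partial text is still evidence) but flagged,
    so the analyst knows they are not looking at the whole script.
    """
    chunks = defaultdict(dict)
    totals, paths = {}, {}
    for e in events:
        if e["EventID"] != 4104:
            continue
        sbid = e["ScriptBlockId"]
        chunks[sbid][e["MessageNumber"]] = e["ScriptBlockText"]
        totals[sbid] = e["MessageTotal"]
        paths[sbid] = e.get("Path", "")
    result = {}
    for sbid, parts in chunks.items():
        text = "".join(parts[n] for n in sorted(parts))
        result[sbid] = {"text": text,
                        "complete": len(parts) == totals[sbid],
                        "path": paths[sbid]}
    return result


def hunt_summary(events):
    """Side-by-side view: how much PowerShell content each source exposes."""
    proc = process_creation_view(events)
    blocks = reassemble_script_blocks(events)
    return {
        "4688_processes": len(proc),
        "4688_with_commandline": sum(1 for _, cl in proc if cl),
        "4104_script_blocks": len(blocks),
        "4104_incomplete": sum(1 for b in blocks.values() if not b["complete"]),
    }


if __name__ == "__main__":
    print(hunt_summary(SAMPLE_EVENTS))
    for sbid, block in reassemble_script_blocks(SAMPLE_EVENTS).items():
        status = "complete" if block["complete"] else "INCOMPLETE"
        print(f"{sbid} [{status}] {block['path'] or '<interactive>'}: {block['text']}")
```

The point of the incomplete flag: a detection that pattern-matches on reassembled ScriptBlockText can silently miss a hit when only the first chunk was ingested, so the hunt should report how many blocks were partial rather than treat every reassembled string as the whole script.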
William · SOC Analyst (Tier 1)
The most underrated take in cyber. My whole lab is UTM VMs on a Mac and Proxmox on an 8GB ThinkPad; every detection I've built came from the thinking, not the specs. SSH brute-force hunt, PowerShell script-block logging, all on modest hardware. The reasoning is the lab.
XXIII @Maskoff023

I used to think I needed a homelab with 3 servers and enterprise switches. meanwhile, I was running VirtualBox on a laptop with 8GB RAM. you know what I learned? breaches don't care about your hardware. they care about your thinking. start with what you have. think with what you have. the fancy stuff comes later.

William · SOC Analyst (Tier 1)
What I built:
- Defined the scenario and trust boundaries
- Applied all 6 STRIDE categories
- Built a visual attack path diagram
- Wrote 3 testable detection hypotheses using telemetry that already exists
Pure analytical work. No new tooling required.
William · SOC Analyst (Tier 1)
Day 3 of my SOC lab had zero code. No Python. No Splunk. No terminal. Just STRIDE applied to an AI agent most security teams have never threat modelled. Here is what broke 🧵