SYSTEM ONLINE — SOC ANALYST PORTFOLIO — ROUTETOROOT

Eric Ellison

// SOC Analyst  |  Blue Team  |  Detection Engineering

25 hands-on cybersecurity labs demonstrating real-world SOC analyst skills — from packet capture and log analysis to SIEM detection engineering, GRC compliance, and threat hunting across Elastic and Splunk.

25 Labs Completed
2 SIEM Platforms
6 GRC Frameworks
100% Evidence-Based

Portfolio Narrative

This portfolio documents a complete, self-directed journey into cybersecurity from the ground up. Every lab is evidence-based with real tool output, screenshots, and ServiceNow-style incident tickets — the same documentation format used in enterprise SOC environments. The labs follow a logical progression from foundational networking to advanced detection engineering and compliance.

TRAFFIC CAPTURE → LOG ANALYSIS → SIEM DETECTION → THREAT HUNTING → RISK & COMPLIANCE → REMEDIATION

All 25 Labs

PHASE 1 — SOC FUNDAMENTALS (Labs 01–10)
LAB 01
Packet Capture Basics
Wireshark
Captured and analyzed live network traffic to identify protocols, endpoints, and packet structure.
LAB 02
Network Path Analysis
ping, traceroute
Mapped network paths and identified routing hops to understand traffic flow and latency.
LAB 03
DNS Resolution and Caching
Wireshark
Analyzed DNS query/response cycles and caching behavior to detect anomalous resolution patterns.
LAB 04
SSH Authentication Detection
System Logs
Monitored SSH authentication events in system logs to identify successful and failed login attempts.
LAB 05
Linux Log Analysis & Security Monitoring
System Logs
Performed structured log analysis across multiple Linux log sources to identify security-relevant events.
LAB 06
Port Scan Detection
Nmap, Wireshark
Executed and detected TCP port scans, identifying scan patterns and IOCs in packet captures.
LAB 07
Suspicious DNS Traffic Analysis
Wireshark
Identified anomalous DNS query patterns consistent with C2 beaconing and data exfiltration attempts.
LAB 08
HTTP Traffic Analysis
Wireshark, curl
Captured and dissected HTTP GET/response cycles to establish baseline normal web traffic behavior.
LAB 09
Suspicious HTTP Traffic Analysis
Wireshark, curl
Detected anomalous User-Agent strings (MSIE 6.0, obsolete since 2014) as indicators of malicious tooling.
LAB 10
HTTPS & TLS Traffic Analysis
Wireshark, curl
Analyzed TLS handshake, Client Hello, SNI, and encrypted Application Data in TLSv1.3 sessions.
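The port scan detection in Lab 06 comes down to one heuristic: a single source sending SYNs to many distinct ports on one host inside a short window, with the reply (SYN/ACK versus RST or silence) telling you which ports are open. The following is an added example written for this page, not code from the labs: it runs that heuristic over a constructed list of SYN records standing in for a Wireshark capture, and emits the Wireshark display filter that isolates the scanner's probes. The addresses, the 10-port threshold and the 5-second window are assumptions, not values taken from the lab.

```python
"""Port-scan detection over constructed TCP SYN records (added example, not lab code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SynRecord:
    ts: float        # seconds since the start of the capture
    src: str
    dst: str
    dport: int
    answered: bool   # True if a SYN/ACK came back (open port), False if RST or no reply


def build_sample_records():
    """Constructed stand-in for a capture (assumed hosts, not from the lab):
    10.0.0.5 sweeps 15 ports on 10.0.0.20 in about three seconds, nmap -sS style,
    while 10.0.0.7 is a normal client reconnecting to SSH and HTTP over a minute."""
    sweep = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 3389]
    records = [
        SynRecord(ts=1.0 + i * 0.2, src="10.0.0.5", dst="10.0.0.20", dport=p, answered=p in (22, 80))
        for i, p in enumerate(sweep)
    ]
    records += [
        SynRecord(ts=0.5 + i * 10.0, src="10.0.0.7", dst="10.0.0.20", dport=80 if i % 2 else 22, answered=True)
        for i in range(6)
    ]
    return records


DISTINCT_PORT_THRESHOLD = 10   # assumed tuning value
WINDOW_SECONDS = 5.0           # assumed tuning value


def detect_port_scans(records, threshold=DISTINCT_PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Flag (src, dst) pairs where one source probes at least `threshold` distinct
    destination ports within `window` seconds.  The finding lists every port probed
    and the subset that answered with SYN/ACK, which is the IOC set an analyst records."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r.src, r.dst)].append(r)
    findings = {}
    for pair, recs in by_pair.items():
        recs.sort(key=lambda r: r.ts)
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it fits inside `window` seconds
            while recs[end].ts - recs[start].ts > window:
                start += 1
            if len({r.dport for r in recs[start:end + 1]}) >= threshold:
                findings[pair] = {
                    "first_ts": recs[0].ts,
                    "last_ts": recs[-1].ts,
                    "ports_probed": sorted({r.dport for r in recs}),
                    "open_ports": sorted({r.dport for r in recs if r.answered}),
                }
                break
    return findings


def wireshark_filter(src, dst):
    """Display filter that pulls the scanner's half-open probes out of the full capture:
    a SYN scan sends SYN without ACK, and the reply decides open versus closed."""
    return f"ip.src == {src} && ip.dst == {dst} && tcp.flags.syn == 1 && tcp.flags.ack == 0"


if __name__ == "__main__":
    for (src, dst), f in detect_port_scans(build_sample_records()).items():
        print(f"SCAN {src} -> {dst}: {len(f['ports_probed'])} ports in "
              f"{f['last_ts'] - f['first_ts']:.1f}s, open={f['open_ports']}")
        print("  filter:", wireshark_filter(src, dst))
```

The benign client never trips the rule because it only ever touches two ports, however many times it reconnects; distinct ports per window, not packet count, is what separates a scan from a busy host.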
PHASE 2 — ELASTIC SIEM (Labs 11–14)
LAB 11
Elastic SIEM Setup
Elastic Cloud, Elastic Agent
Deployed Elastic Cloud Serverless SIEM, enrolled Elastic Agent on Kali Linux, and confirmed log ingestion.
LAB 12
Elastic Detection Rules
Kibana, KQL
Installed built-in detection rules and created a custom SSH authentication failure rule using KQL.
LAB 13
Elastic Attack Simulation & Alerting
Elastic SIEM, SSH
Simulated SSH brute force and identified a persistent detection gap — auth logs not ingested. Gap resolved in Lab 21.
LAB 14
Threat Hunting in Kibana
Kibana Discover
Conducted proactive hunts identifying 16 DEGRADED component state transitions and confirming detection gaps.
PHASE 3 — GRC COMPLIANCE (Labs 15–20)
LAB 15
GRC: Log Retention Policy
NIST SP 800-53
Mapped 5 log sources to NIST AU controls, identified 3 retention gaps, and proposed remediation.
LAB 16
GRC: Incident Response Compliance
NIST CSF, ISO 27001
Mapped the Lab 13 SSH brute force incident to NIST CSF and ISO 27001 response requirements.
LAB 17
GRC: Risk Assessment
NIST SP 800-53
Identified 4 risks (3 rated High) against the lab environment and mapped mitigating controls.
LAB 18
GRC: Access Control Review
NIST SP 800-53
Identified 6 access control gaps (4 rated High) and mapped to NIST AC and IA control families.
LAB 19
GRC: Audit Simulation
NIST SP 800-53
Tested 14 controls — 4 pass, 4 partial, 6 fail — with a full evidence package (E-001 through E-010).
LAB 20
GRC: Policy & Technical Enforcement
NIST SP 800-53, Elastic
Authored 8 security policy requirements and documented technical enforcement in Elastic SIEM and Linux.
PHASE 4 — REMEDIATION & SPLUNK (Labs 21–25)
LAB 21
SSH Detection Gap Remediation
rsyslog, Elastic SIEM
Resolved a persistent detection gap across 8 labs — installed rsyslog, enabled log forwarding, confirmed 31 alerts.
LAB 22
Splunk Setup & Log Ingestion
Splunk Enterprise 10.2.2
Installed Splunk Enterprise on Kali Linux, configured auth.log monitoring, and confirmed 180 events ingested.
LAB 23
Splunk Detection Rules
Splunk, SPL
Created a real-time SSH brute force detection rule using SPL, validated against 75 existing events.
LAB 24
Splunk Attack Simulation & Alerting
Splunk, SSH
Simulated SSH brute force and confirmed 15 real-time Splunk alerts fired — end-to-end detection validated.
LAB 25
Threat Hunting in Splunk
Splunk, SPL
Conducted 4 proactive hunts identifying 125 auth failures and two distinct attack windows via timechart.
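The SSH thread running through Labs 12, 13, 21, 23, 24 and 25 is one detection expressed three ways: a KQL rule, an SPL rule, and a timechart hunt that finds the attack windows after the fact. The block below is an added example written for this page, not code from the portfolio, Elastic or Splunk. It parses constructed auth.log lines in the Debian/Kali sshd format, fires the brute force rule (N failures from one source inside a sliding window), escalates when the same source later logs in successfully, and buckets events the way Splunk's timechart does so that separate attack windows fall out. The log lines, the hostname, the 5-in-60-seconds threshold and the 3-failures-per-minute window cutoff are all assumed.

```python
"""SSH brute-force detection and attack-window hunting (added example, not lab code)."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in auth.log format, not output from the labs: 192.168.56.101
# runs two guessing bursts, then logs in as root; 192.168.56.1 is a normal user.
SAMPLE_AUTH_LOG = """\
Mar 10 14:00:01 kali sshd[1201]: Accepted password for eric from 192.168.56.1 port 50010 ssh2
Mar 10 14:02:11 kali sshd[1210]: Failed password for invalid user admin from 192.168.56.101 port 51234 ssh2
Mar 10 14:02:13 kali sshd[1211]: Failed password for invalid user admin from 192.168.56.101 port 51236 ssh2
Mar 10 14:02:14 kali sshd[1212]: Failed password for root from 192.168.56.101 port 51238 ssh2
Mar 10 14:02:16 kali sshd[1213]: Failed password for root from 192.168.56.101 port 51240 ssh2
Mar 10 14:02:17 kali sshd[1214]: Failed password for invalid user test from 192.168.56.101 port 51242 ssh2
Mar 10 14:02:19 kali sshd[1215]: Failed password for root from 192.168.56.101 port 51244 ssh2
Mar 10 14:05:00 kali sshd[1220]: Failed password for eric from 192.168.56.1 port 50020 ssh2
Mar 10 14:05:04 kali sshd[1220]: Accepted password for eric from 192.168.56.1 port 50020 ssh2
Mar 10 14:10:30 kali sshd[1230]: Failed password for root from 192.168.56.101 port 51300 ssh2
Mar 10 14:10:33 kali sshd[1231]: Failed password for root from 192.168.56.101 port 51302 ssh2
Mar 10 14:10:36 kali sshd[1232]: Failed password for root from 192.168.56.101 port 51304 ssh2
Mar 10 14:10:39 kali sshd[1233]: Failed password for root from 192.168.56.101 port 51306 ssh2
Mar 10 14:10:42 kali sshd[1234]: Failed password for root from 192.168.56.101 port 51308 ssh2
Mar 10 14:11:05 kali sshd[1235]: Accepted password for root from 192.168.56.101 port 51310 ssh2
Mar 10 14:12:00 kali sshd[1236]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
"""

# sshd password outcomes; "invalid user" is present when the account does not exist
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)
ASSUMED_YEAR = 2025                  # syslog timestamps carry no year
ORIGIN = datetime(ASSUMED_YEAR, 1, 1)


def parse_auth_log(text):
    """Matching sshd lines become events; other auth.log lines (sessions, sudo) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "user": m["user"], "src": m["src"], "ok": m["outcome"] == "Accepted"})
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events, threshold=5, window_seconds=60):
    """One finding per source whose failures reach `threshold` inside any `window_seconds`
    span, the condition the labs' KQL and SPL rules express.  `success_after` marks a
    later Accepted login from that source, the case to treat as a likely compromise."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["src"]].append(e)
    findings = {}
    for src, fails in failures.items():
        recent = deque()
        for e in fails:                       # time-ordered by parse_auth_log
            recent.append(e)
            while (e["ts"] - recent[0]["ts"]).total_seconds() > window_seconds:
                recent.popleft()
            if len(recent) >= threshold:
                findings[src] = {"triggered_at": e["ts"], "failures": len(recent),
                                 "users": sorted({x["user"] for x in recent})}
                break                         # first trigger; a real-time alert keeps firing
    for src, f in findings.items():
        f["success_after"] = any(e["ok"] and e["src"] == src and e["ts"] >= f["triggered_at"]
                                 for e in events)
    return findings


def timechart(events, span_seconds=60):
    """Failed/accepted counts per bucket: the shape of `timechart span=1m count` in SPL."""
    chart = defaultdict(Counter)
    for e in events:
        offset = int((e["ts"] - ORIGIN).total_seconds())
        bucket = ORIGIN + timedelta(seconds=offset - offset % span_seconds)
        chart[bucket]["accepted" if e["ok"] else "failed"] += 1
    return dict(sorted(chart.items()))


def attack_windows(chart, span_seconds=60, min_failures=3):
    """Merge consecutive buckets with at least `min_failures` failures into windows;
    a quiet bucket between two bursts yields two distinct windows."""
    windows, current = [], None
    for start, counts in chart.items():
        if counts["failed"] >= min_failures:
            if current and start == current["end"]:
                current["end"] = start + timedelta(seconds=span_seconds)
                current["failures"] += counts["failed"]
            else:
                current = {"start": start, "end": start + timedelta(seconds=span_seconds),
                           "failures": counts["failed"]}
                windows.append(current)
        else:
            current = None
    return windows


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for src, f in detect_brute_force(evs).items():
        print(f"ALERT {src}: {f['failures']} failures by {f['triggered_at']:%H:%M:%S}, "
              f"users={f['users']}, success_after={f['success_after']}")
    for w in attack_windows(timechart(evs)):
        print(f"attack window {w['start']:%H:%M}-{w['end']:%H:%M}: {w['failures']} failures")
```

The pam_unix session line is parsed out rather than failed on, which matters in practice: a rule that assumes every sshd line is a password event breaks the moment the log rotates in something else. The single failure from 192.168.56.1 at 14:05 stays below both the alert threshold and the window cutoff, so it neither pages anyone nor pollutes the hunt.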

Technical Skills

Elastic SIEM
Detection Engineering
Splunk Enterprise
Detection Engineering
KQL / SPL
Query Languages
Wireshark
Network Analysis
Linux / Bash
System Administration
Log Analysis
Threat Detection
NIST SP 800-53
GRC / Compliance
Incident Response
SOC Operations
Threat Hunting
Proactive Defense
Risk Assessment
GRC / Compliance
ServiceNow (Simulation)
Ticketing / ITSM
VMware Workstation
Virtualization