SOC Casefiles

✅ Verified Complete

Real-world incident investigation workflows with complete documentation. Demonstrates alert triage, IOC extraction, and ticket documentation skills.

Category: SOC Operations · Priority: high

Skills Demonstrated

  • Alert Triage
  • Incident Documentation
  • IOC Extraction
  • Ticket Notes

Tools Used

  • Markdown
  • Documentation

SOC Casefiles

This directory contains SOC-style incident investigation writeups demonstrating real-world security analysis workflows. Each casefile follows a structured format showing:

  • Alert/Event: What triggered the investigation
  • Triage: Initial assessment and prioritization
  • Investigation: Evidence gathering and analysis
  • Findings: What was discovered
  • Resolution: Actions taken and recommendations
  • Ticket Notes: Documentation suitable for a ticketing system

Casefiles

001 - Phishing Email Triage

Status: Template
Skills Demonstrated: Email header analysis, URL/IP reputation checks, IOC extraction

002 - Brute Force Login Attempts

Status: Template
Skills Demonstrated: Authentication log analysis, IP geolocation, threat intelligence enrichment

003 - Malware/EDR Alert

Status: Template
Skills Demonstrated: Endpoint detection analysis, file hash verification, containment procedures

004 - Impossible Travel Detection

Status: Template
Skills Demonstrated: Identity event correlation, geolocation analysis, user behavior analytics

005 - Splunk Failed Login Triage ⭐

Status: Real Evidence
Skills Demonstrated: Splunk query development, SIEM dashboard analysis, log correlation
Uses actual evidence: references the real Splunk dashboard and queries from the Log-Analysis project
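The failed-login casefiles (002 and 005) come down to the same analyst loop: parse the authentication events, decide per source IP whether the failure rate is an attack, check whether a success followed the burst, and turn the result into IOCs and a ticket note in the casefile sections above. The script below is an added example of that loop and is not code from the SOC Casefiles repository. The sshd log lines, hostnames and IP addresses in it are constructed sample data, the syslog year is assumed (syslog timestamps carry none), and the threshold of 5 failures in a 5-minute sliding window is an illustrative tuning choice, not a value the casefiles prescribe.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs): sshd auth outcomes in syslog format.
SAMPLE_AUTH_LOG = """\
Jan 14 03:10:00 web01 sshd[2200]: Connection closed by 203.0.113.45 port 51500 [preauth]
Jan 14 03:12:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 51522 ssh2
Jan 14 03:12:03 web01 sshd[2212]: Failed password for invalid user oracle from 203.0.113.45 port 51530 ssh2
Jan 14 03:12:06 web01 sshd[2214]: Failed password for root from 203.0.113.45 port 51538 ssh2
Jan 14 03:12:09 web01 sshd[2216]: Failed password for invalid user test from 203.0.113.45 port 51544 ssh2
Jan 14 03:12:12 web01 sshd[2218]: Failed password for root from 203.0.113.45 port 51552 ssh2
Jan 14 03:12:15 web01 sshd[2220]: Failed password for deploy from 203.0.113.45 port 51560 ssh2
Jan 14 03:12:40 web01 sshd[2240]: Accepted password for deploy from 203.0.113.45 port 51611 ssh2
Jan 14 03:15:10 web01 sshd[2301]: Failed password for alice from 198.51.100.7 port 40210 ssh2
Jan 14 03:16:55 web01 sshd[2310]: Accepted publickey for alice from 198.51.100.7 port 40218 ssh2
"""

# Only lines that state an auth outcome are triaged; preauth chatter is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_auth_log(text, year=2024):
    """One dict per sshd auth outcome. Syslog carries no year, so it is an
    assumption supplied by the caller (2024 here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def triage(events, threshold=5, window=timedelta(minutes=5)):
    """Flag each source IP with >= threshold failures inside any sliding window.
    A later success from the same IP escalates severity: brute force followed
    by an accepted login is the case an analyst must not close as noise."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        start, burst = 0, False
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        accepted = sorted({e["user"] for e in evs
                           if e["result"] == "Accepted" and e["ts"] > fails[0]["ts"]})
        findings[ip] = {
            "failures": len(fails),
            "usernames": sorted({e["user"] for e in fails}),
            "hosts": sorted({e["host"] for e in evs}),
            "first_seen": fails[0]["ts"],
            "last_seen": evs[-1]["ts"],
            "accepted_users": accepted,
            "severity": "high" if accepted else "medium",
        }
    return findings


def extract_iocs(findings):
    """IOCs for the ticket: flagged source IPs plus the username list they sprayed."""
    return {"ipv4": sorted(findings),
            "usernames": sorted({u for f in findings.values() for u in f["usernames"]})}


def ticket_note(findings):
    """Render findings in the casefile sections: Alert/Event, Triage, Findings, IOCs."""
    if not findings:
        return "## Findings\nNo source IP exceeded the failure threshold."
    iocs = extract_iocs(findings)
    hosts = sorted({h for f in findings.values() for h in f["hosts"]})
    lines = ["## Alert/Event", "SSH failed-login burst on " + ", ".join(hosts), "", "## Triage"]
    for ip, f in findings.items():
        lines.append(f"- {ip}: {f['failures']} failures across {len(f['usernames'])} usernames, "
                     f"{f['first_seen']:%H:%M:%S} to {f['last_seen']:%H:%M:%S}, severity {f['severity']}")
    lines += ["", "## Findings"]
    for ip, f in findings.items():
        if f["accepted_users"]:
            lines.append(f"- {ip} later authenticated as {', '.join(f['accepted_users'])}: "
                         "treat as possible compromise, reset the credential, review the session")
        else:
            lines.append(f"- {ip}: no successful login observed; block at the perimeter and monitor")
    lines += ["", "## IOCs", "- IPv4: " + ", ".join(iocs["ipv4"]),
              "- Usernames tried: " + ", ".join(iocs["usernames"])]
    return "\n".join(lines)


if __name__ == "__main__":
    print(ticket_note(triage(parse_auth_log(SAMPLE_AUTH_LOG))))
```

On the sample data the single legitimate user (one failure, then a key-based success) is not flagged, while the spraying address is flagged at severity high because its sixth failure is followed by an accepted password login for `deploy`; that distinction is the point of checking for a success after the burst rather than counting failures alone.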

Playbooks

See _Playbooks/ for reusable security playbooks covering common incident types.

How to Use These Casefiles

  1. For Hiring Managers: These demonstrate practical SOC analyst skills and documentation standards
  2. For Learning: Each casefile shows a complete investigation workflow from alert to resolution
  3. For Practice: Use these as templates for documenting your own lab investigations

Note: These casefiles are based on lab environments and public sample data. They demonstrate methodology and documentation skills rather than actual production incidents.

Evidence

  • 5 casefiles (4 templates, 1 backed by real Splunk evidence)
  • 4 operational playbooks