Operational Toolkit

SOC Analyst Operations Kit

The training teaches you the skill. The kit gives you the tools to deploy it. Detection rules, investigation playbooks, incident report templates, and hardening checklists — built for Microsoft 365 environments and ready to use in production today.

AiTM Phishing Pack: 5 rules · 1 playbook · 1 report
<rect x="220" y="40" width="170" height="70" rx="8" fill="#112436" stroke="#f59e0b" stroke-width="1"/>
<text x="234" y="68" fill="#f59e0b" font-family="sans-serif" font-size="14">&#9632;</text>
<text x="252" y="68" fill="#e2e8f0" font-family="sans-serif" font-size="11" font-weight="600">BEC Investigation Pack</text>
<text x="252" y="88" fill="#64748b" font-family="sans-serif" font-size="9">6 rules · 1 playbook · 1 report</text>
<rect x="30" y="125" width="170" height="70" rx="8" fill="#112436" stroke="#8b5cf6" stroke-width="1"/>
<text x="44" y="153" fill="#8b5cf6" font-family="sans-serif" font-size="14">&#9632;</text>
<text x="62" y="153" fill="#e2e8f0" font-family="sans-serif" font-size="11" font-weight="600">Consent Phishing Pack</text>
<text x="62" y="173" fill="#64748b" font-family="sans-serif" font-size="9">5 rules · 1 playbook · 1 report</text>
<rect x="220" y="125" width="170" height="70" rx="8" fill="#112436" stroke="#3b82f6" stroke-width="1"/>
<text x="234" y="153" fill="#3b82f6" font-family="sans-serif" font-size="14">&#9632;</text>
<text x="252" y="153" fill="#e2e8f0" font-family="sans-serif" font-size="11" font-weight="600">Token Replay Pack</text>
<text x="252" y="173" fill="#64748b" font-family="sans-serif" font-size="9">6 rules · 1 playbook · 1 report</text>
<rect x="30" y="210" width="170" height="70" rx="8" fill="#112436" stroke="#059669" stroke-width="1"/>
<text x="44" y="238" fill="#059669" font-family="sans-serif" font-size="14">&#9632;</text>
<text x="62" y="238" fill="#e2e8f0" font-family="sans-serif" font-size="11" font-weight="600">Ransomware Pack</text>
<text x="62" y="258" fill="#64748b" font-family="sans-serif" font-size="9">7 rules · 1 playbook · 1 report</text>
<rect x="220" y="210" width="170" height="70" rx="8" fill="#112436" stroke="#ec4899" stroke-width="1"/>
<text x="234" y="238" fill="#ec4899" font-family="sans-serif" font-size="14">&#9632;</text>
<text x="252" y="238" fill="#e2e8f0" font-family="sans-serif" font-size="11" font-weight="600">Insider Threat Pack</text>
<text x="252" y="258" fill="#64748b" font-family="sans-serif" font-size="9">6 rules · 1 playbook · 1 report</text>
</svg>
</div>
<div class="glance-card">
<h3>Overview</h3>
<p>The SOC Operations Kit is a library of deployable assets for security teams working in Microsoft 365 environments. It is not a training course — it is the operational output you would have if you had spent months building a mature SOC from scratch.</p>
<p>Each scenario pack contains five layers: detection rules (ARM/JSON templates you import into Sentinel), investigation playbooks (step-by-step procedures with embedded KQL), containment procedures (exact commands and decision trees), report templates (pre-structured for CISO-level reporting), and hardening checklists (with verification steps).</p>
<p>Every KQL query is tested. Every ARM template is importable. Every playbook has been used in real incident response. This is infrastructure, not documentation.</p>
</div>
<div class="glance-card">
<h3>Audience profile</h3>
<p>You are a SOC analyst, security engineer, or MSSP consultant who needs to stand up detection and response capabilities quickly. You do not want to spend three months writing KQL queries from scratch when someone has already built and tested them.</p>
<p>Or you are a security manager building out your team's capabilities and you need a framework — detection rules that are MITRE ATT&CK mapped, playbooks your junior analysts can follow, and report templates that save hours on every incident.</p>
<p>The kit pairs with our training course, but stands alone. If you already know how to investigate incidents and you just need the tools, this is what you want.</p>
</div>
<div class="glance-card full-width">
<h3>What is included</h3>
<div class="kit-contents">
<div class="kit-section">
<h4>6 Scenario Operating Packs</h4>
<p>Each pack covers a specific threat scenario end-to-end:</p>
<div class="kit-packs">
<div class="kit-pack"><strong>AiTM Credential Phishing</strong> — detection rules for proxy-based credential theft, session token anomalies, inbox rule creation, and lateral phishing. Investigation playbook from initial alert through containment.</div>
<div class="kit-pack"><strong>Business Email Compromise</strong> — vendor impersonation detection, payment diversion indicators, mailbox forwarding rules, and evidence collection procedures for law enforcement referral.</div>
<div class="kit-pack"><strong>Consent Phishing</strong> — OAuth app registration monitoring, excessive permission detection, malicious app identification, and remediation procedures.</div>
<div class="kit-pack"><strong>Token Replay</strong> — non-interactive sign-in anomalies, conditional access bypass detection, session token abuse indicators, and token revocation procedures.</div>
<div class="kit-pack"><strong>Ransomware Pre-Encryption</strong> — early-stage indicators including lateral movement, credential dumping, shadow copy deletion, and automated containment triggers.</div>
<div class="kit-pack"><strong>Insider Threat</strong> — data exfiltration patterns, departing employee monitoring, DLP alert correlation, and evidence preservation for HR/legal proceedings.</div>
</div>
</div>
<div class="kit-section">
<h4>Cross-Scenario Assets</h4>
<div class="kit-packs">
<div class="kit-pack"><strong>KQL Master Library</strong> — 35+ detection queries and 20+ investigation queries, all MITRE ATT&CK mapped with documented thresholds and tuning guidance.</div>
<div class="kit-pack"><strong>Sentinel Deployment Pack</strong> — importable ARM templates for analytics rules, automation rules, and workbooks.</div>
<div class="kit-pack"><strong>IR Report Template Set</strong> — pre-structured report templates for different incident types and audience levels.</div>
<div class="kit-pack"><strong>M365 Security Baseline Checklist</strong> — comprehensive hardening checklist with verification steps for each control.</div>
</div>
</div>
</div>
</div>
</div>

Get the kit

Available as a one-time purchase or included with the Professional training subscription. The kit receives updates as new threat scenarios and detection techniques emerge.