SOC200
ALERTS TO ADVERSARIES
Strategic SOC Training for Tomorrow’s Threats.
"As someone who's worked side-by-side with Jonny, his consistent ability to communicate nuanced security concepts sets him apart. His talks blend Windows internals, contagious enthusiasm, and actionable detection content. After each talk I left feeling smarter and better equipped to approach my own work. I can't recommend Jonny's trainings enough for anyone with the opportunity."
"Jonathan brings his years of Windows expertise and experience developing defensive solutions to the forefront in his teaching. The breadth of his background and care towards each student creates a positive learning environment for anyone who takes his course."
"Jonathan Johnson’s content is the perfect blend of deep technical research and real-world program-building wisdom. He not only demystifies adversarial tradecraft and telemetry, but also shows how to translate detection concepts into a scalable, strategic vision for maturing security programs. It’s rare to find someone who can bridge that gap so effectively."
"Jonny and I taught dozens of classes together over several years. Jonny is an adept instructor with excellent communication skills with students, often spending time after class to continue chatting about topics of interest or in-depth questions. Even during overnight or off-hours classes, Jonny brings an unparalleled level of enthusiasm and deep research background to every session. In addition to instructing, Jonny has background and experience in content creation and development, both in slide and long-form blog format. I wouldn't hesitate to teach with him again, and cannot recommend him enough as a resource for learning in the future."
Course Description
This is an advanced SOC analyst course that goes beyond basic alert triage and incident handling, equipping you with advanced techniques for host and network-based triage and adversary tracking.
By the end of this course, you will be able to:
- Analyze and correlate security events to detect sophisticated cyber threats.
- Leverage threat intelligence for proactive defense and adversary profiling.
- Leverage advanced analysis tools for host, binary, and network analysis.
- Understand MITRE ATT&CK, TTPs, and adversary emulation for predictive defense.
- Understand strategic methodologies for building and advancing SOC teams.
- Understand advanced SOC analytical practices for improved analysis efficiency.
Introductions
Course Goals/Setup
Lab 1: Setup
SOC Methodology
Alert Classification
SOC and Detection Lifecycle
Lab 2: Discovering MITRE ATT&CK
Detection Engineering
Operational Drift
SOC Maturity Model
Lab 3: Walk Through a SOC Maturity Model
Lab 4: Build Your Own SOC Maturity Model
Introduction to Alert Investigation
Alert Fatigue
Classification Bias
Lab 5: Microsoft Sentinel Setup
Host-Based Alerting
Introduction to Processes
Lab 6: Discovering Processes
Lab 7: Process Examination via ProcMon
Examining Processes
Lab 8: Investigate a Process-Based Alert
Introduction to Threads
Thread Actions
Lab 9: Thread Examination via ProcMon
Lab 10: Investigate a Thread-Based Alert
Introduction to Files
Lab 11: File Examination via ProcMon
Introduction to the Registry
Lab 12: Registry Examination via ProcMon
Lab 13: Investigate a Registry Alert
Introduction to Scripting
Lab 14: Analyzing a Script-Based Alert
Network-Based Alerting
Networking Basics
Lab 15: Examining Network Data via ProcMon
Host-Based Network Logs
Network Directions
Lab 16: Analyzing North to South Traffic
Lab 17: Analyzing East to West Traffic
Introduction to Correlation
Interprocess Communication
Lab 18: Investigate a Named Pipe Alert
Correlation Types
Parent/Child Correlation
Logon Session Correlation
Transitional Correlation
Lab 19: Identify the Bad Outside of the Alert
Advanced SOC Processes
Alert Correlation & Playbooks
Feedback Loops
Lab 20: Bad Alert Feedback
Scenario
Alert Classification Submission
Other Activity Submission
Detection Logic Submission
Playbook Submission
Containment Strategy Submission
Note: completing the capstone and receiving the certification of completion is optional.
Students who successfully complete Capstone: Project SOC Endgame will be awarded a certification.
Students will be faced with multiple alerts from various sources. They will need to:
- Correlate and classify alerts
- Find other malicious activity that did not fire alerts
- Write up the incident, covering:
  - Maliciously classified alerts
  - Other activity identified
  - Detection logic
  - Feedback (new and existing)
  - Playbook generation ideas
  - Containment strategy
Live instruction is capped at 25 students.
Each day of class will be 7-8 hours including breaks. You will go through lectures and labs. The days will be very practical and lab-heavy, so please plan accordingly.
You will retain access for 1 week after the live course ends.
A full time table will be provided closer to the start date.
This course is targeted at SOC Tier 1 Analysts and up, as well as Technical Leadership that is supporting, managing, or any role adjacent to Security Operations.
At a technical level, we recommend having at least completed:
And being familiar, at a minimum, with the content in:
Help is provided during class and in your private Discord channels for the duration of your training and up to 1 week after.
Your channel will be in the Level Effect Discord community.
$2500
CDA Live or On-Demand students receive a $250 discount, paying $2250.
You invest, we invest.
Your Instructor - Jonny Johnson
Founder of Johnson Security Research LLC and Principal EDR Product Researcher at Huntress.
Formerly:
- Sr. Detection Engineering Consultant at SpecterOps
- Sr. Threat Researcher at RedCanary
- Sr. Threat Researcher at BinaryDefense
Interests: Windows Internals, Extracting and Exposing Telemetry, Reverse Engineering, Detection Engineering
Open-Source Author/Contributor: Atomic Test Harnesses, The Defender’s Guide, MSRPC-To-ATT&CK, TelemetrySource, JonMon
Example alert captions (from screenshots not reproduced here):
- cmd.exe with detailed event metadata like command line, PID, and timestamp.
- procdump or rundll32 comsvcs.dll.
- jkli.exe (from C:\Temp) with a network connection spawned rundll32.exe, which in turn launched whoami /all, suggesting suspicious process behavior chaining.
FAQ
- What hardware do I need?
  All you need is a browser. We provide the rest on our learning platform at https://training.leveleffect.com, with all virtual machines and lab time provided.
- How do lab hours work?
  Enough lab hours are provided for full, in-depth learning of the content. If you need more hours added during your training, we can top you up at no charge.
- What if I build my own lab?
  You could, and we encourage you to apply what you've learned in your home lab! However, we don't officially provide support for your home lab, and we expect you to be familiar with what is required to set it up. We also have a #home-lab channel in Discord for general chat and support with the community.