Intermediate

CHAPTER 2: SOC TOOLS & TECHNOLOGIES

SIEM: Security Information and Event Management

What is a SIEM?

The SIEM is the brain of the SOC. It collects, normalizes and correlates logs from the whole infrastructure (firewalls, servers, endpoints, applications) to detect threats in real time. A SIEM uses correlation rules to raise an alert when a suspicious pattern is detected.

How a SIEM works: Log Sources → Collection → Normalization → Correlation → Alert → Dashboard

Popular SIEMs in Industry

| SIEM | Vendor | Query Language | Strengths |
|---|---|---|---|
| Splunk | Splunk/Cisco | SPL | Very powerful, large marketplace of apps |
| IBM QRadar | IBM | AQL | Offense-based detection, out-of-the-box use cases |
| Microsoft Sentinel | Microsoft | KQL | Cloud-native, Azure/M365 integration |
| ELK Stack | Elastic | Lucene/KQL | Open source, very flexible |
| Google Chronicle | Google | YARA-L | Petabyte scale, fixed pricing |

Example SIEM Queries

Splunk SPL, find failed logins on Windows:

    index=windows sourcetype="WinEventLog:Security" EventCode=4625
    | stats count by src_ip, Account_Name
    | where count > 10
    | sort -count

Microsoft Sentinel KQL, brute-force detection:

    SecurityEvent
    | where EventID == 4625
    | summarize FailedAttempts = count() by TargetAccount, IpAddress, bin(TimeGenerated, 5m)
    | where FailedAttempts > 10

IBM QRadar AQL, top talkers by traffic:

    SELECT sourceip, SUM(bytes) AS total_bytes
    FROM flows
    WHERE INOFFENSE(offense_id)
    GROUP BY sourceip
    ORDER BY total_bytes DESC
    LAST 24 HOURS
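The SPL and KQL queries above share one detection logic: filter on Event ID 4625, group by account and source IP inside a fixed time window, count, and alert above a threshold. The following script is an added example (not from the course or from any SIEM vendor) that implements that same logic in plain Python over constructed event records, so you can see what the `bin(TimeGenerated, 5m)` step actually does to the counts. The field names `TargetAccount` and `IpAddress` follow the Sentinel query; the sample events are made up.

```python
from collections import defaultdict
from datetime import datetime


def make_event(ts, event_id, account, ip):
    """Build one reduced Windows Security event record (constructed, not a real log)."""
    return {"ts": ts, "EventID": event_id, "TargetAccount": account, "IpAddress": ip}


# Constructed sample data: 12 failures against "jdoe" from one IP inside a single
# 5-minute window, 8 failures against "bob" spread over two windows, and one success.
SAMPLE_EVENTS = (
    [make_event(f"2024-05-01T10:00:{s:02d}", 4625, "jdoe", "10.0.0.5") for s in range(0, 60, 5)]
    + [make_event(f"2024-05-01T10:{m:02d}:00", 4625, "bob", "10.0.0.7") for m in range(2, 10)]
    + [make_event("2024-05-01T10:01:00", 4624, "jdoe", "10.0.0.5")]
)


def window_start(ts, minutes=5):
    """Floor a timestamp to the start of its fixed window, like KQL's bin(TimeGenerated, 5m)."""
    return ts.replace(minute=(ts.minute // minutes) * minutes, second=0, microsecond=0)


def detect_bruteforce(events, threshold=10, minutes=5):
    """Count 4625 events per (account, source IP, window); return groups above the threshold.

    Mirrors the SPL/KQL queries: filter on the event ID, group, count, then threshold.
    Returns a sorted list of (account, ip, window_start_iso, count).
    """
    counts = defaultdict(int)
    for event in events:
        if event["EventID"] != 4625:  # only failed logons count towards brute force
            continue
        ts = datetime.fromisoformat(event["ts"])
        key = (event["TargetAccount"], event["IpAddress"], window_start(ts, minutes))
        counts[key] += 1
    return [
        (account, ip, window.isoformat(), n)
        for (account, ip, window), n in sorted(counts.items())
        if n > threshold
    ]


if __name__ == "__main__":
    for account, ip, window, n in detect_bruteforce(SAMPLE_EVENTS):
        print(f"{window} {account} from {ip}: {n} failed logons")
```

Note how "bob" never trips the default rule: his 8 failures straddle the 10:00 and 10:05 windows, so neither bin exceeds 10. Widening the window (`minutes=10`) or lowering the threshold changes that, which is exactly the tuning trade-off you face with the real queries.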

IDS/IPS: Intrusion Detection & Prevention

| Feature | IDS (Detection) | IPS (Prevention) |
|---|---|---|
| Mode | Passive, monitoring only | Inline, can block traffic |
| Action | Detect & alert | Detect, alert & DROP/BLOCK |
| Placement | Out-of-band (mirror/SPAN port) | In-line (in the traffic path) |
| Risk | Cannot block in real time | A false positive can block legitimate traffic |

Detection Methods

Example Snort Rules

    # Detect connections to port 4444 (Metasploit default):
    alert tcp any any -> any 4444 (msg:"Possible Metasploit Reverse Shell"; flow:established; sid:1000001; rev:1;)

    # Detect a SQL injection attempt:
    alert tcp any any -> any 80 (msg:"SQL Injection Attempt"; content:"' OR 1=1"; nocase; http_uri; sid:1000002; rev:1;)

Popular tools: Snort, Suricata (multi-threaded, faster), Zeek/Bro (network analysis framework)

EDR: Endpoint Detection and Response

EDR is a security solution installed on endpoints (laptops, servers, workstations) to detect, investigate and respond to threats at the endpoint level. Unlike traditional antivirus, EDR gives full visibility into endpoint activity.

EDR Capabilities

| EDR Solution | Vendor | Key Features |
|---|---|---|
| CrowdStrike Falcon | CrowdStrike | Cloud-native, threat graph, OverWatch MDR |
| Carbon Black | VMware | On-prem/cloud, behavioral EDR, audit & remediation |
| SentinelOne | SentinelOne | AI-driven, autonomous response, Storyline tracking |
| Microsoft Defender for Endpoint | Microsoft | M365 integration, automated investigation |
| Elastic EDR | Elastic | Open-source base, ELK stack integration |

SOC L1 tip: when investigating an EDR alert, always look at the parent process (who launched it?), the command line (what was executed?) and the network connection (where did it connect to?).

Firewall & WAF

Firewall

| Type | How it works | Layer |
|---|---|---|
| Packet Filtering | Filters on IP, port, protocol (stateless) | Layer 3-4 |
| Stateful Inspection | Tracks connection state (established, new, related) | Layer 3-4 |
| NGFW | Deep packet inspection, application awareness, built-in IPS | Layer 3-7 |

Vendors: Palo Alto, Fortinet FortiGate, Cisco ASA/FTD, Check Point, pfSense (open source)

WAF: Web Application Firewall

A WAF specifically protects web applications against Layer 7 attacks such as SQL Injection, XSS, CSRF and the rest of the OWASP Top 10. A WAF can be cloud-based (Cloudflare, AWS WAF) or on-premise (ModSecurity, F5). It works by inspecting HTTP requests and responses and blocking those that match its rules.

Threat Intelligence & SOAR

Threat Intelligence Platform (TIP)

Threat intelligence is information about threats, used to understand attacker motivation, targets and behaviour. As a SOC L1 analyst you will use a TIP to check IOCs (IPs, domains, hashes).

| Platform | Type | Use |
|---|---|---|
| VirusTotal | Free/Commercial | Check hashes, URLs, IPs and domains against 70+ AV engines |
| AbuseIPDB | Free | Check IP address reputation |
| Shodan | Free/Paid | Search engine for internet-exposed devices |
| AlienVault OTX | Free | Community threat intel, pulses, IOC sharing |
| MISP | Open Source | Threat intel sharing platform, IOC management |
| URLhaus / MalwareBazaar | Free | Database of malicious URLs & malware samples |

SOAR: Security Orchestration, Automation and Response

SOAR automates and orchestrates the response to alerts. Example: when the SIEM detects a malicious IP, the SOAR automatically queries VirusTotal, blocks the IP on the firewall and opens a ticket.

Log Analysis

Windows Security Event IDs You Must Know

| Event ID | Category | Description | Why it matters |
|---|---|---|---|
| 4624 | Logon | Successful logon | Verify legitimate vs suspicious logins |
| 4625 | Logon | Failed logon | Brute force detection |
| 4648 | Logon | Logon with explicit credentials | Credential theft, pass-the-hash |
| 4672 | Privilege | Special privileges assigned | Privilege escalation monitoring |
| 4720 | Account | User account created | Unauthorized account creation |
| 4732 | Group | Member added to security group | Privilege escalation via group membership |
| 4688 | Process | New process created | Track process execution (requires audit policy) |
| 7045 | Service | New service installed | Malware persistence via a service |
| 1102 | Audit | Audit log cleared | Anti-forensics! The attacker is covering their tracks |
| 4698 | Task | Scheduled task created | Persistence mechanism |
| 4776 | Auth | NTLM authentication | Credential validation (DC) |
| 4768 | Kerberos | TGT requested | Kerberoasting detection |

Logon Types in Events 4624/4625

| Type | Name | Explanation |
|---|---|---|
| 2 | Interactive | Physical login at the console |
| 3 | Network | Access over the network (SMB, mapped drive) |
| 4 | Batch | Scheduled task execution |
| 5 | Service | Service startup |
| 7 | Unlock | Workstation unlock |
| 10 | RemoteInteractive | RDP login |

Important Linux Logs

| Log file | Contents | Example search |
|---|---|---|
| /var/log/auth.log | Authentication events (SSH, sudo) | grep "Failed password" auth.log |
| /var/log/syslog | General system events | grep "error" syslog |
| /var/log/apache2/access.log | Web server access log | grep "404\|500" access.log |
| /var/log/kern.log | Kernel messages | Firewall drops, driver errors |
| /var/log/cron | Cron job execution | Monitoring persistence via cron |

Sysmon: Enhanced Windows Logging

Sysmon (System Monitor) from Sysinternals provides far more detailed logging than the default Windows Event Log:

| Event ID | Name | Use |
|---|---|---|
| 1 | Process Creation | Full command line, parent process, file hash |
| 3 | Network Connection | Track connections from every process |
| 7 | Image Loaded | DLL loading (DLL injection detection) |
| 8 | CreateRemoteThread | Process injection detection |
| 11 | File Created | Track file creation |
| 13 | Registry Value Set | Registry modification tracking |
| 22 | DNS Query | DNS lookups from every process |
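The SOC L1 tip in the EDR section (parent process, command line) and Sysmon Event ID 1 above fit together: Event ID 1 is where those fields come from. The script below is an added example, not part of the course and not any vendor's detection content, that runs three common triage checks over constructed Sysmon process-creation records: an Office application spawning a script host, PowerShell launched with an encoded command, and an executable running from a user-writable directory. The field names `Image`, `CommandLine` and `ParentImage` are Sysmon's; the sample records, the process lists and the directory patterns are assumptions for the example.

```python
import re

# Constructed Sysmon Event ID 1 (Process Creation) records, reduced to the fields the
# SOC L1 tip names. None of these are real logs. The encoded command is the UTF-16LE
# base64 of the harmless "Get-Date".
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc RwBlAHQALQBEAGEAdABlAA==",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "CommandLine": "update.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Assumed lists for this example; a real rule set would be tuned to the environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# -e, -enc and -EncodedCommand are the usual spellings of PowerShell's encoded-command switch.
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-e(nc(odedcommand)?)?\s")
USER_WRITABLE = re.compile(r"(?i)\\(temp|appdata|downloads|public)\\")


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return a list of human-readable findings for one process-creation event."""
    findings = []
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    cmdline = event.get("CommandLine", "")
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        findings.append(f"office application {parent} spawned {child}")
    if child in {"powershell.exe", "pwsh.exe"} and ENCODED_FLAG.search(cmdline):
        findings.append("PowerShell launched with an encoded command")
    if USER_WRITABLE.search(event["Image"]):
        findings.append("executable runs from a user-writable directory")
    return findings


def triage_all(events):
    """Return (image name, findings) for every event that produced at least one finding."""
    results = []
    for event in events:
        findings = triage(event)
        if findings:
            results.append((basename(event["Image"]), findings))
    return results


if __name__ == "__main__":
    for name, findings in triage_all(SAMPLE_EVENTS):
        print(name, "->", "; ".join(findings))
```

The `svchost.exe` record produces nothing, which is the point of keying on parent/child relationships rather than on process names alone: the same `cmd.exe` is benign under `explorer.exe` and suspicious under `WINWORD.EXE`.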

Wireshark & Packet Analysis

Wireshark is a network protocol analyzer that captures and analyses network traffic at the packet level. You must be able to read a PCAP file and filter out the relevant traffic.

Commonly Used Display Filters

    # Filter by protocol:
    http                                   # HTTP traffic only
    dns                                    # DNS traffic only
    tcp                                    # TCP only
    tls                                    # TLS/SSL only

    # Filter by IP:
    ip.addr == 192.168.1.100               # traffic to/from a specific IP
    ip.src == 10.0.0.5                     # specific source IP
    ip.dst == 8.8.8.8                      # specific destination IP

    # Filter by port:
    tcp.port == 443                        # HTTPS traffic
    tcp.dstport == 4444                    # possible reverse shell

    # Filter by content:
    http.request.method == "POST"          # HTTP POST requests
    dns.qry.name contains "evil"           # specific DNS query
    frame contains "password"              # search for a string in the packet

    # Combination:
    http && ip.src == 192.168.1.100 && http.request.method == "POST"

What to look for when analysing a PCAP: connections to suspicious IPs/domains, unusual DNS queries, traffic on non-standard ports, large volumes of data leaving the network (exfiltration), plaintext credentials.
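The checklist above (non-standard ports, unusual DNS queries, large outbound volume) can be turned into a first-pass triage script once you have exported packet summaries from Wireshark. The following is an added example written for this page, not part of the course and not a Wireshark feature: it runs those three checks over constructed packet summaries. The internal network range, the list of expected ports, the exfiltration threshold and the DNS label thresholds are all assumptions for the example; the packets are made up and use documentation IP ranges.

```python
import math
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.168.0.0/16")  # assumption: the monitored LAN
# Ports where outbound traffic is expected in this example environment (assumption).
EXPECTED_PORTS = {22, 25, 53, 80, 123, 143, 443, 465, 587, 993, 995, 8080}

# Constructed packet summaries, the kind of columns one would export from Wireshark.
# Not a real capture: one DNS lookup, one connection to port 4444, one DNS query with a
# long hex-looking label, ~1.1 MB sent to one external host over 443, and one inbound packet.
PACKETS = (
    [{"src": "192.168.1.100", "dst": "8.8.8.8", "proto": "udp", "dport": 53, "len": 74,
      "dns_qry": "www.example.com"}]
    + [{"src": "192.168.1.100", "dst": "203.0.113.9", "proto": "tcp", "dport": 4444, "len": 60}]
    + [{"src": "192.168.1.100", "dst": "8.8.8.8", "proto": "udp", "dport": 53, "len": 120,
        "dns_qry": "4a7f9c2e1b6d8e0f3a5c7b9d1e2f4a6c8b0d2e4f.c2-tunnel.example"}]
    + [{"src": "192.168.1.100", "dst": "198.51.100.7", "proto": "tcp", "dport": 443, "len": 1460}
       for _ in range(800)]
    + [{"src": "198.51.100.7", "dst": "192.168.1.100", "proto": "tcp", "dport": 50123, "len": 60}]
)


def shannon_entropy(text):
    """Bits of entropy per character; high values suggest encoded or random data."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def triage(packets, exfil_bytes=1_000_000, max_label=30, max_entropy=3.5):
    """Return (kind, detail) findings for outbound non-standard ports, odd DNS labels
    and large per-destination outbound volume."""
    findings = []
    outbound_total = defaultdict(int)
    for p in packets:
        src, dst = ip_address(p["src"]), ip_address(p["dst"])
        is_outbound = src in INTERNAL_NET and dst not in INTERNAL_NET
        if is_outbound:
            outbound_total[(p["src"], p["dst"])] += p["len"]
            if p["proto"] == "tcp" and p["dport"] not in EXPECTED_PORTS:
                findings.append(("non-standard port", f"{p['src']} -> {p['dst']}:{p['dport']}"))
        query = p.get("dns_qry")
        if query:
            label = query.split(".")[0]  # the leftmost label is where tunnels hide data
            if len(label) > max_label or shannon_entropy(label) > max_entropy:
                findings.append(("suspicious dns", query))
    for (src, dst), total in outbound_total.items():
        if total >= exfil_bytes:
            findings.append(("large outbound volume", f"{src} -> {dst}: {total} bytes"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(PACKETS):
        print(f"[{kind}] {detail}")
```

The direction check matters: the inbound packet from 198.51.100.7 to an ephemeral port is not flagged, while the same host receiving 800 full-size segments on 443 is. Port 443 alone says nothing, volume per destination does.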

Email Header Analysis

Analysing email headers is a crucial skill for phishing investigations. The headers reveal the actual delivery path and can expose spoofing.

Important Email Header Fields

| Field | What to look at | Red flag |
|---|---|---|
| From: | The displayed sender | Can be spoofed, never trust it at face value |
| Return-Path / Envelope-From | Actual sender address | Differs from the displayed "From:" |
| Received: | Email route (read from bottom to top) | IP/domain that does not belong to the sender's organisation |
| X-Originating-IP | Sender's originating IP | IP from an unexpected country |
| SPF | Sender Policy Framework result | spf=fail → email may be spoofed |
| DKIM | DomainKeys Identified Mail | dkim=fail → email may have been manipulated |
| DMARC | Domain-based Message Authentication | dmarc=fail → domain policy violated |
| Reply-To: | Where replies are sent | Differs from "From:" → classic phishing trick |

Example of a suspicious email header:

    From: "IT Support" <[email protected]>
    Reply-To: [email protected]                 ← RED FLAG: Reply-To differs!
    Return-Path: <[email protected]>             ← RED FLAG: not the company domain!
    Received: from mail.evil-domain.xyz [185.234.xx.xx]
    Authentication-Results: spf=fail            ← RED FLAG: SPF failed!
      dkim=none                                 ← RED FLAG: no DKIM!
      dmarc=fail                                ← RED FLAG: DMARC failed!

Tools for email analysis: MXToolbox Header Analyzer, Google Admin Toolbox, PhishTool, emailheaders.net
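The checks in the table (Reply-To and Return-Path versus From, the SPF/DKIM/DMARC results, the Received chain read bottom-up) can be automated with Python's standard `email` module. The script below is an added example for this page, not part of the course and not one of the tools listed; it parses a constructed message header built to show the same red flags as the example above, using documentation-style domains (`company.example`, `evil-domain.example`) and a TEST-NET IP, none of which are real.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed suspicious message (not a real email). Received headers are listed
# newest first, as a mail client shows them; the bottom one is the originating hop.
RAW_MESSAGE = """\
Received: from mail.evil-domain.example (mail.evil-domain.example [192.0.2.10])
    by mx.company.example with ESMTP id 4f2a9c; Tue, 07 May 2024 09:12:31 +0000
Received: from localhost (localhost [127.0.0.1])
    by mail.evil-domain.example with ESMTP; Tue, 07 May 2024 09:12:30 +0000
Return-Path: <bounce@evil-domain.example>
From: "IT Support" <it-support@company.example>
Reply-To: helpdesk-reset@evil-domain.example
To: jdoe@company.example
Subject: Your password expires today
Authentication-Results: mx.company.example; spf=fail smtp.mailfrom=evil-domain.example;
    dkim=none; dmarc=fail header.from=company.example

Please reset your password using the link below.
"""


def address_domain(header_value):
    """Lower-cased domain of the address in a header value ('' when absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def analyze_headers(raw):
    """Return {'flags': [...], 'hops': [...]} for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []

    # 1. Reply-To and Return-Path should normally share the From domain.
    from_domain = address_domain(msg.get("From"))
    for name in ("Reply-To", "Return-Path"):
        other = address_domain(msg.get(name))
        if other and other != from_domain:
            flags.append(f"{name} domain {other} differs from From domain {from_domain}")

    # 2. Authentication-Results: anything other than pass is a flag (missing included).
    auth = " ".join(msg.get("Authentication-Results", "").split())  # unfold the header
    for mech in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{mech}=(\w+)", auth)
        result = match.group(1).lower() if match else "missing"
        if result != "pass":
            flags.append(f"{mech}={result}")

    # 3. Each relay prepends a Received header, so reversing the list gives the
    #    path from the originating server to the recipient's MX.
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        match = re.match(r"from\s+(\S+)", received)
        if match:
            hops.append(match.group(1))

    return {"flags": flags, "hops": hops}


if __name__ == "__main__":
    report = analyze_headers(RAW_MESSAGE)
    print("Path:", " -> ".join(report["hops"]))
    for flag in report["flags"]:
        print("RED FLAG:", flag)
```

Only the Received header added by your own MX is trustworthy; anything below it was written by servers the sender controls and can be forged, which is why the path is corroborated with the SPF/DKIM/DMARC results rather than trusted on its own.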