Learning SQL through hands-on SOC analysis - notes, structured practice, and investigative projects built around real attack scenarios.
Simulated investigation of a credential brute force attack against internal systems. Uses authentication logs and threat intelligence data to identify attackers, confirm breaches, and assess lateral movement.
- Multi-table queries with JOIN and subqueries
- Threat intel enrichment via cross-referencing
- Full findings report with IOCs and recommendations
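The brute-force investigation described above, as an added example that is not code from the original project: the authentication-log and threat-intel schemas, the column names, and all log rows are constructed assumptions, loaded into an in-memory SQLite database so the SQL runs stand-alone. The first query finds sources with many failures (subquery), attaches any later successes (second subquery) and enriches with threat intel (LEFT JOIN plus CASE WHEN); the second follows a compromised account across hosts to look for lateral movement.

```python
import sqlite3

# Constructed sample data (not from the original project). Columns are assumed;
# the project's real schema is not shown on the page.
AUTH_LOGS = [
    # (ts, src_ip, username, host, status)
    ("2024-05-01 08:00:00", "10.0.0.40", "asmith", "srv-02", "FAIL"),
    ("2024-05-01 08:00:10", "10.0.0.40", "asmith", "srv-02", "SUCCESS"),
    ("2024-05-01 08:30:00", "198.51.100.9", "root", "srv-01", "FAIL"),
    ("2024-05-01 08:30:05", "198.51.100.9", "root", "srv-01", "FAIL"),
    ("2024-05-01 08:30:10", "198.51.100.9", "root", "srv-01", "FAIL"),
    ("2024-05-01 09:00:01", "203.0.113.5", "jdoe", "srv-01", "FAIL"),
    ("2024-05-01 09:00:02", "203.0.113.5", "jdoe", "srv-01", "FAIL"),
    ("2024-05-01 09:00:03", "203.0.113.5", "jdoe", "srv-01", "FAIL"),
    ("2024-05-01 09:00:04", "203.0.113.5", "jdoe", "srv-01", "FAIL"),
    ("2024-05-01 09:00:05", "203.0.113.5", "jdoe", "srv-01", "FAIL"),
    ("2024-05-01 09:00:06", "203.0.113.5", "jdoe", "srv-01", "FAIL"),
    ("2024-05-01 09:00:07", "203.0.113.5", "jdoe", "srv-01", "SUCCESS"),
    # Same account now authenticating from an internal address to other hosts
    ("2024-05-01 09:15:00", "10.0.0.11", "jdoe", "srv-02", "SUCCESS"),
    ("2024-05-01 09:20:00", "10.0.0.11", "jdoe", "srv-03", "SUCCESS"),
]
THREAT_INTEL = [
    # (ip, category, note) - constructed placeholder intel
    ("203.0.113.5", "known-bruteforcer", "seen in credential-stuffing campaigns"),
]


def build_db():
    """Load the constructed logs into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE auth_logs (ts TEXT, src_ip TEXT, username TEXT, host TEXT, status TEXT);
        CREATE TABLE threat_intel (ip TEXT PRIMARY KEY, category TEXT, note TEXT);
    """)
    conn.executemany("INSERT INTO auth_logs VALUES (?, ?, ?, ?, ?)", AUTH_LOGS)
    conn.executemany("INSERT INTO threat_intel VALUES (?, ?, ?)", THREAT_INTEL)
    return conn


# Sources with >= threshold failures, their success count (0 if none) and
# threat-intel category ('unknown' when the IP is not in the intel table).
BRUTE_FORCE_SQL = """
SELECT f.src_ip,
       f.failures,
       COALESCE(s.successes, 0) AS successes,
       CASE WHEN ti.ip IS NULL THEN 'unknown' ELSE ti.category END AS intel
FROM (
    SELECT src_ip, COUNT(*) AS failures
    FROM auth_logs
    WHERE status = 'FAIL'
    GROUP BY src_ip
    HAVING COUNT(*) >= ?
) AS f
LEFT JOIN (
    SELECT src_ip, COUNT(*) AS successes
    FROM auth_logs
    WHERE status = 'SUCCESS'
    GROUP BY src_ip
) AS s ON s.src_ip = f.src_ip
LEFT JOIN threat_intel AS ti ON ti.ip = f.src_ip
ORDER BY f.failures DESC;
"""

# Every host where an account first compromised from attacker_ip logged in
# successfully from that moment on (the initial foothold is included).
LATERAL_SQL = """
SELECT DISTINCT a.username, a.host
FROM auth_logs AS a
WHERE a.status = 'SUCCESS'
  AND a.username IN (
      SELECT username FROM auth_logs WHERE status = 'SUCCESS' AND src_ip = ?
  )
  AND a.ts >= (
      SELECT MIN(ts) FROM auth_logs WHERE status = 'SUCCESS' AND src_ip = ?
  )
ORDER BY a.username, a.host;
"""


def find_brute_force(conn, threshold=5):
    """Return (src_ip, failures, successes, intel) rows for noisy sources."""
    return conn.execute(BRUTE_FORCE_SQL, (threshold,)).fetchall()


def lateral_movement(conn, attacker_ip):
    """Return (username, host) pairs reached by accounts the attacker logged in as."""
    return conn.execute(LATERAL_SQL, (attacker_ip, attacker_ip)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for src_ip, failures, successes, intel in find_brute_force(db):
        print(f"{src_ip}: {failures} failures, {successes} successes, intel={intel}")
        for user, host in lateral_movement(db, src_ip):
            print(f"  {user} -> {host}")
```

The success-after-failures pattern is what turns a brute-force alert into a confirmed breach; the lateral-movement query then pivots on the account rather than the attacker's IP, since the later logins come from an internal address. Timestamps compare correctly as strings only because they are fixed-width ISO 8601; use a proper datetime type in a real schema.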
Simulated investigation of DNS-based data exfiltration from a compromised internal host. Uses Zeek-style DNS query logs to detect encoded subdomains, beaconing intervals, and C2 communication patterns.
- Behavioral detection without simple pass/fail indicators
- Window functions (LAG) for beaconing interval analysis
- String parsing with SUBSTR and INSTR for domain extraction
- Full findings report with IOCs, recommendations, and detection limitations
- SELECT, WHERE, GROUP BY, COUNT, ORDER BY, LIMIT, DISTINCT
- INNER JOIN, LEFT JOIN, subqueries, CASE WHEN, aggregate functions
- Window functions (LAG), SUBSTR, INSTR, LENGTH
- soc-simulations - attack simulations documented in a controlled virtual lab
- python-soc - Python automation tools for SOC workflows