In course 6, I learned how to detect and respond to security incidents by combining packet analysis, IDS rules, and SIEM searches. I practiced the full incident lifecycle—from spotting malicious traffic to documenting findings and triaging alerts in real time.
I explored the steps of the incident lifecycle—detection, analysis, containment, and recovery—and learned the roles and responsibilities of a response team. Becoming familiar with the key tools and documentation practices prepared me for hands-on investigations.
Using packet-sniffing tools, I captured and filtered live traffic to identify source and destination IPs, protocols in use, and payload details. This module solidified my skills in tcpdump and Wireshark to gather the evidence needed for incident triage.
I investigated a suspicious file hash with VirusTotal, mapped artifacts to the Pyramid of Pain, and practiced updating alert tickets following a phishing playbook. These exercises taught me how to combine evidence gathering with structured playbooks for consistent and effective responses.
I wrote custom Suricata rules to trigger alerts on pcap data, reviewed fast.log and eve.json outputs, and performed searches in Splunk Cloud to pinpoint failed SSH attempts. I also tried Google Chronicle queries, gaining confidence in SIEM-driven threat hunting.
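As an added illustration of the Suricata triage step described above (not course material or code from the original post), the script below parses constructed eve.json alert records, keeps only `event_type: alert`, tolerates a malformed line, and summarizes which sources repeatedly tripped the same signature. The IPs, signature names and SID are assumptions made up for the example.

```python
import json
from collections import Counter

# Constructed eve.json records (one JSON object per line), modelled on the fields a
# Suricata alert event carries. A rule that would produce sid 1000001 could look like
# (constructed example):
#   alert tcp any any -> $HOME_NET 22 (msg:"CUSTOM SSH brute-force attempt"; \
#     flow:to_server; threshold:type threshold, track by_src, count 5, seconds 60; \
#     sid:1000001; rev:1;)
EVE_LINES = """\
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":51000,"dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"signature_id":1000001,"signature":"CUSTOM SSH brute-force attempt","severity":2}}
{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.9","dest_ip":"10.0.0.5","proto":"TCP"}
{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":51001,"dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"signature_id":1000001,"signature":"CUSTOM SSH brute-force attempt","severity":2}}
{"timestamp":"2024-05-01T10:00:04.000000+0000","event_type":"alert","src_ip":"198.51.100.4","src_port":40000,"dest_ip":"10.0.0.8","dest_port":80,"proto":"TCP","alert":{"signature_id":1000002,"signature":"CUSTOM HTTP suspicious user-agent","severity":3}}
not valid json
"""

def parse_eve_alerts(text):
    """Return only alert events, skipping other event types and malformed lines."""
    alerts = []
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a half-written line during log rotation should not abort triage
        if event.get("event_type") != "alert":
            continue
        alerts.append({
            "timestamp": event["timestamp"],
            "src_ip": event["src_ip"],
            "dest_ip": event["dest_ip"],
            "dest_port": event.get("dest_port"),
            "sid": event["alert"]["signature_id"],
            "signature": event["alert"]["signature"],
            "severity": event["alert"]["severity"],
        })
    return alerts

def count_by_source_and_signature(alerts):
    """Count alerts per (source IP, signature) pair, the first pivot an analyst makes."""
    return Counter((a["src_ip"], a["signature"]) for a in alerts)

def repeated_sources(alerts, threshold=2):
    """Source IPs that fired the same signature at least `threshold` times."""
    counts = count_by_source_and_signature(alerts)
    return sorted({src for (src, _), n in counts.items() if n >= threshold})

if __name__ == "__main__":
    alerts = parse_eve_alerts(EVE_LINES)
    for (src, sig), n in count_by_source_and_signature(alerts).most_common():
        print(f"{n:3d}  {src:15s}  {sig}")
    print("repeat sources:", repeated_sources(alerts))
```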
By applying these detection and response techniques across multiple platforms, I now have a complete, tool-driven workflow for analyzing network traffic, investigating incidents, and documenting findings. I’m ready to bring these skills to a SOC environment.