A complete Blue Team study & reference guide focused on:
- Detection engineering
- SOC operations
- Incident response
- Threat hunting
- Defensive maturity & metrics
Designed for:
- SOC analysts
- Detection engineers
- Incident responders
- Blue Team & Purple Team practitioners
Contents:
- Blue Team Foundations
- SOC Operations
- Telemetry & Logging
- Detection Engineering
- Threat Hunting
- Incident Response
- Endpoint Security
- Network Security Monitoring
- Cloud & Identity Defense
- Metrics & Reporting
- Blue Team Labs & Practice
- Checklists
- Roadmaps
- Recommended Learning (YouTube & Online)
- Common Mistakes
Blue Team Foundations:
- What is Blue Teaming: https://www.sans.org/blog/blue-team/
- NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
- MITRE ATT&CK (Defensive use): https://attack.mitre.org/
- Blue Teaming Toolkit (infosecn1nja): https://github.com/infosecn1nja/Blue-Teaming-Toolkit (this is a curated tool list, not the Blue Team Field Manual, which is a separately published book)
- Awesome Blue Team: https://github.com/fabacab/awesome-cybersecurity-blueteam
SOC Operations:
- SOC roles & workflows
- Alert triage & escalation
- Shift handovers & documentation
- SOC operations guide: https://www.sans.org/blog/soc-operations/
- What is a Security Operations Center (Elastic explainer, covers triage and escalation at a high level): https://www.elastic.co/what-is/security-operations-center
Telemetry & Logging:
- Logging strategy & coverage
- What must be logged to detect attacks
- Windows logging recommendations: https://learn.microsoft.com/windows/security/threat-protection/auditing/basic-audit-policy-recommendations
- Sysmon: https://learn.microsoft.com/sysinternals/downloads/sysmon
- Cloud logging (Azure): https://learn.microsoft.com/azure/azure-monitor/
Detection Engineering:
- Detection hypotheses
- Signal vs noise
- False positive reduction
- Sigma rule search (detection.fyi, indexes community Sigma rules): https://detection.fyi/
- Sigma rules: https://github.com/SigmaHQ/sigma
- Elastic detection rules: https://github.com/elastic/detection-rules
- Splunk security content: https://github.com/splunk/security_content
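The rule repositories above share one structure: a positive `selection`, optional `filter` blocks that remove known-good sources, and a `condition` that ties them together. The block below is an added example, not code from the page or from SigmaHQ, Elastic or Splunk. It is a minimal matcher for that structure (only the `|contains`, `|startswith`, `|endswith` and exact modifiers, and conditions of the form `A and not B`), run over constructed Sysmon Event ID 1 style records, and it reports what the filter removed so the false-positive reduction is visible rather than assumed. The vendor name `MonitoringAgent` and the base64 fragments are made up; `T1059.001` is the real ATT&CK ID for PowerShell.

```python
"""Evaluate a Sigma-style rule against process-creation events (added example)."""

# Rule in the SigmaHQ layout. filter_known_agent is the tuning step: it drops
# encoded commands whose parent is a constructed monitoring agent.
RULE = {
    "title": "Encoded PowerShell Command Line",
    "tags": ["attack.execution", "attack.t1059.001"],
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc", "-ec ", "-e "],
        },
        "filter_known_agent": {
            "ParentImage|startswith": "C:\\Program Files\\MonitoringAgent\\",
        },
        "condition": "selection and not filter_known_agent",
    },
}

# Constructed events, abbreviated Sysmon Event ID 1 fields.
EVENTS = [
    {"id": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4A",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"id": 2, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -enc RwBlAHQALQBTAGUAcgB2AGkAYwBlAA==",
     "ParentImage": "C:\\Program Files\\MonitoringAgent\\agent.exe"},
    {"id": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {"id": 4, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"id": 5, "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def _field_match(event, key, expected):
    """One 'Field|modifier': value(s) entry. Sigma string matching is
    case-insensitive; a list of values is OR'd together."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    for value in (str(v).lower() for v in values):
        if modifier == "contains" and value in actual:
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "" and actual == value:
            return True
    return False


def _block_match(event, block):
    """All fields inside one selection/filter block are AND'd."""
    return all(_field_match(event, k, v) for k, v in block.items())


def match_rule(rule, event):
    """Supports conditions of the form 'A and not B [and not C]'."""
    det = rule["detection"]
    for term in det["condition"].split(" and "):
        negated = term.startswith("not ")
        name = term[4:] if negated else term
        if _block_match(event, det[name]) == negated:
            return False
    return True


def run(rule, events, with_filters=True):
    """Ids of events the rule fires on. with_filters=False evaluates the bare
    selection so the effect of tuning can be measured."""
    if not with_filters:
        rule = dict(rule, detection=dict(rule["detection"], condition="selection"))
    return [e["id"] for e in events if match_rule(rule, e)]


if __name__ == "__main__":
    untuned = run(RULE, EVENTS, with_filters=False)
    tuned = run(RULE, EVENTS)
    print("hits before tuning:", untuned)
    print("hits after tuning: ", tuned)
    print("removed as known-good:", sorted(set(untuned) - set(tuned)))
```

Two points a practitioner should take from the filter: it keys on the parent's path under `Program Files`, which an unprivileged attacker cannot write to, rather than on command-line text an attacker controls; and it is a recorded exception that must be re-run against fresh data when the agent is upgraded, otherwise the exclusion silently widens.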
Threat Hunting:
- Hypothesis-driven hunting
- Baselines & anomalies
- Threat hunting mindset: https://www.sans.org/blog/threat-hunting/
- Threat Hunter Playbook: https://github.com/Cyb3rWard0g/ThreatHunter-Playbook
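The two bullets above describe complementary moves: a hypothesis is a question you already know how to ask ("Office applications should never spawn a command interpreter"), while baselining surfaces what you did not know to ask for by comparing the hunt window against a longer history. The block below is an added example and is not from the page or the Threat Hunter Playbook. It runs a hypothesis query and a parent/child "stacking" comparison over constructed process-creation tuples, classifying hunt-window pairs as known, new-and-rare, or new-but-widespread. Host names, process pairs and windows are all made up.

```python
"""Hypothesis query plus baseline stacking over process lineage (added example)."""
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed (host, parent image name, child image name) tuples.
# BASELINE stands in for a 30-day window; HUNT for the last 24 hours.
BASELINE = [
    ("ws01", "explorer.exe", "chrome.exe"), ("ws02", "explorer.exe", "chrome.exe"),
    ("ws03", "explorer.exe", "chrome.exe"), ("ws01", "explorer.exe", "outlook.exe"),
    ("ws02", "explorer.exe", "outlook.exe"), ("ws01", "outlook.exe", "winword.exe"),
    ("ws02", "outlook.exe", "winword.exe"), ("ws01", "services.exe", "svchost.exe"),
    ("ws02", "services.exe", "svchost.exe"), ("ws03", "services.exe", "svchost.exe"),
]
HUNT = [
    ("ws01", "explorer.exe", "chrome.exe"),
    ("ws03", "outlook.exe", "winword.exe"),
    ("ws02", "winword.exe", "cmd.exe"),
    ("ws01", "svchost.exe", "rundll32.exe"), ("ws02", "svchost.exe", "rundll32.exe"),
    ("ws03", "svchost.exe", "rundll32.exe"),
]


def office_spawning_shell(events):
    """Hypothesis query: an Office parent starting an interpreter child."""
    return [(h, p, c) for h, p, c in events
            if p.lower() in OFFICE and c.lower() in SHELLS]


def stack(events):
    """Map each (parent, child) pair to the set of hosts that exhibited it.
    Counting hosts rather than raw events keeps one noisy machine from
    making a pair look common."""
    seen = defaultdict(set)
    for host, parent, child in events:
        seen[(parent.lower(), child.lower())].add(host)
    return seen


def find_anomalies(baseline_events, hunt_events, rare_hosts=1):
    """Classify every hunt-window pair against the baseline:
    known     - pair existed in the baseline (on any host)
    new_rare  - not in baseline and seen on <= rare_hosts hosts: hunt first
    new_broad - not in baseline but widespread: likely a deployment change,
                still worth confirming against change records"""
    base = stack(baseline_events)
    hunt = stack(hunt_events)
    result = {"new_rare": [], "new_broad": [], "known": []}
    for pair, hosts in sorted(hunt.items()):
        if pair in base:
            result["known"].append(pair)
        elif len(hosts) <= rare_hosts:
            result["new_rare"].append((pair, sorted(hosts)))
        else:
            result["new_broad"].append((pair, sorted(hosts)))
    return result


if __name__ == "__main__":
    print("hypothesis hits:", office_spawning_shell(HUNT))
    findings = find_anomalies(BASELINE, HUNT)
    for bucket in ("new_rare", "new_broad", "known"):
        print(f"{bucket}: {findings[bucket]}")
```

Two caveats belong with any baseline: it is only as clean as the period it was built from, so an intrusion that predates the window is normalised into "known"; and "known on some host" is weaker than "known on this host", so for crown-jewel systems stack per host rather than fleet-wide.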
Incident Response:
- IR lifecycle
- Containment & eradication
- Lessons learned
- NIST IR guide (SP 800-61 Rev. 2; note that Rev. 3, aligned to CSF 2.0, was published in 2025 and supersedes it): https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
- DFIR resources: https://dfir.blog/
Endpoint Security:
- EDR fundamentals
- Endpoint telemetry
- Microsoft Defender for Endpoint: https://learn.microsoft.com/microsoft-365/security/defender-endpoint/
- Elastic Endpoint Security: https://www.elastic.co/security
Network Security Monitoring:
- Network telemetry
- DNS, proxy, firewall logs
- Zeek Network Security Monitor: https://zeek.org/
- Suricata IDS: https://suricata.io/
Cloud & Identity Defense:
- IAM protection
- Cloud control-plane monitoring
- Microsoft Entra security: https://learn.microsoft.com/entra/
- AWS security monitoring: https://docs.aws.amazon.com/security/
Metrics & Reporting:
- Mean Time To Detect (MTTD)
- Mean Time To Respond / Contain (MTTR / MTTC)
- Detection coverage by ATT&CK
- ATT&CK resources (the matrix and Navigator are the usual basis for coverage mapping): https://attack.mitre.org/resources/
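The three metrics listed above are easy to compute and easy to compute misleadingly. The block below is an added example, not from the page or MITRE, and it makes its definitions explicit: time to detect is `detected_at - first_activity` (dwell time), time to contain is `contained_at - detected_at`, both are reported as mean and median, and ATT&CK coverage is counted per technique rather than per rule. The incident records, rule tags and the priority technique list are constructed; the technique IDs themselves are real ATT&CK identifiers.

```python
"""MTTD, MTTC and ATT&CK coverage from incident and rule records (added example)."""
from datetime import datetime
from statistics import mean, median

# Constructed incident records. INC-4 is a long-dwell case, included on
# purpose to show how one outlier separates the mean from the median.
INCIDENTS = [
    {"id": "INC-1", "first_activity": "2024-03-01T08:00:00",
     "detected_at": "2024-03-01T08:30:00", "contained_at": "2024-03-01T10:00:00"},
    {"id": "INC-2", "first_activity": "2024-03-02T01:00:00",
     "detected_at": "2024-03-02T02:00:00", "contained_at": "2024-03-02T02:45:00"},
    {"id": "INC-3", "first_activity": "2024-03-03T09:00:00",
     "detected_at": "2024-03-03T09:15:00", "contained_at": "2024-03-03T09:45:00"},
    {"id": "INC-4", "first_activity": "2024-02-10T12:00:00",
     "detected_at": "2024-03-05T12:00:00", "contained_at": "2024-03-05T18:00:00"},
]

# Constructed rule inventory: rule name -> ATT&CK technique tags.
RULES = {
    "encoded_powershell": ["T1059.001"],
    "powershell_obfuscated_script": ["T1059.001", "T1027"],
    "lsass_access": ["T1003.001"],
}
# Constructed priority list, as a threat profile for the organisation would give.
PRIORITY_TECHNIQUES = ["T1059.001", "T1003.001", "T1021.002", "T1566.001", "T1027"]


def _hours(start, end):
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def response_metrics(incidents):
    """MTTD = mean/median of first_activity -> detected_at (dwell time).
    MTTC = mean/median of detected_at -> contained_at."""
    ttd = [_hours(i["first_activity"], i["detected_at"]) for i in incidents]
    ttc = [_hours(i["detected_at"], i["contained_at"]) for i in incidents]
    return {
        "mttd_mean_h": mean(ttd), "mttd_median_h": median(ttd),
        "mttc_mean_h": mean(ttc), "mttc_median_h": median(ttc),
        "max_dwell_h": max(ttd),
    }


def attack_coverage(rules, priority):
    """Coverage counted per technique: a second rule for an already covered
    technique adds rule volume but no coverage."""
    covered = {t for tags in rules.values() for t in tags}
    wanted = set(priority)
    hit = sorted(covered & wanted)
    return {
        "covered": hit,
        "missing": sorted(wanted - covered),
        "fraction": len(hit) / len(wanted),
        "rule_count": len(rules),
    }


if __name__ == "__main__":
    m = response_metrics(INCIDENTS)
    print(f"MTTD mean {m['mttd_mean_h']:.2f}h vs median {m['mttd_median_h']:.2f}h "
          f"(longest dwell {m['max_dwell_h']:.0f}h)")
    print(f"MTTC mean {m['mttc_mean_h']:.2f}h vs median {m['mttc_median_h']:.2f}h")
    c = attack_coverage(RULES, PRIORITY_TECHNIQUES)
    print(f"{len(c['rule_count'] * 'x')} rules cover {c['fraction']:.0%} of priority "
          f"techniques; missing: {c['missing']}")
```

Report both statistics and the longest dwell time side by side: the mean here is driven almost entirely by one incident, and hiding that behind a single number is exactly the "volume instead of quality" mistake listed further down.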
Blue Team Labs & Practice:
- Blue Team Labs Online: https://blueteamlabs.online/
- CyberDefenders: https://cyberdefenders.org/
- DetectionLab: https://github.com/clong/DetectionLab
Checklists:
➡️ See: BLUETEAM-CHECKLIST.md
Roadmaps:
➡️ See: BLUETEAM-ROADMAP.md
Recommended Learning (YouTube & Online):
- John Hammond: https://www.youtube.com/c/JohnHammond010
- Black Hills InfoSec: https://www.youtube.com/c/BlackHillsInformationSecurity
- IppSec (attack walkthroughs; watch for the artefacts each step leaves behind, which is what a defender must detect): https://www.youtube.com/c/IppSec
- PortSwigger Web Security Academy: https://portswigger.net/web-security
- OWASP Top 10: https://owasp.org/www-project-top-ten/
Common Mistakes:
- Alert fatigue ignored
- Measuring volume instead of quality
- No retesting after fixes
- Poor documentation
- Blame culture
For defensive and educational purposes only.