SOC Architecture Interactive Guide

The Visibility & Response Puzzle

Modern environments generate huge volumes of logs, endpoint events, and network traffic. No single tool covers everything efficiently. Security Operations Centers (SOCs) rely on a combination of technologies to solve different parts of this puzzle. Use the interactive chart below to compare how each technology contributes to the overall security posture.

Technology Comparison Matrix

SIEM

Centralized log collection & correlation.

EDR

Deep endpoint telemetry & process isolation.

XDR

Integrated detection across endpoints, cloud, & identity.

NDR

Network traffic analysis & anomaly detection.

MDR

Managed service providing 24/7 human expertise.

SOAR

Automated playbooks & orchestration.

SIEM (Security Information and Event Management)

Focus: Log Collection & Analysis

SIEM centralizes logs from servers, firewalls, and apps into a single platform ("single pane of glass"). It uses correlation rules to flag suspicious patterns, such as multiple failed login attempts followed by a success.

Log Ingestion Volume

Correlation Engine Status: Monitoring

Sysadmin Task: Log Shipping

bash - /etc/rsyslog.d/60-siem.conf

# Install rsyslog if needed
sudo apt-get install -y rsyslog

# Edit config to forward auth logs
sudo nano /etc/rsyslog.d/60-siem.conf

# Add this line to forward to SIEM
auth,authpriv.* @@siem.example.com:514

# Restart service
sudo systemctl restart rsyslog

EDR (Endpoint Detection and Response)

Focus: Monitoring Workstations & Servers

EDR monitors process creations, file changes, and registry operations on the endpoint itself. Unlike antivirus, it records history, allowing you to investigate "what happened" and remotely isolate infected machines.

Endpoint Threat Distribution

Workstation-04

HEALTHY

PowerShell: Process Hunting

PowerShell - Threat Hunt

# Find processes with TCP connections
Get-NetTCPConnection | ForEach-Object {
   $p = Get-Process -Id $_.OwningProcess
   [PSCustomObject]@{
      Process = $p.ProcessName
      PID     = $p.Id
      Remote  = $_.RemoteAddress
   }
}

XDR (Extended Detection and Response)

Focus: Integration of Multiple Layers

XDR expands beyond the endpoint to correlate data from email, cloud workloads, network, and identity. It connects the dots: Phishing Email → Endpoint Compromise → Cloud Login.

Attack Story Construction

EMAIL GATEWAY

Malicious Attachment Delivered

ENDPOINT (EDR)

Process spawned from Outlook

CLOUD IDENTITY

Suspicious Login from New IP

Python: Cross-Layer Correlation

Python3 - Analytics.py

web_ips = set(extract_ips("web.log"))
auth_ips = set(extract_ips("auth.log"))

# Find intersection (correlation)
suspicious = web_ips & auth_ips

for ip in suspicious:
    print(f"Suspicious IP in both: {ip}")
    trigger_response(ip)

XDR automates this logic: "If IP scans Web AND fails SSH, create ONE high-fidelity incident."

MDR (Managed Detection and Response)

Focus: Service & Human Expertise

MDR is not just software; it's a service. You outsource the "eyes on glass" to a team of experts who monitor your environment 24/7, hunt for threats, and respond to incidents, reducing alert fatigue for your internal team.

Internal vs. Managed Workload

Scenario: 3:00 AM Alert. Your team is asleep.

Status: Unmonitored...

Integration: Sending Data to MDR

bash - DailyUpload.sh

YESTERDAY=$(date -d "yesterday" +"%Y%m%d")

# Compress logs
tar czf /tmp/fw-$YESTERDAY.log.tar.gz /var/log/fw.log

# Ship to MDR Intake
scp /tmp/fw-$YESTERDAY.log.tar.gz \
    mdr-intake@example-mdr.com:/incoming/

# Cleanup
rm /tmp/fw-$YESTERDAY.log.tar.gz

Note: Modern MDRs often use APIs or Agents, but this demonstrates the concept of data transfer.

NDR (Network Detection and Response)

Focus: Network Traffic & Unmanaged Devices

NDR analyzes traffic packets and flows to spot anomalies, like a database sending massive data to an unknown IP. It is crucial for spotting threats on devices that can't run EDR agents (IoT, Printers, Legacy Systems).

Network Anomaly Detection

Outbound Threshold (MB/hr)

Sensitive 80 MB Loose

Python: Flow Analysis

Python3 - TrafficCheck.py

threshold = 10 * 1024 * 1024 # 10 MB

totals = {}
for f in flows:
   totals[f["src"]] += f["bytes"]

for src, total in totals.items():
   if total > threshold:
      print(f"High outbound: {src} -> {total} bytes")

This logic catches data exfiltration that EDR misses because the "malware" might just be a legitimate tool (like curl) used maliciously.

SOAR (Security Orchestration, Automation and Response)

Focus: Workflow Automation

SOAR connects your tools together. Instead of manually copying an IP from SIEM to Firewall, SOAR runs a "Playbook" to do it automatically. It ensures consistency and speed.

Phishing Response Playbook

Ingest Email

Analyze Attachments

Block Sender & Delete

Python: Auto-Block Script

Python3 - BlockIP.py

malicious_ips = ["203.0.113.5", "203.0.113.10"]

with open("blocklist.rules", "w") as f:
    f.write("# Auto-generated block rules\n")
    for ip in malicious_ips:
        f.write(f"deny ip any {ip}\n")

print("Wrote firewall block rules.")

Result: Turns a 30-minute manual task into a 3-second script execution.