Defensive Security

Body of Knowledge

| Topic | Description | Relevance | Career Tracks |
|---|---|---|---|
| SIEM Fundamentals | Log aggregation, correlation rules, alerting, dashboards, use cases, data normalization, retention policies. | Critical | SOC Analyst, Security Engineer, SIEM Administrator |
| Splunk | SPL queries, indexes, sourcetypes, dashboards, alerts, apps, deployment architecture, performance tuning. | High | SOC Analyst, SIEM Administrator, Security Engineer |
| Microsoft Sentinel | Cloud-native SIEM, KQL queries, analytics rules, workbooks, SOAR playbooks, data connectors, cost management. | High | SOC Analyst, Cloud Security Engineer |
| Wazuh/OSSEC | Open-source SIEM, agent deployment, rules, decoders, file integrity monitoring, vulnerability detection, MITRE mapping. | Medium | Security Engineer, SOC Analyst |
| Endpoint Detection & Response (EDR) | Behavioral analysis, process monitoring, threat hunting, automated response, CrowdStrike, SentinelOne, Defender. | Critical | Endpoint Security, SOC Analyst, Security Engineer |
| Extended Detection & Response (XDR) | Cross-domain correlation, unified visibility, automated investigation, network+endpoint+cloud integration. | High | Security Engineer, SOC Analyst, Security Architect |
| Network Detection & Response (NDR) | Network traffic analysis, anomaly detection, encrypted traffic analysis, Zeek/Suricata, threat hunting. | High | SOC Analyst, Security Engineer |
| Vulnerability Management | Scanning programs, CVSS scoring, CVE tracking, prioritization, remediation workflows, patch management, risk acceptance. | Critical | Vulnerability Analyst, Security Engineer |
| Threat Hunting | Hypothesis-driven hunting, IOC/IOA, TTP-based hunting, MITRE ATT&CK mapping, hunting playbooks, purple teaming. | High | Threat Hunter, SOC Analyst, Security Engineer |
| Security Orchestration (SOAR) | Automated playbooks, case management, enrichment, Phantom, XSOAR, Shuffle, incident response automation. | High | Security Engineer, SOC Analyst |
| Threat Intelligence | IOC feeds, threat intelligence platforms (MISP, OpenCTI), STIX/TAXII, intelligence lifecycle, threat actor tracking. | High | Threat Intelligence Analyst, SOC Analyst |
| Log Analysis | Log parsing, pattern recognition, baseline establishment, anomaly detection, common attack patterns in logs. | Critical | SOC Analyst, Security Engineer |

Personal Status

| Topic | Level | Evidence | Active Projects | Gaps |
|---|---|---|---|---|
| SIEM Operations (Wazuh) | Intermediate | Wazuh deployment on home lab — agent enrollment, rule customization, file integrity monitoring, log collection; evaluated for CHLA use | SIEM Operations | No production SIEM at scale, no custom decoder development |
| KQL / Sentinel | Beginner | Basic KQL queries during CHLA Sentinel evaluation; understand table schema, where/project/summarize operators | CyberOps Associate Study Guide | No advanced KQL — no joins, no custom analytics rules, no workbook creation |
| Endpoint Security | Intermediate | Wazuh FIM, ISE endpoint profiling; understand EDR concepts from Security+ and CISSP study | Security+ Study Guide | No CrowdStrike/SentinelOne/Defender ATP hands-on |
| Vulnerability Management | Intermediate | Patch management awareness from CHLA operations; CISSP study covers vulnerability lifecycle; understand CVSS scoring, CVE tracking | CISSP Study Guide | No Nessus/Qualys/Rapid7 scanning experience, no vulnerability program ownership |