Introduction to Security Operations

Beginner · 30 min · Writeup

Understanding SOC structure and operations

Learning Objectives

  • Understand SOC tiers
  • Learn SOC workflows
  • Know essential SOC tools
  • Understand alert triage

A Security Operations Center (SOC) is the nerve center of an organization's cybersecurity defense. It's where analysts monitor, detect, analyze, and respond to security incidents 24/7. Think of it as the ER for cybersecurity - always staffed, always watching, ready to respond.

If the attackers are burglars trying to break into a building, the SOC team is the security guards watching all the cameras, sensors, and alarms. They don't just respond when something breaks - they proactively look for suspicious behavior like someone casing the place.

SOC Team Motto

"We sleep so you can sleep" - SOC analysts work around the clock so that when something bad happens at 3 AM, someone is there to catch it and respond.

SOC Structure & Tiers

SOC Analyst Tiers:

┌──────────────────────────────────────────────────────────────┐
│ TIER 1: Alert Monitoring (Entry Level)                       │
├──────────────────────────────────────────────────────────────┤
│ • First responders to alerts                                 │
│ • Monitor dashboards and queues                              │
│ • Initial triage: Is this real or false positive?            │
│ • Follow runbooks and playbooks                              │
│ • Escalate to Tier 2 if complex                              │
│ • Skills: Basic networking, log reading, tool usage          │
└──────────────────────────────────────────────────────────────┘
                          ↓ Escalation
┌──────────────────────────────────────────────────────────────┐
│ TIER 2: Incident Response (Experienced)                      │
├──────────────────────────────────────────────────────────────┤
│ • Deep investigation of escalated alerts                     │
│ • Correlate multiple data sources                            │
│ • Determine scope and impact                                 │
│ • Contain and remediate threats                              │
│ • Develop new detection rules                                │
│ • Skills: Forensics, malware analysis, advanced tools        │
└──────────────────────────────────────────────────────────────┘
                          ↓ Escalation
┌──────────────────────────────────────────────────────────────┐
│ TIER 3: Threat Hunting / Expert (Senior)                     │
├──────────────────────────────────────────────────────────────┤
│ • Proactive threat hunting                                   │
│ • Advanced malware reverse engineering                       │
│ • Develop and tune detection capabilities                    │
│ • Threat intelligence integration                            │
│ • Mentor junior analysts                                     │
│ • Skills: Deep technical expertise, threat research          │
└──────────────────────────────────────────────────────────────┘

Not every SOC has all tiers - smaller teams may combine roles!

Career Progression

Most SOC analysts start at Tier 1, gaining experience with alerts and tools. After 1-2 years, they move to Tier 2 for deeper investigations. Tier 3 requires 5+ years and specialized skills. The path: monitor → investigate → hunt.

Essential SOC Tools

Core SOC Technology Stack:

SIEM (Security Information & Event Management)
├── Splunk, Microsoft Sentinel, Elastic SIEM, QRadar
├── Collects logs from all sources
├── Correlates events and generates alerts
└── Central dashboard for monitoring

EDR (Endpoint Detection & Response)
├── CrowdStrike, Carbon Black, Microsoft Defender
├── Monitors endpoint behavior
├── Detects malware and suspicious activity
└── Enables remote response actions

SOAR (Security Orchestration, Automation & Response)
├── Phantom, Demisto (XSOAR), Swimlane
├── Automates repetitive tasks
├── Orchestrates tools together
└── Runs playbooks automatically

NETWORK SECURITY MONITORING
├── Zeek/Bro, Suricata, Snort
├── Captures network traffic
├── Detects network-based attacks
└── Provides PCAP for analysis

THREAT INTELLIGENCE PLATFORMS
├── MISP, OpenCTI, ThreatConnect
├── Manages IOCs and threat data
├── Enriches alerts with context
└── Shares intel with community

TICKETING SYSTEM
├── ServiceNow, Jira, TheHive
├── Tracks incidents end-to-end
├── Documents investigation steps
└── Metrics and reporting

Alert Lifecycle

From Alert to Closure:

1. GENERATION
   ├── Detection rule triggers
   ├── Log patterns match known bad behavior
   ├── Threat intel IOC match
   └── EDR behavioral detection

2. TRIAGE (Tier 1)
   ├── Is this a true positive or false positive?
   ├── What's the severity? P1, P2, P3?
   ├── Is immediate response needed?
   └── Time goal: < 15 minutes initial review

   Questions to ask:
   ├── Who/what is affected?
   ├── What triggered the alert?
   ├── Is this expected behavior?
   └── Has this happened before?

3. INVESTIGATION (Tier 1/2)
   ├── Gather additional context
   ├── Check related alerts
   ├── Query logs for timeline
   ├── Check threat intelligence
   └── Determine scope and impact

4. CONTAINMENT (if malicious)
   ├── Isolate affected systems
   ├── Block malicious IPs/domains
   ├── Disable compromised accounts
   └── Prevent further spread

5. ERADICATION & RECOVERY
   ├── Remove malware
   ├── Patch vulnerabilities
   ├── Reset credentials
   └── Restore from backups if needed

6. CLOSURE & DOCUMENTATION
   ├── Document findings
   ├── Update detection rules
   ├── Lessons learned
   └── Close ticket with resolution

7. REPORTING
   ├── Metrics for management
   ├── Trend analysis
   └── Improvement recommendations

Alert Triage in Practice

Triage Example: Suspicious PowerShell Alert

ALERT: "Encoded PowerShell execution detected"
─────────────────────────────────────────────

Initial Data:
├── Host: WORKSTATION-42
├── User: john.smith
├── Time: 2024-01-15 14:32:07
├── Process: powershell.exe -EncodedCommand JABzAD0A...
├── Parent: OUTLOOK.EXE
└── Severity: Medium

Triage Questions:

1. Is this user's role likely to use encoded PowerShell?
   ├── Check: IT? Developer? Finance?
   └── Finance user → Unusual!

2. What's the parent process?
   ├── OUTLOOK.EXE → Email attachment or link clicked
   └── Very suspicious pattern!

3. Has this user done this before?
   ├── Check historical data
   └── Never → First time behavior

4. What does the encoded command do?
   ├── Decode: echo JABzAD0A... | base64 -d | iconv -f UTF-16LE -t UTF-8
   └── Downloads file from external URL → Malicious!

5. Is the external URL known bad?
   ├── Check threat intel
   └── Known malware C2 → Confirmed malicious!

VERDICT: True Positive - Escalate to Tier 2!
ACTION: Isolate workstation, block URL, preserve evidence
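The decode step (question 4) and the rest of the triage questions worked through in Python, as an added example that is not part of the original writeup. One caveat a plain `base64 -d` does not cover: `-EncodedCommand` is base64 over UTF-16LE, so the decoder below decodes it that way. The alert record, the department lookup, the set of "expected" roles and the download markers are constructed for the demo; the encoded payload is a harmless command the script builds itself.

```python
import base64

# Constructed sample: the alert fields mirror the triage example above, but the
# encoded payload is a harmless command built here so the decode step is reproducible.
SAMPLE_COMMAND = "$s='triage-demo'; Write-Output $s"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode("ascii")
SAMPLE_ALERT = {
    "host": "WORKSTATION-42", "user": "john.smith", "department": "Finance",
    "process": f"powershell.exe -EncodedCommand {SAMPLE_ENCODED}",
    "parent": "OUTLOOK.EXE", "prior_encoded_ps_runs": 0,
}
# Assumed for the demo: roles where encoded PowerShell is a plausible part of the job,
# and parent processes that mean "user opened something" rather than an admin session.
EXPECTED_ROLES = {"IT", "Engineering", "Security"}
OFFICE_PARENTS = {"OUTLOOK.EXE", "WINWORD.EXE", "EXCEL.EXE"}
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "net.webclient")


def decode_encoded_command(cmdline: str) -> str:
    """Return the plaintext script from a -EncodedCommand argument, or "" if none.

    PowerShell base64-encodes the script as UTF-16LE, so `base64 -d` alone leaves a
    NUL byte after every character; decoding as utf-16-le yields readable text."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-encodedcommand", "-enc", "-ec", "-e"):
            return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
    return ""


def triage(alert: dict) -> dict:
    """Work the five triage questions from the writeup and return findings plus a verdict."""
    script = decode_encoded_command(alert["process"])
    findings = {
        "unusual_role": alert["department"] not in EXPECTED_ROLES,                # Q1
        "office_parent": alert["parent"].upper() in OFFICE_PARENTS,                # Q2
        "first_time": alert["prior_encoded_ps_runs"] == 0,                         # Q3
        "downloads_content": any(m in script.lower() for m in DOWNLOAD_MARKERS),   # Q4
        "decoded": script,
    }
    # Q5 (threat-intel lookup of any URL) needs an external feed, so it is left to the analyst.
    hits = sum(findings[k] for k in ("unusual_role", "office_parent", "first_time", "downloads_content"))
    findings["verdict"] = "true positive - escalate to Tier 2" if hits >= 2 else "likely benign - close"
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERT).items():
        print(f"{key}: {value}")
```

The page's own fragment `JABzAD0A` decodes to `$s=`, which is why the sample command starts the same way.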

Don't Rush Triage

False positive fatigue is real. But don't let that make you dismiss alerts too quickly. The one you skip might be the real attack. When in doubt, investigate further or escalate.

Runbooks and Playbooks

Runbooks = Standard Operating Procedures for Alerts

Example Runbook: "Brute Force Authentication Alert"
════════════════════════════════════════════════════

TRIGGER: >10 failed logins from same source in 5 minutes

STEP 1: Identify the Source
├── Internal IP? → Check which user/system
├── External IP? → Check reputation (VirusTotal, AbuseIPDB)
└── VPN connection? → Check VPN logs

STEP 2: Check Target Account
├── Service account? → Higher priority
├── Admin account? → Higher priority
├── Regular user? → Standard priority
└── Does account exist? → Invalid = spray attack

STEP 3: Determine Context
├── Is there a successful login after failures?
│   ├── Yes → Account may be compromised, escalate!
│   └── No → Attack failed, monitor
└── Is source IP associated with known user?
    ├── Yes → Probably forgot password
    └── No → Suspicious, investigate

STEP 4: Response Actions
├── If malicious:
│   ├── Block source IP at firewall
│   ├── Reset password if any success
│   ├── Enable MFA if not already
│   └── Document and escalate
└── If false positive:
    └── Note in ticket, close as false positive

STEP 5: Document
├── Record all findings
├── Note IOCs found
└── Close or escalate with summary
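The runbook's trigger and its STEP 1-3 checks expressed as detection logic run over sample log lines, an added example in Python that is not from the original page. The log lines, the internal address ranges and the account directory are all constructed; the script goes slightly beyond the runbook by flagging a spray (an invalid target account) and a success-after-failures in the same pass.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed key=value auth log (not from a real system): one external source fails 11 times
# in under a minute, one of its targets does not exist, then it succeeds; an internal user mistypes once.
SAMPLE_LOG = (
    [f"2024-01-15T09:00:{s:02d} src=203.0.113.7 user=svc_backup result=FAIL" for s in range(0, 40, 5)]
    + [f"2024-01-15T09:00:{s:02d} src=203.0.113.7 user=ghost.user result=FAIL" for s in (40, 45, 50)]
    + ["2024-01-15T09:03:50 src=203.0.113.7 user=svc_backup result=SUCCESS",
       "2024-01-15T09:01:00 src=10.0.0.5 user=jane.doe result=FAIL",
       "2024-01-15T09:01:20 src=10.0.0.5 user=jane.doe result=SUCCESS"]
)
THRESHOLD, WINDOW = 10, timedelta(minutes=5)  # the runbook trigger: >10 failures in 5 minutes
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed address plan
ACCOUNT_TYPES = {"svc_backup": "service", "admin.ops": "admin", "jane.doe": "regular"}  # assumed directory

def parse(line: str) -> dict:
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def find_bruteforce(lines: list) -> list:
    """Apply the trigger per source IP, then pre-answer STEP 1-3 of the runbook for each hit."""
    by_src = defaultdict(list)
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        start, hit = 0, False
        for end in range(len(fails)):  # sliding window over the time-sorted failures
            while fails[end]["ts"] - fails[start]["ts"] > WINDOW:
                start += 1
            if end - start + 1 > THRESHOLD:
                hit = True
                break
        if not hit:
            continue
        targets = {e["user"] for e in fails}
        success_after = any(e["result"] == "SUCCESS" and e["ts"] > fails[0]["ts"] for e in evs)
        alerts.append({
            "src": src,
            "internal": any(ip_address(src) in n for n in INTERNAL_NETS),  # STEP 1
            "priority": "high" if any(ACCOUNT_TYPES.get(u) in ("service", "admin") for u in targets) else "standard",  # STEP 2
            "spray_suspected": any(u not in ACCOUNT_TYPES for u in targets),  # STEP 2: invalid account
            "success_after_failures": success_after,  # STEP 3: True means escalate, False means monitor
        })
    return alerts
```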

Playbooks vs Runbooks

Runbooks are step-by-step procedures for specific alerts. Playbooks are broader strategies for incident types (like "Ransomware Response Playbook"). Runbooks are tactical, playbooks are strategic.

SOC Metrics

Key SOC Performance Metrics:

EFFICIENCY METRICS
┌─────────────────────────────┬──────────────────┐
│ Metric                      │ Target           │
├─────────────────────────────┼──────────────────┤
│ Mean Time to Detect (MTTD)  │ < 1 hour         │
│ Mean Time to Respond (MTTR) │ < 4 hours        │
│ Mean Time to Contain        │ < 24 hours       │
│ Alert to Triage Time        │ < 15 minutes     │
│ False Positive Rate         │ < 50% (ideally)  │
└─────────────────────────────┴──────────────────┘

VOLUME METRICS
├── Alerts per day/week/month
├── Incidents per analyst
├── Tickets closed per analyst
└── Escalation rate

QUALITY METRICS
├── Reopened tickets (should be low)
├── Customer satisfaction
├── Audit findings
└── Detection coverage (% of ATT&CK)

"What gets measured gets improved"
Track these to show SOC value to leadership!
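A small script that computes the efficiency metrics from the table above from a ticket export and checks each against its target, added here as an example that is not from the original page. The tickets are constructed, and the timestamp field names are an assumption about what a ticketing system would export.

```python
from datetime import datetime
from statistics import mean

# Constructed ticket export (ISO 8601 timestamps), not real SOC data. first_seen = earliest
# evidence of the activity, detected = alert fired, triaged = analyst picked it up,
# responded = first response action, contained = spread stopped (None for false positives).
TICKETS = [
    {"id": "INC-1", "verdict": "TP", "first_seen": "2024-01-15T14:00:00", "detected": "2024-01-15T14:32:07",
     "triaged": "2024-01-15T14:40:00", "responded": "2024-01-15T16:10:00", "contained": "2024-01-15T20:00:00"},
    {"id": "INC-2", "verdict": "FP", "first_seen": "2024-01-15T15:00:00", "detected": "2024-01-15T15:05:00",
     "triaged": "2024-01-15T15:30:00", "responded": None, "contained": None},
    {"id": "INC-3", "verdict": "TP", "first_seen": "2024-01-16T01:00:00", "detected": "2024-01-16T02:30:00",
     "triaged": "2024-01-16T02:35:00", "responded": "2024-01-16T03:00:00", "contained": "2024-01-16T09:00:00"},
]
# Targets from the table above, in minutes (the false positive rate is checked separately).
TARGETS_MIN = {"mttd": 60, "mttr": 240, "mttc": 24 * 60, "alert_to_triage": 15}


def minutes_between(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def soc_metrics(tickets: list) -> dict:
    """Mean times in minutes, false positive rate, and whether each figure meets its target."""
    tp = [t for t in tickets if t["verdict"] == "TP"]
    m = {
        "mttd": mean(minutes_between(t["first_seen"], t["detected"]) for t in tp),
        # Respond and contain are only defined for true positives; a false positive has no response.
        "mttr": mean(minutes_between(t["detected"], t["responded"]) for t in tp),
        "mttc": mean(minutes_between(t["detected"], t["contained"]) for t in tp),
        # Every alert costs triage time, false positive or not, so this one covers all tickets.
        "alert_to_triage": mean(minutes_between(t["detected"], t["triaged"]) for t in tickets),
        "false_positive_rate": sum(t["verdict"] == "FP" for t in tickets) / len(tickets),
    }
    m["meets_target"] = {k: m[k] < limit for k, limit in TARGETS_MIN.items()}
    m["meets_target"]["false_positive_rate"] = m["false_positive_rate"] < 0.5
    return m


if __name__ == "__main__":
    for key, value in soc_metrics(TICKETS).items():
        print(f"{key}: {value}")
```

With the sample tickets, MTTD lands just over the one-hour target while the other figures pass, which is the kind of gap the metrics are meant to surface.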

A Day in the Life

Typical SOC Analyst Day (Tier 1):

08:00 - SHIFT START
├── Review handoff notes from night shift
├── Check critical alerts from overnight
├── Log into all tools and dashboards
└── Read threat intelligence briefings

08:30 - ALERT MONITORING
├── Monitor alert queue
├── Triage incoming alerts
├── Close false positives
├── Escalate true positives
└── Document everything!

12:00 - LUNCH BREAK (coverage continues!)

13:00 - INVESTIGATIONS
├── Deep dive on escalated alerts
├── Correlate data across sources
├── Write up findings
└── Collaborate with Tier 2

15:00 - PROACTIVE WORK
├── Review detection rules
├── Update runbooks
├── Training and certification study
└── Threat hunting exercises

16:30 - END OF DAY
├── Complete open tickets
├── Write handoff notes for next shift
├── Attend team standup
└── Log off (or hand off to night shift)

The reality: Expect interruptions!
A P1 alert can derail your whole day (that's okay).

Becoming a SOC Analyst

Skills for SOC Analysts:

TECHNICAL SKILLS
├── Networking fundamentals (TCP/IP, DNS, HTTP)
├── Operating systems (Windows and Linux)
├── Log analysis and pattern recognition
├── Basic scripting (Python, PowerShell)
├── SIEM query languages (SPL, KQL)
├── Security tools (Wireshark, etc.)
└── Understanding of attack techniques

SOFT SKILLS
├── Attention to detail
├── Communication (written and verbal)
├── Critical thinking
├── Time management
├── Working under pressure
├── Continuous learning
└── Teamwork

CERTIFICATIONS (Entry Level)
├── CompTIA Security+
├── CompTIA CySA+
├── Splunk Core Certified User
├── SC-200 (Microsoft Security Operations)
└── Blue Team Level 1 (BTL1)

WAYS TO GET STARTED
├── Home lab practice
├── TryHackMe / HackTheBox SOC paths
├── Volunteer for IT/Security tasks
├── Internships
└── Entry-level IT → SOC transition

Home Lab Ideas

Set up a free Elastic Stack or Splunk (limited license) at home. Generate logs from a Windows VM, simulate attacks with tools like Atomic Red Team, and practice investigating. Nothing beats hands-on experience!

SOC Workflow

Alert Handling Workflow

  1. Receive Alert: Alert appears in queue from SIEM/EDR
  2. Initial Triage: Quick assessment - real or false positive?
  3. Investigate: Gather context, check logs, correlate data
  4. Determine Severity: Assign priority based on impact
  5. Respond: Contain threat, escalate if needed
  6. Document: Record all findings and actions
  7. Close/Escalate: Close if resolved, escalate if complex

Knowledge Check


What is the primary role of a Tier 1 SOC analyst?

Challenges

Build a Triage Checklist

Challenge · Beginner

Create a 10-step triage checklist for evaluating a suspicious login alert. Think about what questions you'd ask and what data sources you'd check.


Key Takeaways

  • SOC is the 24/7 nerve center for detecting and responding to threats
  • Tier 1 monitors and triages, Tier 2 investigates, Tier 3 hunts and mentors
  • Core tools include SIEM, EDR, SOAR, and network monitoring
  • Alert triage asks: Is this real? How severe? What's affected?
  • Runbooks provide step-by-step procedures for consistent response
  • Key metrics: MTTD (detect fast), MTTR (respond fast), false positive rate