SOC Analysts

One-liner: Cybersecurity professionals who monitor, detect, investigate, and respond to security threats within a Security Operations Center (SOC).

🎯 What Is It?

SOC Analysts are the frontline defenders in a SOC, responsible for monitoring security alerts, investigating potential incidents, and coordinating responses to cyber threats. They work in tiered levels based on experience and responsibility.

🏆 SOC Analyst Tiers

Tier 1: Alert Triage Analyst

Focus: Monitor and triage

Responsibilities:

• Monitor SIEM dashboards 24/7
• Perform initial Alert Triage on incoming alerts
• Distinguish False Positive from true positive
• Document findings in ticketing system
• Escalate confirmed threats to Tier 2
• Basic log analysis

Skills Required:

• Understanding of CIA Triad, Kill Chain
• Basic networking (TCP Three-Way Handshake, ports, protocols)
• Windows Event Logs, Sysmon event IDs
• SIEM query basics (Splunk, Elastic)
• Report writing

Tier 2: Incident Responder

Focus: Investigate and respond

Responsibilities:

• Deep-dive investigations into escalated alerts
• Incident Response coordination
• Containment and eradication of threats
• Malware Analysis (basic to intermediate)
• Threat hunting based on IOCs
• Forensic evidence collection
• Incident documentation and Alert Reporting

Skills Required:

• MITRE ATT&CK framework knowledge
• EDR tools investigation
• Network forensics (pcap analysis, Zeek, Wireshark)
• Memory and disk forensics
• Scripting (Python, PowerShell)
• Incident Response lifecycle (NIST, SANS)
• Chain of Custody for evidence

Tier 3: Threat Hunter / Senior Analyst

Focus: Proactive hunting and advanced analysis

Responsibilities:

• Proactive threat hunting without alerts
• Advanced Malware Analysis and reverse engineering
• Detection Engineering — creating new detection rules
• Threat intelligence research and integration
• Mentoring junior analysts
• Red/Purple Teaming collaboration
• Tabletop Exercise design and execution

Skills Required:

• Deep understanding of attacker TTPs
• Advanced scripting and automation
• Sigma, Yara, Snort rule writing
• Behavioral analysis and baselining
• Threat actor profiling
• Advanced persistent threat (APT) tracking
• Forensics expertise

📋 Daily SOC Analyst Workflow

Tier 1 Day-in-the-Life

08:00 - Shift handoff, review overnight alerts
08:30 - Triage queue: 47 new alerts
09:00 - Investigate potential phishing email
09:30 - Mark 12 alerts as false positives
10:00 - Escalate suspicious lateral movement to Tier 2
11:00 - Document findings in SIEM case
12:00 - Lunch
13:00 - Monitor real-time dashboard
14:00 - Investigate failed login spikes (brute force?)
15:00 - Weekly team training on new TTPs
16:00 - Update SOPs, close tickets

Tier 2 Investigation Example

1. Receive escalation: "Suspicious PowerShell execution"
2. Pivot to EDR for full process tree
3. Check parent process, command line arguments
4. Extract IOCs: IP, domain, file hash
5. Search threat intel feeds
6. Check MITRE ATT&CK: T1059.001 (PowerShell)
7. Contain: Isolate endpoint
8. Eradicate: Remove persistence mechanism
9. Document: Write incident report
10. Share IOCs with team

🛠️ Essential Tools

• SIEM: Splunk, Elasticsearch, Kibana
• EDR: CrowdStrike, Carbon Black, Microsoft Defender
• Network Monitoring: Zeek, Wireshark, RITA
• Threat Intel: VirusTotal, MISP, AlienVault OTX
• Ticketing: TheHive Project, Jira, ServiceNow
• Analysis: Cyberchef, strings, PEStudio

📈 Career Path

Junior SOC Analyst (Tier 1)
       ↓
SOC Analyst (Tier 2)
       ↓
Senior SOC Analyst / Threat Hunter (Tier 3)
       ↓
   ↙       ↘
SOC Manager   Detection Engineer

🎤 Interview Angles

Q: Walk me through how you would triage a phishing alert.

STAR Example:
Situation: Received alert for suspicious email with attachment sent to 50 users.
Task: Determine if phishing and scope of impact.
Action:

• Checked sender domain (typosquatting)
• Analyzed attachment hash in VirusTotal (flagged as malicious)
• Searched email logs for who clicked/downloaded
• Isolated affected endpoints via EDR
  Result: Confirmed phishing, prevented Malware execution on 48/50 systems, documented IOCs.

Q: How do you stay current with threats?

• Follow threat intel feeds (CISA, US-CERT)
• Read MITRE ATT&CK updates
• Practice on TryHackMe, HackTheBox
• Engage in Purple Teaming exercises
• Attend webinars, conferences (BSides, DEF CON)

🔗 Related Concepts

• Security Operations Center (SOC) — The team structure
• Alert Triage — Primary Tier 1 responsibility
• Incident Response — Core Tier 2 function
• Detection Engineering — Creating the alerts
• [[MITRE ATT&CK]] — Threat knowledge framework