Security Operation Center - Level 1

Aspiring SOC Analyst with hands-on experience in VAPT, firewall configuration, IDS/IPS setup, Windows log monitoring, and network analysis.

SOC L1 is the first line of defence in an organization.

A SOC exists to minimize "Dwell Time" (the time an attacker stays hidden in the network or system without being detected). Without a SOC, breaches are discovered by customers and secret services, which causes massive reputational and financial loss.

A SOC monitors the network 24x7 to detect, analyze and respond to these threats before they cause catastrophic damage.

SOC vs NOC vs IR Team

  • SOC- Security Operations Center (Security Guard)

  • NOC- Network Operations Center (Ensure everything working perfectly)

  • IR Team- Incident Response (They intervene during emergencies or cyber attacks)

Duties of SOC, NOC, IR

SOC- Monitors security events, detects threats, analyzes alerts.

NOC- Monitors network performance, uptime, bandwidth consumption.

IR- Responds to confirmed incidents, performs forensics.

SOC L1 analysts spend most of their time on 'Alert Triage' (filtering false positives).

Triage Process (L1 Loop)-

  1. Alert (SIEM triggered)

  2. Analysis (check IP, hash, user)

  3. Decision (False positive vs True positive)

  4. Action (close or Escalate to L2 analyst)

    Note

    Don't ignore alerts even if it's nothing, and document everything.

Important things to understand-

  • SIEM (Splunk/Sentinel)

  • EDR (CrowdStrike)

  • Ticketing (ServiceNow/Jira)

  • Email Security

  • Network Logs (Firewall)

  • Threat Intel (VirusTotal)

SIEM (Security Information and Event Management)- Collects logs

EDR/XDR- Watches the endpoint

Ticketing (The logbook)- For documenting

Daily Duties-

  1. Detect and prevent a data stealer infection on a coworker's laptop.

  2. Analyze and stop a phishing campaign targeting the finance team.

  3. Participate in bigger incidents, such as a full-scale ransomware attack.

  4. Team up with your teammates to build detection rules and automations.

  5. Go beyond cybersecurity and understand how the company operates from the inside.

  6. Monitor, triage, escalate/close and document every single alert.

People Process Technology [PPT]

A team of professional individuals working with state-of-the-art security tools, backed by proper processes, is what makes a mature SOC environment.

3 Pillars of SOC-

  1. People - SOC Level 1, Level 2, Level 3 Analyst, IR, Security Engineer, SOC Manager.

  2. Process - Phase 1, Phase 2, Phase 3

  3. Technology - SIEM, EDR/XDR, NDR and Traffic Analysis, SOAR, TIP, Ticketing Software.

1. People (Security Department)

SOC Level 1, Level 2, Level 3 Analyst, IR, Security Engineer, SOC Manager.

  1. Mini company - Security is handled by the IT team.

  2. Small to Medium - A generic information security team that handles everything.

  3. Big company - CISO, multiple security teams (Red team, Blue team, GRC), CIRT - Cyber Incident Response Team, also called CSIRT/CERT-In.

2. Processes (Important Phases of SOC L1)

Phase 1-

Alert triage is the foundation of the SOC team; the first response to any alert is to perform triage.

Scenario:

  • We need to answer the 5 W's

Alert: Malware detected on Host: Harry PC

  1. What- A malicious file was detected on one of the hosts inside the organization's network.

  2. When- The file was detected at 13:20 on April 5, 2026.

  3. Where- The file was detected in a directory on the host "Harry PC".

  4. Who- The file was detected for the user Harry.

  5. Why- After the investigation, it was found that the file was downloaded from a website selling pirated software. The interview with the user revealed that they downloaded the file because they wanted to use a piece of software for free.

Phase 2-

Phase 2 is reporting.

  • Detected harmful alerts need to be escalated to higher-level analysts for a timely response and resolution.

  • Escalated as tickets and assigned to the relevant people.

  • The report should discuss all 5 W's along with a thorough analysis, and screenshots should be used as evidence of the activity.
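An added example, not from the original notes, that wires the L1 loop (alert, analysis of IP/hash/user, decision, close or escalate) to the 5 W's of Phase 1 and the escalation ticket of Phase 2. The alert fields, the lookups and every sample value are constructed for illustration and stand in for the manual checks an analyst would do in VirusTotal, the EDR console and the asset inventory.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed lookups standing in for the checks an L1 analyst does by hand
# (threat intel such as VirusTotal, EDR context, the asset inventory).
# Every value here is made-up sample data, not a real indicator.
KNOWN_BAD_HASHES = {"deadbeef" * 8}
KNOWN_BAD_IPS = {"203.0.113.45"}          # TEST-NET-3 documentation range
ASSET_OWNER = {"Harry PC": "Harry"}      # hostname -> expected primary user

@dataclass
class Alert:
    rule: str
    host: str
    user: str
    file_hash: str
    remote_ip: str
    path: str
    detected_at: datetime

def analyze(alert):
    """Step 2 of the L1 loop: check IP, hash and user, collecting findings."""
    findings = []
    if alert.file_hash in KNOWN_BAD_HASHES:
        findings.append("hash matches known malware")
    if alert.remote_ip in KNOWN_BAD_IPS:
        findings.append("remote IP is on the threat-intel blocklist")
    if alert.user != ASSET_OWNER.get(alert.host):
        findings.append("user is not the expected owner of this host")
    return findings

def triage(alert):
    """Steps 3-4: decide TP/FP and write the ticket; closed alerts get one too."""
    findings = analyze(alert)
    return {
        "what": f"{alert.rule} on host {alert.host}",
        "when": alert.detected_at.isoformat(),
        "where": f"{alert.host}:{alert.path}",
        "who": alert.user,
        "why": "; ".join(findings) or "no malicious indicators found",
        "verdict": "true_positive" if findings else "false_positive",
        "action": "escalate_to_L2" if findings else "close",
    }

# Sample alerts modelled on the Harry PC scenario (constructed values).
SAMPLE_ALERT = Alert("Malware detected", "Harry PC", "Harry", "deadbeef" * 8,
                     "203.0.113.45", r"C:\Users\Harry\Downloads\setup.exe", datetime(2026, 4, 5, 13, 20))
BENIGN_ALERT = Alert("Suspicious download", "Harry PC", "Harry", "00" * 32,
                     "10.0.0.7", r"C:\Users\Harry\Downloads\report.pdf", datetime(2026, 4, 5, 14, 0))
```

Both alerts produce a ticket; only the one with findings is escalated, which is the "document everything" rule from the triage note in practice.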

Phase 3-

Phase 3 is incident response and forensics.

  • Sometimes the reported activity is highly malicious (critical); in this scenario higher-level teams initiate an IR.

  • A few times a detailed forensics activity also needs to be performed; this forensics determines the incident's root cause.

3. Technology

  • Having the right people and processes is not enough without security solutions for detection and response.

  • Technology in the SOC pillars = SOC Solutions.

  • These solutions minimize the SOC team's manual effort to detect and respond to threats.

  1. SIEM - A popular tool used in every SOC environment. It collects logs from various network devices, referred to as log sources. Detection rules configured in the SIEM contain the logic to identify suspicious activity.

  2. EDR - Provides the SOC team with detailed real-time and historical visibility of the device's activity. It operates at the endpoint level and can carry out automatic responses, or responses in a few clicks.

  3. Firewall - For network security. It acts as a barrier between the internal and external networks (Internet). Monitors incoming and outgoing traffic and filters any unauthorized traffic.

  4. XDR - Same as EDR, but instead of focusing on monitoring and securing individual devices it secures the entire technology ecosystem.

  5. IDS, IPS, SOAR, TIP etc.
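An added example, not from the original notes, of the kind of detection logic a SIEM rule carries: a brute-force logon rule run over a constructed sample of forwarded Windows logon events (Event ID 4625 is a failed logon, 4624 a successful one). The log format, timestamps, addresses and account names are all made up for the example, and the rule's output is the alert that would land in the L1 triage queue.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows logon events (4625 = failed logon, 4624 =
# successful logon) as a SIEM might store them after normalisation. All
# timestamps, addresses and accounts are made up for this example.
SAMPLE_LOGS = """\
2026-04-05T13:10:01 EventID=4625 SrcIP=203.0.113.45 Account=harry
2026-04-05T13:10:04 EventID=4625 SrcIP=203.0.113.45 Account=admin
2026-04-05T13:10:07 EventID=4625 SrcIP=203.0.113.45 Account=root
2026-04-05T13:10:09 EventID=4625 SrcIP=203.0.113.45 Account=backup
2026-04-05T13:10:12 EventID=4625 SrcIP=203.0.113.45 Account=guest
2026-04-05T13:11:30 EventID=4624 SrcIP=10.0.0.7 Account=harry
2026-04-05T13:15:00 EventID=4625 SrcIP=10.0.0.7 Account=harry
2026-04-05T13:25:00 EventID=4625 SrcIP=10.0.0.7 Account=harry
"""

def parse(line):
    """Split one normalised log line into (timestamp, {field: value})."""
    ts, *fields = line.split()
    return datetime.fromisoformat(ts), dict(f.split("=", 1) for f in fields)

def brute_force_rule(log_text, threshold=5, window=timedelta(minutes=1)):
    """Detection rule: >= threshold failed logons from one source IP inside
    a sliding window. Fires once per offending IP and returns the alerts
    that would land in the L1 triage queue."""
    recent = defaultdict(deque)   # src_ip -> deque of (timestamp, account)
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        ts, ev = parse(line)
        if ev["EventID"] != "4625":
            continue                       # only failures count here
        q = recent[ev["SrcIP"]]
        q.append((ts, ev["Account"]))
        while ts - q[0][0] > window:       # drop events that aged out
            q.popleft()
        if len(q) >= threshold and ev["SrcIP"] not in alerted:
            alerted.add(ev["SrcIP"])
            alerts.append({
                "rule": "brute_force_logon",
                "src_ip": ev["SrcIP"],
                "when": ts.isoformat(),
                "failures": len(q),
                "accounts": sorted({acct for _, acct in q}),
            })
    return alerts
```

On the sample, the five failures from 203.0.113.45 within eleven seconds fire the rule once, while the two failures from 10.0.0.7 ten minutes apart stay under the window and produce nothing.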