Skip to main content

SOC L1, L2 & L3 Analyst Responsibilities

 What is SOC? - Go to Introduction to SOC

SOC L1 Analyst Responsibilities:

  • Monitoring SIEM tool and detecting incidents.
  • Monitoring resources and assets, analyzing log data to identify any anomalies.
  • Identifying true positives and false positives.
  • Report incident to SOC and any other relevant teams.
  • Escalating the incidents when SLA's are not met.
  • Assisting SOC L2 & L3 Analysts in incident detection, workflow, remediations and resolutions.
  • Communicate with the external teams for proper incident resolution.
  • Monitoring SIEM health status.
  • Follow up on escalated incidents.

SOC L2 Analyst Responsibilities:

    • Validating the incidents escalated by L1 Analysts.
    • In depth investigation on the incidents.
    • Recommending mitigation strategies to resolve the incident.
    • Manage SIEM tool and updating the log baselines.
    • Generating and delivering daily, weekly, and monthly reports on time.
    • Incident knowledge base.
    • Communicating with external entities to resolve any queries on the raised incidents.
    • On time alert escalations when SLA's are not met.
    • Follow up on escalated incidents.

    SOC L3 Analyst Responsibilities:

    • Leading SOC team and maintaining SOC.
    • Managing the containment, remediation, reporting the incidents.
    • Performing Root Cause Analysis on the escalated incidents.
    • Providing guidance on post-incident risk reduction.
    • Investigate and follow up on escalated events / incidents.
    • Guiding on corrective measures in resolving the incidents compromising security.
    • Recommending preventive measures.
    • Supporting threat hunting, forensics and threat intelligence.
    • Maintaining SOC architecture and incident response plans.

    Comments

    Popular posts from this blog

    SOC Types and Roles

      Types of SOC Models Each organization has its own requirements and budget allocated to SOC. So, there are several types of SOC based on those requirements and budget: In-House SOC – Organization builds their own cybersecurity team. But such organization should have a budget to support the survival of the SOC team. Virtual SOC – SOC team does not have their own facility and works often from remote locations. Co-Managed SOC – Organization’s internal SOC team works with an external Managed Security Service Provider (MSSP). In this model, communication and coordination between internal and external teams is important. Command SOC – Senior and experienced SOC team overseeing the smaller SOCs in a large region. Major telecom providers and defense agencies operate on this model. SOC – People, Processes, and Technology A strong coordination between people, processes, and technologies is required to build a strong, capable and successful SOC. People – SOC needs highly trained employees...

    What is SIEM? - Overview

    SIEM - Security Information and Event Management, a security solution to address security threats and vulnerabilities which can interfere with organization's business operations. SIEM tool helps the organization's security team to detect any anomalies in its network and alerts the SOC team. Most recent SIEM tools have incorporated artificial intelligence (AI) which can help in automating most of the manual processes related to threat detection and incident response increasing productivity. SIEM = SIM + SEM SIM - Security Information Management SEM - Security Event Management SIEM is the combination of SIM and SEM, enabling the real-time monitoring and analysis of security events along with tracking and logging of security data for compliance / auditing.  SIEM has evolved over the years and embedded UEBA - User & Entity Behavior Analytics along with many other security analytics and features like AI and machine learning to identify any abnormal or anomalous user behaviors wh...