📊 SOC Operations
Security Operations Center workflows — SIEM, SOAR, incident response, threat hunting, detection engineering, and alert triage processes.
Overview
The Security Operations Center (SOC) is the nerve center of an organization's security posture. It combines people, processes, and technology to continuously monitor the environment and to detect, analyze, and respond to cybersecurity incidents. Modern SOCs use a SIEM for log correlation, SOAR for automated response, EDR/XDR for endpoint visibility, and threat intelligence for proactive defense.
Key Concepts
SIEM
Security Information & Event Management — aggregates, normalizes, and correlates logs from across the environment. Powers alerting, dashboards, and compliance reporting. Tools: Splunk, Sentinel, QRadar, Elastic.
SOAR
Security Orchestration, Automation & Response — automates incident response playbooks, integrates tools, and reduces mean time to respond (MTTR). Enables tier-1 automation for high-volume, low-complexity alerts.
Incident Response (IR)
Structured process: Preparation → Detection → Containment → Eradication → Recovery → Lessons Learned. Follows NIST SP 800-61 framework.
Threat Hunting
Proactive, hypothesis-driven searching for threats that evade automated detection. Uses MITRE ATT&CK for hunt hypotheses and techniques.
Detection Engineering
Building, testing, and maintaining detection rules and analytics. Uses Sigma rules, YARA signatures, and correlation logic. Measures detection coverage against MITRE ATT&CK.
SOC Tiers
Tier 1: Alert triage and initial analysis. Tier 2: Deep investigation and incident handling. Tier 3: Advanced threat hunting, malware analysis, and detection engineering.
SOC Workflow Architecture
[Figure: SOC Incident Lifecycle. From log ingestion to incident resolution and continuous improvement.]
Interview Preparation
Walk me through how you would investigate a suspicious alert.
1) Review the alert details — source, destination, timestamp, rule triggered.
2) Check for false positive patterns and historical context.
3) Pivot on IOCs — query IP/domain in TI feeds, check file hashes.
4) Examine endpoint telemetry (EDR) for process trees, file modifications.
5) Check lateral movement indicators — unusual auth events across hosts.
6) Determine scope and impact.
7) If confirmed threat: escalate, contain (isolate host, block IP), document in IRP, and begin eradication.
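The seven steps above, carried out as a SOAR-style enrichment function. This is an added example, not code from the original page; the TI feed, EDR process tree, logon events and known false-positive list are constructed inline and stand in for the lookups a real playbook would make against Splunk, Sentinel or an EDR API.

```python
# Constructed sample data (not real indicators): what a SOAR enrichment playbook
# would pull from a TI feed, EDR process telemetry and the SIEM logon index.
TI_BAD_IPS = {"198.51.100.23"}                     # RFC 5737 documentation range
TI_BAD_HASHES = {"deadbeef" * 8}                   # placeholder sha256
EDR_PROCESS_TREE = {                               # host -> [(parent, child, sha256)]
    "WS-042": [("outlook.exe", "winword.exe", "a1" * 32),
               ("winword.exe", "powershell.exe", "deadbeef" * 8)],
}
AUTH_EVENTS = [                                    # constructed logon events
    {"user": "jdoe", "src": "WS-042", "dst": "WS-042", "type": "interactive"},
    {"user": "jdoe", "src": "WS-042", "dst": "FS-01", "type": "network"},
    {"user": "jdoe", "src": "WS-042", "dst": "DC-01", "type": "network"},
]
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
# (rule, source host) pairs already tuned as known false positives (step 2).
KNOWN_FP = {("Rare parent-child process", "scanner.corp.example")}

def triage(alert, auth_events=AUTH_EVENTS):
    """Steps 1-7 from the answer above; step 1 is the alert record passed in."""
    out = {"rule": alert["rule"], "host": alert["host"], "iocs": [], "actions": []}
    # Step 2: a known false-positive pattern is closed without further pivoting.
    if (alert["rule"], alert["host"]) in KNOWN_FP:
        out.update(verdict="false_positive", scope={alert["host"]})
        return out
    # Step 3: pivot on the alert's network IOC against the TI feed.
    if alert.get("dst_ip") in TI_BAD_IPS:
        out["iocs"].append(("ip", alert["dst_ip"]))
    # Step 4: EDR process tree: known-bad hash, or an Office app spawning PowerShell.
    for parent, child, sha in EDR_PROCESS_TREE.get(alert["host"], []):
        if sha in TI_BAD_HASHES:
            out["iocs"].append(("hash", sha))
        if parent in OFFICE_APPS and child == "powershell.exe":
            out["iocs"].append(("behaviour", f"{parent}->{child}"))
    # Step 5: lateral movement: network logons from the alerting host to other hosts.
    lateral = {e["dst"] for e in auth_events
               if e["src"] == alert["host"] and e["dst"] != alert["host"]
               and e["type"] == "network"}
    # Step 6: scope is the alerting host plus every host it authenticated to.
    out["scope"] = {alert["host"]} | lateral
    # Step 7: confirmed threat -> containment actions for the IRP record;
    # otherwise hand to Tier 2 rather than closing a host we could not clear.
    if out["iocs"]:
        out["verdict"] = "confirmed"
        out["actions"].append("isolate:" + alert["host"])
        out["actions"] += ["block:" + v for k, v in out["iocs"] if k == "ip"]
        out["actions"] += ["investigate:" + h for h in sorted(lateral)]
    else:
        out["verdict"] = "needs_tier2_review"
    return out
```

Hosts the origin authenticated to are queued for investigation rather than isolated automatically, since a domain controller or file server in scope needs a human decision before containment.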
What is the difference between EDR and XDR?
EDR (Endpoint Detection & Response) focuses on endpoint visibility — process monitoring, file integrity, threat detection, and automated response on individual hosts. XDR (Extended Detection & Response) extends this across multiple security layers — endpoints, network, email, cloud, identity — providing correlated detection and unified investigation. XDR reduces alert fatigue by connecting related events across the entire attack surface into a single incident view.
Framework Mapping
| Framework | Relevant Controls |
|---|---|
| NIST | SP 800-61 (IR Guide), SP 800-92 (Log Mgmt), CSF DE.CM (Continuous Monitoring), CSF RS (Respond) |
| MITRE | Full ATT&CK Matrix for detection mapping, D3FEND for defensive techniques |