02-SC SOC Analyst - Workflow
SOC Analysts: Workflow
Initial Workflow
Traditional SOC Workflow
1. Collect Triggered Rules
2. Automated Analysis
3. Validation & Manual Analysis
4. Create Case
5. Respond
6. Document
7. Improve the process
[Diagram: tiered escalation flow, SOC Lv 1 to SOC Lv 2 to SOC Lv 3, with Escalate, Respond and Close paths at each level and Cases linking the levels]
▪ Case Tracking system useful for tracking and coordinating activities across teams
Escalation
[Diagram: case escalation flow (SOC, Close) tied back to the Underlying Attack]
▪ Assign It
• Create a User as a Queue?
▪ Adjust Priority (if needed)
▪ When Analysis begins, set Status to In Progress
▪ Description for notes
▪ Consider policy for renaming Incidents
▪ Consider policy for when to mark Resolved / Cancelled
• Too soon, no grouping
▪ Close Alert
• Define your policy
• Status: Ignored – no actions taken
• Status: Closed – actions taken
• Track Recovery Phase in Case
▪ Everything grouped
▪ Quick pivot to related details
▪ Diagram of Observables (artifacts)
• User
• Host
• External_host
• Service
• URL
• File
• Process
• Registry
▪ Focus on Alerts
▪ Icon for Alert Detail window
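As an added illustration (not part of the Stellar Cyber slides), the case-handling policy above modelled in Python: assign and mark In Progress when analysis begins, distinguish Ignored (no actions taken) from Closed (actions taken) when closing an alert, refuse to mark a case Resolved while grouped alerts are still open, and pivot across the observable types listed on the slide. The alert IDs, hostnames and the New status are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
# Observable (artifact) categories from the slide's diagram.
OBSERVABLE_TYPES = {"User", "Host", "External_host", "Service",
                    "URL", "File", "Process", "Registry"}

class AlertStatus(Enum):
    OPEN = "Open"
    IGNORED = "Ignored"  # closed, no actions taken
    CLOSED = "Closed"    # closed, actions taken

class CaseStatus(Enum):
    NEW = "New"          # constructed starting state, not named on the slide
    IN_PROGRESS = "In Progress"
    RESOLVED = "Resolved"
    CANCELLED = "Cancelled"

@dataclass
class Alert:
    alert_id: str
    observables: dict  # type -> value, e.g. {"Host": "ws-17", "File": "x.exe"}
    status: AlertStatus = AlertStatus.OPEN

@dataclass
class Case:
    case_id: str
    assignee: str = ""
    status: CaseStatus = CaseStatus.NEW
    alerts: list = field(default_factory=list)  # everything grouped under the case

    def add_alert(self, alert: Alert) -> None:
        unknown = set(alert.observables) - OBSERVABLE_TYPES
        if unknown:
            raise ValueError(f"unknown observable type(s): {sorted(unknown)}")
        self.alerts.append(alert)
    def begin_analysis(self, analyst: str) -> None:
        self.assignee = analyst  # assign, then mark In Progress as analysis starts
        self.status = CaseStatus.IN_PROGRESS
    def close_alert(self, alert_id: str, actions_taken: bool) -> AlertStatus:
        alert = next(a for a in self.alerts if a.alert_id == alert_id)
        alert.status = AlertStatus.CLOSED if actions_taken else AlertStatus.IGNORED
        return alert.status
    def resolve(self) -> CaseStatus:
        # Not too soon: every grouped alert must be closed before Resolved.
        if any(a.status is AlertStatus.OPEN for a in self.alerts):
            raise RuntimeError("open alerts remain; keep the case In Progress")
        self.status = CaseStatus.RESOLVED
        return self.status
    def pivot(self, obs_type: str, value: str) -> list:
        # Quick pivot to related details: alerts sharing this observable.
        return [a.alert_id for a in self.alerts if a.observables.get(obs_type) == value]
```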