Lesson 1 of 6 · 9 min read · Includes quiz

Inside the SOC

SOC structure, L1/L2/L3 roles, shift handoffs

What You'll Learn

  • Understand the purpose and mission of a Security Operations Center (SOC)
  • Identify the three analyst tiers (L1, L2, L3) and what each one does daily
  • Explain how 24/7 shift coverage and handoffs work in real SOC environments
  • Trace the path of a security alert from data source to analyst action
  • Understand where you fit in the SOC as a new analyst

What Is a SOC?

A Security Operations Center (SOC) is the central nervous system of an organization's cybersecurity defense. It's a dedicated team — and often a physical room — where security professionals monitor, detect, analyze, and respond to cyber threats around the clock.

Think of it this way: if a company's network is a city, the SOC is the police headquarters. It has surveillance cameras everywhere (log sources), a central dispatch system (the SIEM), and officers at different ranks (analyst tiers) who respond to incidents based on severity.

Most organizations with valuable digital assets operate some form of SOC, whether in-house, outsourced to a Managed Security Service Provider (MSSP), or as a hybrid of the two. The SOC's mission is simple but critical:

Detect threats early. Respond fast. Minimize damage.

The SOC's Core Functions

Function      | What It Means                            | Example
Monitoring    | Watching for suspicious activity 24/7    | An alert fires for 50 failed logins in 2 minutes
Detection     | Identifying real threats vs. noise       | Determining the failed logins came from a foreign IP, not a user who forgot their password
Investigation | Digging deeper into confirmed alerts     | Checking if the IP has been seen in threat feeds, what other systems it touched
Response      | Taking action to contain and fix         | Blocking the IP at the firewall, resetting the targeted account, opening an incident case
Reporting     | Documenting everything                   | Writing an incident report with timeline, IOCs, and recommendations

Real-World Context: A typical enterprise SOC handles anywhere from 500 to 10,000+ alerts per day. The vast majority (80-95%) are false positives or low-priority noise. The SOC analyst's core skill is rapidly separating the real threats from the noise — a skill you'll practice extensively in Module 4.

The Three Analyst Tiers

Not every alert needs the same level of expertise. SOCs organize their analysts into tiers, each with distinct responsibilities and skills. Understanding this structure is essential because it tells you exactly what's expected of you at each career stage.

[Figure: SOC Tier Structure — L1, L2, L3 roles and escalation flow]

Tier 1 — Alert Analyst (Where You Start)

The L1 analyst is the frontline defender. You're the first human eyes on every alert that the SIEM generates. Your job is speed and accuracy:

  • Monitor the alert queue — new alerts arrive constantly, and they need to be acknowledged
  • Initial triage — is this alert a True Positive (real threat) or False Positive (noise)?
  • Classify and prioritize — assign severity, tag the alert type (malware, brute force, phishing, etc.)
  • Escalate or close — if it's beyond your scope, escalate to L2 with context; if it's a false positive, document why and close it

Day in the life of an L1: You arrive at your shift. There are 47 unacknowledged alerts in the queue. You open each one, check the source IP, destination, rule that triggered, and cross-reference with recent threat feeds. In 2 hours you've triaged 30 alerts — 26 false positives, 3 true positives (escalated to L2), and 1 you're still investigating.
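The triage loop described above, written out as an added example (not the course platform's or Wazuh's code): enrich a failed-login alert with a constructed threat feed and the organization's internal address ranges, return a TP / FP / INVESTIGATE verdict with the reasons recorded, and render the escalation note an L2 analyst would expect. The alert fields, IPs, feed entry and internal ranges are all assumptions made for the example.

```python
"""Added example (not the course platform's or Wazuh's code): the L1 triage
decision on one failed-login alert. It enriches the alert with a constructed
threat feed and internal address ranges, returns a TP / FP / INVESTIGATE
verdict with the reasons, and renders the escalation note L2 expects.
All alerts, IPs and feed entries below are constructed for the example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumptions: a tiny in-memory threat feed and the org's internal ranges.
THREAT_FEED = {"203.0.113.77": "listed as SSH brute-force source (constructed feed)"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class Alert:
    rule: str
    src_ip: str
    target_user: str
    failed_logins: int
    success_after_failures: bool
    distinct_users: int = 1


@dataclass
class Verdict:
    decision: str            # "TP", "FP" or "INVESTIGATE"
    severity: str            # Critical / High / Medium / Low
    escalate: bool
    reasons: list = field(default_factory=list)


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(alert: Alert) -> Verdict:
    """Apply the L1 checks in order of how decisive they are; every branch records why."""
    reasons = []
    internal = is_internal(alert.src_ip)
    feed_hit = THREAT_FEED.get(alert.src_ip)
    if feed_hit:
        reasons.append(f"{alert.src_ip} in threat feed: {feed_hit}")
    # 1. Failures followed by a success from outside the network: the account is likely compromised.
    if alert.success_after_failures and not internal:
        reasons.append("successful login after repeated failures from an external source")
        return Verdict("TP", "Critical", True, reasons)
    # 2. External source hammering accounts (many targets, a feed hit, or high volume): brute force / spraying.
    if not internal and (alert.distinct_users > 1 or feed_hit or alert.failed_logins >= 20):
        reasons.append(f"{alert.failed_logins} failures against {alert.distinct_users} account(s) from external IP")
        return Verdict("TP", "High", True, reasons)
    # 3. Internal source, one account, modest count, no success: the classic mistyped password.
    if internal and alert.distinct_users == 1 and not alert.success_after_failures and alert.failed_logins < 20:
        reasons.append("internal source, single account, no success: consistent with a mistyped password")
        return Verdict("FP", "Low", False, reasons)
    # 4. Anything else (for example an internal host that failed and then succeeded) needs a human look.
    reasons.append("does not match a known benign or malicious profile; check the endpoint and user")
    return Verdict("INVESTIGATE", "Medium", False, reasons)


def escalation_note(alert: Alert, verdict: Verdict) -> str:
    """The context L2 needs: what fired, who/where, what L1 concluded and why, what is still open."""
    lines = [
        f"Rule: {alert.rule}",
        f"Source: {alert.src_ip} ({'internal' if is_internal(alert.src_ip) else 'external'})",
        f"Target: {alert.target_user} ({alert.distinct_users} account(s), {alert.failed_logins} failures, "
        f"success after failures: {'yes' if alert.success_after_failures else 'no'})",
        f"L1 verdict: {verdict.decision} / {verdict.severity}",
    ]
    lines += [f"  - {r}" for r in verdict.reasons]
    lines.append("Pending: confirm on the endpoint, check for lateral movement from the host")
    return "\n".join(lines)


if __name__ == "__main__":
    a = Alert("sshd: multiple authentication failures", "203.0.113.77", "root", 50, False)
    print(escalation_note(a, triage(a)))
```

Note that the fourth branch exists on purpose: an internal host that fails and then succeeds is exactly the case L1 should not close on its own, because the same pattern covers both a user who finally remembered their password and an attacker spraying from a compromised workstation. Recording the reasons on every branch is what makes the close-as-FP decisions reviewable later.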

💡 Career Tip: L1 is not a permanent position — it's a launchpad. Most analysts spend 6-18 months at L1 before moving to L2. The analysts who advance fastest are the ones who don't just close alerts — they document why they made each decision, learn the patterns, and proactively ask L2/L3 analysts questions.

Tier 2 — Incident Responder

When L1 escalates an alert, it lands on the L2 analyst's desk. The L2 takes over and performs a deep investigation:

  • Root cause analysis — how did the attacker get in? What vulnerability was exploited?
  • Scope assessment — are other systems affected? Is this an isolated event or part of a campaign?
  • Containment — isolate compromised endpoints, block malicious IPs, disable compromised accounts
  • Evidence collection — gather forensic artifacts (memory dumps, disk images, network captures)
  • Incident documentation — build a timeline, map to MITRE ATT&CK, write the incident report

L2 analysts need deeper technical skills: memory forensics, network packet analysis, reverse engineering basics, and strong familiarity with the entire tool stack.

Tier 3 — Threat Hunter & Engineer

L3 is the most proactive tier. Instead of waiting for alerts, L3 analysts go looking for threats that slipped past the automated detections:

  • Threat hunting — hypothesis-driven searches through logs and telemetry for hidden adversary activity
  • Detection engineering — writing new detection rules (SIEM correlation rules, Sigma rules for log events, YARA rules for files and memory) to catch threats that weren't previously detected
  • Tool development — building automations, playbooks, and custom scripts to improve SOC efficiency
  • Adversary emulation — simulating attacks to test the SOC's detection capabilities
  • Mentoring — guiding L1 and L2 analysts, reviewing escalations, sharing threat intelligence

Important: These tiers are not rigid walls. In smaller SOCs (3-5 people), one analyst might wear all three hats. In large enterprise SOCs (20-50+ people), the tiers are clearly separated with dedicated teams. The skills you learn in this course span all three tiers — you'll start at L1 and build toward L3 capabilities.

How SOC Shifts Work

Attackers don't work 9-to-5. Neither does the SOC. Most SOCs operate on a 24/7/365 rotation, ensuring there's always at least one pair of eyes on the alert queue.

[Figure: SOC Shift Handoff Process — Ensuring continuous 24/7 coverage]

Common Shift Models

Model          | Schedule                                   | Pros                                | Cons
3x8            | Three 8-hour shifts (Day, Swing, Night)    | Standard work hours, less fatigue   | Requires 3 full teams
2x12           | Two 12-hour shifts (Day, Night)            | Fewer handoffs, simpler scheduling  | Long shifts cause fatigue
4x10 + Weekend | Four 10-hour weekdays + weekend rotation   | Good work-life balance on weekdays  | Complex scheduling

The Handoff: Most Critical Moment

The shift handoff is where incidents fall through the cracks if done poorly. A good handoff includes:

  1. Open incidents — status, current actions, what's pending
  2. Escalated alerts — anything waiting on L2/L3 response
  3. Ongoing investigations — where you left off, what to check next
  4. System/tool issues — "Suricata was down for 20 minutes, we may have gaps in network logs"
  5. Notable observations — "Seeing unusual DNS queries from the marketing subnet, not confirmed malicious yet"

Most SOCs use a shared handoff document, a dedicated Slack/Teams channel, or a 15-minute verbal briefing at the start of each shift.

🚨 Critical Lesson: One of the most common causes of missed incidents in real SOCs is poor handoff communication. An L1 analyst notices something suspicious but doesn't document it. Their shift ends. The next analyst starts fresh with no context. By the time someone re-discovers the activity, the attacker has been inside for another 12 hours. Always document your observations — even hunches.

The SOC Data Flow

Understanding how data flows through the SOC is fundamental. Every tool you'll learn in this course sits somewhere in this pipeline:

[Figure: SOC Data Flow — From data sources to analyst action]

Step-by-Step Flow

1. Data Sources Generate Logs

Everything in the environment produces logs: Windows endpoints write Event Logs, firewalls log allowed/blocked connections, email gateways log incoming messages, DNS servers log every domain query, and cloud services log API calls.

2. Logs Are Collected and Normalized

Agents (like the Wazuh agent) or syslog forwarders ship these logs to a central location. Raw logs come in many different formats — Windows XML, JSON, CEF, plain text. The collection layer normalizes them into a consistent format so they can be searched and correlated.

3. The SIEM Correlates and Alerts

The SIEM (in our platform, Wazuh) applies thousands of detection rules against the incoming log stream. When a rule matches — say, "5 failed logins followed by a successful login from the same IP within 10 minutes" — it generates an alert.

4. Alerts Enter the Queue

Alerts are prioritized by severity (Critical, High, Medium, Low, Informational) and appear in the analyst's dashboard. This is where your work begins.

5. Analyst Investigates

You open the alert, examine the raw logs, check the source against threat intelligence (MISP), investigate the endpoint (Velociraptor), and make a decision: close as false positive, or escalate.

6. Incident Response

If confirmed malicious, a case is opened in TheHive, containment actions are taken, and the full incident lifecycle begins. Automation tools like Shuffle can accelerate repetitive steps.
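Steps 2 through 4 of that flow, plus the failed-login examples from the core functions table, as an added example rather than Wazuh's own code: two raw log formats (sshd syslog text and Windows-style JSON security events) are normalized into one schema, two correlation rules run over the time-ordered stream (the "failures followed by a success" rule from step 3, and a plain failure-burst rule), and the resulting alerts are sorted into a severity-ordered queue. Hostnames, IPs, event timestamps and log lines are constructed; the sshd line layout assumes the forwarder prefixed an ISO-8601 timestamp, and the thresholds are assumptions, not Wazuh's defaults.

```python
"""Added example (not Wazuh's code): a miniature version of steps 2-4 above.
Two raw log formats are normalized into one schema, two correlation rules run
over the time-ordered stream, and the resulting alerts are sorted into a
severity-ordered queue. Hostnames, IPs and log lines are constructed; the
sshd line layout assumes the forwarder prefixed an ISO-8601 timestamp."""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timezone


def _ssh(ts, outcome, user, ip, host="linux-web-01"):
    return f"{ts} {host} sshd[2211]: {outcome} password for {user} from {ip} port 51122 ssh2"


def _win(ts, event_id, user, ip, host="win-fs-01"):
    return json.dumps({"TimeCreated": ts, "Computer": host, "EventID": event_id,
                       "TargetUserName": user, "IpAddress": ip})


# Constructed sample stream: a brute force that succeeds, a user mistyping a
# password, a password spray that never succeeds, and one unrelated line.
RAW_LOGS = (
    [_ssh(f"2024-03-03T10:00:0{i}Z", "Failed", "root", "203.0.113.77") for i in range(1, 7)]
    + [_ssh("2024-03-03T10:00:30Z", "Accepted", "root", "203.0.113.77")]
    + [_win(f"2024-03-03T10:01:1{i}Z", 4625, "jsmith", "10.0.4.12") for i in range(3)]
    + [_win("2024-03-03T10:01:20Z", 4624, "jsmith", "10.0.4.12")]
    + [_ssh(f"2024-03-03T10:05:{i:02d}Z", "Failed", f"user{i}", "198.51.100.9") for i in range(12)]
    + ["2024-03-03T10:06:00Z linux-web-01 CRON[100]: (root) CMD (run-parts /etc/cron.hourly)"]
)

SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
                    r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(line):
    """Step 2: map one raw line onto the common schema; None for lines no parser owns."""
    if line.startswith("{"):
        ev = json.loads(line)
        if ev.get("EventID") not in (4624, 4625):   # 4624 = logon success, 4625 = logon failure
            return None
        return {"ts": parse_ts(ev["TimeCreated"]), "host": ev["Computer"], "user": ev["TargetUserName"],
                "src_ip": ev["IpAddress"], "outcome": "success" if ev["EventID"] == 4624 else "failure",
                "source": "windows-security"}
    m = SSH_RE.match(line)
    if not m:
        return None
    return {"ts": parse_ts(m["ts"]), "host": m["host"], "user": m["user"], "src_ip": m["ip"],
            "outcome": "success" if m["outcome"] == "Accepted" else "failure", "source": "sshd"}


def _alert(rule, severity, ev, count):
    return {"rule": rule, "severity": severity, "ts": ev["ts"], "src_ip": ev["src_ip"],
            "host": ev["host"], "user": ev["user"], "count": count}


def correlate(events, fail_then_success=(5, 600), burst=(10, 120)):
    """Step 3: two stateful rules keyed on source IP.
    - brute-force-then-success: >= N failures in the W seconds before a success (Critical)
    - auth-failure-burst: N failures within W seconds, fired once when the count is reached (Medium)
    """
    fts_n, fts_w = fail_then_success
    burst_n, burst_w = burst
    failures = defaultdict(deque)        # src_ip -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        window = failures[ev["src_ip"]]
        while window and (ev["ts"] - window[0]).total_seconds() > max(fts_w, burst_w):
            window.popleft()             # forget failures older than the longest window
        if ev["outcome"] == "failure":
            window.append(ev["ts"])
            recent = sum(1 for t in window if (ev["ts"] - t).total_seconds() <= burst_w)
            if recent == burst_n:
                alerts.append(_alert("auth-failure-burst", "Medium", ev, recent))
        else:
            prior = sum(1 for t in window if (ev["ts"] - t).total_seconds() <= fts_w)
            if prior >= fts_n:
                alerts.append(_alert("brute-force-then-success", "Critical", ev, prior))
            window.clear()               # a success ends the attempt sequence for this IP
    return alerts


def run_pipeline(raw_lines):
    """Steps 2-4 end to end: returns the severity-ordered queue and the count of unparsed lines."""
    events = [e for e in map(normalize, raw_lines) if e]
    queue = sorted(correlate(events), key=lambda a: (SEVERITY_RANK[a["severity"]], a["ts"]))
    return queue, len(raw_lines) - len(events)


if __name__ == "__main__":
    queue, dropped = run_pipeline(RAW_LOGS)
    for a in queue:
        print(f"{a['severity']:8} {a['rule']:26} {a['src_ip']:15} -> {a['host']}/{a['user']} ({a['count']} failures)")
    print(f"{dropped} line(s) matched no parser")
```

Two details matter in practice. The rules are keyed on source IP after normalization, so a single rule covers both the Linux and Windows events without knowing which format they came from; that is the whole point of step 2. And the pipeline reports how many lines matched no parser: a sudden jump in that number is the "we may have gaps in network logs" situation from the handoff checklist, and it should be surfaced as a tooling issue rather than silently dropped.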

Where You Fit In

As you begin this course, you're training for the L1 Alert Analyst role — the most in-demand position in cybersecurity. Here's what that means:

What You'll Do                   | What You Need
Triage 50-200 alerts per shift   | Speed + accuracy in classification
Determine TP vs. FP              | Knowledge of common attack patterns
Document your findings           | Clear, concise technical writing
Escalate with context            | Understanding of what L2 needs from you
Learn the tools                  | Hands-on practice (that's what the labs are for)

By the end of this course, you won't just know what a SOC is — you'll have the skills of an analyst who's been working in one. Every module builds directly on this foundation.

Key Takeaways

  • A SOC is the 24/7 command center for detecting and responding to cyber threats
  • L1 analysts triage alerts, L2 investigates and responds, L3 hunts and engineers
  • Shift handoffs are critical — poor communication = missed incidents
  • Data flows from sources → collection → SIEM → alert queue → analyst → response
  • You're training for the most in-demand role in cybersecurity: the SOC analyst

What's Next

Now that you understand the SOC structure and how it operates, the next lesson dives into The Attack Landscape — the adversary's perspective. You'll learn the frameworks (Kill Chain, Diamond Model) that SOC analysts use to understand and categorize the attacks they see every day. Understanding the attacker's playbook is essential for recognizing their moves in the alert queue.

Knowledge Check: Inside the SOC

10 questions · 70% to pass

1. What is the primary mission of a Security Operations Center (SOC)?

2. Which tier is responsible for initial alert triage and classification?

3. An L1 analyst finds evidence of a compromised endpoint but can't determine the full scope of impact. What should they do?

4. Why is the shift handoff considered the most critical moment in SOC operations?

5. In the SOC data flow, what happens immediately AFTER logs are collected and normalized?

6. Which SOC function involves writing new SIEM rules and building automation playbooks?

7. A typical enterprise SOC handles 500-10,000+ alerts per day. What percentage are usually false positives or low-priority noise?

8. What does the SIEM do when it detects a pattern matching a detection rule — for example, '5 failed logins followed by a successful login from the same IP within 10 minutes'?

9. In Lab 1.1, you investigated your first real Wazuh alert — an SSH brute force attack against linux-web-01. Which Wazuh rule ID triggered for this brute force detection?

10. During Lab 1.1, the SSH brute force alert showed source IP 185.220.101.42 targeting the root account on linux-web-01. Based on the SOC data flow from this lesson, what was the correct sequence of events that produced this alert?
