SOC Analyst 1
- Category: IT Engineer & Developer Jobs
- Location: Ahmedabad, Gujarat
- Job Type: Full Time / Part Time
- Salary: Estimated: $19K to $22K
- Published on: 2025/09/21
SOC L1 Analyst Roles & Responsibilities
• As a SOC L1 Analyst, you are responsible for monitoring, detecting, and responding to security incidents. You will work closely with other SOC teams and support team members to ensure the security of the organization's IT infrastructure.
Monitoring and Incident Triage
• Continuously monitor alerts from security tools such as Microsoft Sentinel and Cortex XDR in the Oracle RightNow ticket portal.
• Investigate and analyze the source of alerts and potential incidents (e.g., analyzing source IPs, timestamps, network traffic, etc.).
• Validate whether alerts generated by tools like Cortex XDR or Microsoft Sentinel require further investigation or if they can be safely closed.
• Evaluate potential false positives by checking various threat intelligence sources such as VirusTotal and AbuseIPDB for any indications of malicious activity.
Threat Hunting and Analysis
• Conduct proactive searches for potential threats within the environment based on known indicators of compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs).
• Review historical logs, security events, and other telemetry data from different tools (e.g., Cortex XDR, Palo Alto Panorama) to identify unusual patterns or malicious activities.
• Check alerts against known false positives, especially for alerts related to tools like Cortex XDR and Microsoft Sentinel.
• For repeated alerts, suggest whitelisting those alerts to the Support or SecEng team based on past historical data.
Threat Response
• Respond to detected incidents by following the predefined Standard Operating Procedures (SOPs).
• For incidents that require further action, escalate to higher-level SOC analysts (SOC L2 or SOC L3) for deeper analysis or containment.
• When alerts require whitelisting or other configuration adjustments, escalate incidents to SOC L2 teams for further action.
• Escalate unresolved alerts to the CSM (Customer Success Manager) when a customer has not responded to alerts over an extended period.
• Open manual tickets in the Oracle RightNow ticket portal if Sentinel automation fails to generate the required incident tickets.
• Ensure all relevant incident data, including the nature of the alert, any investigation steps, and actions taken, is logged accurately for tracking purposes.
Coordination and Communication
• Coordinate with the Security Engineering (SecEng) team or other teams if misconfiguration alerts are detected or if a new configuration task is required to address potential vulnerabilities.
• If a customer has not responded to alerts or incidents, reach out to the CSM (Customer Success Manager) for further engagement and communication with the customer.
• Suggest and share any relevant findings or insights with the SOC team to enhance investigations and improve incident response.
Configuration Management and Automation
• Report any issues with automated systems or configurations that may impact alert accuracy or effectiveness.
• If automation (e.g., Sentinel automation) fails to generate tickets or does not trigger appropriate actions, escalate the issue to the team responsible for fixing the automation pipeline.
• Work with the L2 or SecEng team to whitelist alerts from Cortex XDR and Microsoft Sentinel.
Documentation and SOP Adherence
• Ensure that all activities are in line with SOC Standard Operating Procedures (SOPs), and follow established processes for escalation, investigation, and resolution.
Tools and Technologies
Security Monitoring Tools:
• Microsoft Sentinel
• Cortex XDR
• Palo Alto Panorama
• Grafana (for dashboarding and visualizing security data)
Threat Intelligence Sources:
• VirusTotal
• Cisco Talos
• AbuseIPDB
• Criminal IP
Incident Management:
• Oracle RightNow Ticket Portal
Other Tools:
• CMDB (for asset management and finding assets related to incidents)
• Threat Intelligence Platforms for investigating and verifying suspicious IP addresses, domains, and files.
• MX Toolbox: Email header analysis