Splunk Admin/Developer

Company:
UST
Location:
Thiruvananthapuram, Kerala, India
Posted:
April 26, 2024
Description:

Triage: Monitoring security alerts generated by security tools (e.g., SIEM, IDS/IPS) and performing initial analysis to determine their severity.

Identification: Identifying potential security incidents and escalating confirmed incidents to L2 or L3 for further investigation.

Incident Response: Executing predefined incident response playbooks and basic mitigation steps to contain and remediate minor incidents.

Documentation: Recording incident details and the response actions taken, and maintaining an incident log for future reference.

Access Management: Handling user access requests to SOC tools and systems, such as granting access to analysts and updating permissions.

Incident Handling: Investigating escalated incidents from L1, performing a deeper analysis to determine the extent of compromise, and implementing necessary remediation measures.

Hunting: Proactively searching for signs of advanced threats or indicators of compromise (IOCs) within the network environment.

Malware Analysis: Conducting preliminary analysis of suspicious files and malware to understand their behavior and potential impact.

Evidence Collection: Collecting and preserving evidence from security incidents for further investigation or potential legal action.

Tool Management: Configuring and fine-tuning security tools like SIEM, EDR, and firewalls to improve detection capabilities.

Threat Analysis: Conducting detailed analysis of sophisticated and advanced threats, including advanced persistent threats (APTs).

Architecture and Design: Designing and implementing security solutions, including network segmentation, security policies, and access controls.

Coordination: Coordinating with external parties such as law enforcement, incident response teams, or vendors in the event of significant security incidents.

Intelligence and Research: Keeping up with the latest threat intelligence and researching emerging threats to enhance the SOC's detection and response capabilities.

Investigation: Performing in-depth forensic investigations to understand the timeline of an incident, the techniques used by attackers, and the scope of the compromise.

Improvement: Identifying areas for process improvement, developing new tools or scripts for automation, and implementing best practices to enhance SOC efficiency.