L2/L2.5 Security Operations Center



Chennai, Tamil Nadu, India · TOCUMULUS · Full time · ₹ 15,00,000 - ₹ 19,00,000 per year

Position Overview

We are seeking a skilled and detail-oriented L2/L2.5 Security Operations Center (SOC) Analyst to join our Security Operations team. This role sits at the critical intersection of threat detection, incident investigation, and escalation management. The successful candidate will be responsible for identifying, investigating, and responding to security threats while mentoring L1 analysts and collaborating with senior security teams.

Position Type: Full-time

Location: [On-site / Hybrid / Remote]

Experience Level: 8 years in cybersecurity/SOC operations.

Key Responsibilities

Tier 2 Incident Analysis & Investigation (45%)

Alert Triage & Investigation:

· Analyze and investigate alerts/incidents escalated from L1 analysts

· Determine incident severity, scope, and impact on business operations

· Conduct root cause analysis for security events and anomalies

· Perform deep-dive forensic analysis on suspicious activities

· Create detailed incident investigation reports with findings and recommendations

Threat Assessment:

· Classify and categorize threats (malware, ransomware, APT, credential theft, data exfiltration, etc.)

· Evaluate threat credibility and validate true positives vs. false positives

· Assess threat actor capabilities, tactics, techniques, and procedures (TTPs)

· Determine data exposure and potential impact on the organization

Incident Containment & Response:

· Execute immediate containment measures to prevent threat propagation

· Isolate affected systems from the network when necessary

· Coordinate with IT Operations for system remediation and recovery

· Recommend and implement mitigation strategies

· Participate in incident response playbook execution

SIEM & Security Tool Management (25%)

SIEM Platform Operations:

· Monitor and manage SIEM (Security Information and Event Management) platform

· Create, modify, and optimize detection rules and correlation searches

· Develop custom dashboards and reports for security monitoring

· Tune alert thresholds to reduce false positives while maintaining detection sensitivity

· Maintain SIEM data integrity and log ingestion from all security sources

Security Tool Administration:

· Manage and maintain EDR (Endpoint Detection & Response) solutions

· Monitor firewall logs, IDS/IPS alerts, and network anomalies

· Review and escalate VPN access anomalies and unusual traffic patterns

· Manage DLP (Data Loss Prevention) incidents and policy violations

· Monitor and respond to vulnerability scanner findings and exploit attempts

Log Analysis & Threat Hunting:

· Perform manual log analysis to identify suspicious patterns and anomalies

· Conduct proactive threat hunting campaigns based on threat intelligence

· Search for indicators of compromise (IOCs) across infrastructure

· Analyze logs from Windows/Linux systems, applications, and network devices

· Create hunt packages and queries for recurring threat patterns

Escalation & Ticket Management (15%)

Alert Routing & Escalation:

· Escalate incidents to L3 analysts and specialized teams (incident response, forensics, threat intelligence)

· Determine appropriate escalation path based on incident severity and type

· Provide clear handoff documentation to specialized teams

· Monitor ticket status through resolution

· Perform quality assurance on closed tickets

Ticket Management:

· Document all investigations in ticketing system with comprehensive notes

· Maintain incident timeline and evidence chain of custody

· Update incident status and metrics tracking

· Meet SLA requirements for investigation and escalation (typically 4-8 hours for critical incidents)

· Generate metrics reports for team and management review

L1 Analyst Support & Mentoring (10%)

Knowledge Transfer:

· Mentor L1 analysts on investigation techniques and procedures

· Review L1 investigations and provide feedback for improvement

· Create runbooks and playbooks for common incident types

· Conduct training sessions on new threats, tools, and procedures

· Share threat intelligence and best practices with the SOC team

Quality Assurance:

· Review L1 alert dispositions and investigation quality

· Identify gaps in L1 knowledge and provide targeted training

· Validate that proper procedures are followed

· Suggest process improvements based on L1 experiences

Technical Competencies

Required Skills (Must Have)

Security Operations:

· 3-5 years' experience in SOC, threat detection, or incident response

· Proficiency with SIEM platforms (Splunk, ArcSight, QRadar, or similar)

· Hands-on experience with EDR solutions (CrowdStrike, Microsoft Defender, SentinelOne)

· Strong understanding of security frameworks (MITRE ATT&CK, NIST Cybersecurity Framework)

· Knowledge of incident response processes and procedures

· Experience with security monitoring tools and techniques

Technical Knowledge:

· Strong understanding of networking (TCP/IP, DNS, HTTP/HTTPS, VPN, firewalls)

· Windows and Linux system administration fundamentals

· Knowledge of common attack vectors and threat landscape

· Ability to read and interpret logs (Windows Event Logs, Syslog, firewall logs, web logs)

· Understanding of malware analysis concepts (static vs. dynamic analysis)

· Basic scripting knowledge (Python, Bash, or PowerShell) for automation tasks

Analytical Skills:

· Excellent analytical and problem-solving abilities

· Strong attention to detail and accuracy

· Ability to work through complex investigations methodically

· Data-driven decision making

· Pattern recognition and anomaly detection capabilities

Communication & Documentation:

· Excellent written communication for incident reports and escalations

· Ability to clearly explain technical findings to non-technical stakeholders

· Strong documentation and note-taking practices

· Clear verbal communication with team members and other departments

Desired Skills (Nice to Have)

· Threat Intelligence: Experience consuming and applying threat intelligence

· Advanced Forensics: Digital forensics or malware analysis experience

· Automation: Experience with Python, Ansible, or similar for playbook automation

· Cloud Security: Experience with AWS, Azure, or GCP security monitoring

· Certifications: GIAC Security Essentials (GSEC), CEH, Security+, CISSP, or similar

· Incident Response: Prior incident response team experience

· Vulnerability Management: Experience with vulnerability assessment and remediation

· Compliance: Knowledge of compliance frameworks (PCI-DSS, HIPAA, SOC 2, ISO 27001)


    Line Manager: Core ManagerJob title: Emergency Desk EngineerJob Abbreviation: L2 Engineer for Emergency (000) desk supportJob Family: Emergency Desk Engineer – L2Job Profile Definition:KPI Performance Monitoring: · Monitor Emergency dashboards for success & failures and initiate incidents for threshold breaches. · Callout to respective stakeholders...