Soc Analyst

The L1, L2 SOC Analyst leads advanced investigations, coordinates major incident responses and performs threat hunting, detection engineering and forensics. This role is also responsible for mentoring junior analysts, refining SOC processes and ensuring continuous improvement of detection and response capabilities.

KRAs

1. Critical Incident Leadership

2. Lead full lifecycle of P1/P2 incidents across customer environments.

3. Act as Incident Commander coordinating SOC, client, legal and business units.
4. Guide containment, eradication and recovery efforts.

5. Own timeline, documentation and RCA for major breaches.

6. Advanced Threat Detection & Adversary Emulation

7. Develop complex detection logic/use cases for evolving threats (APT, ransomware, 0-days).

8. Perform detection gap analysis using MITRE ATT&CK.

9. Work with Red Team to simulate adversarial behaviour and tune detections accordingly.

10. Proactive Threat Hunting & Hypothesis Testing

11. Plan and execute strategic, hypothesis driven threat hunts.

12. Build detection artifacts from telemetry (Windows logs, DNS, Proxy, EDR, cloud, etc.).
13. Document hunt assumptions, queries, outcomes and recommendations.

14. Automate repeated hunts using scripting or SOAR.

15. Digital Forensics (Intermediate to Advanced)

16. Extract and analyse endpoint/memory/disk/network artifacts.

17. Perform timeline analysis, file carving, binary inspection and log correlation.
18. Support or lead forensic investigations in collaboration with DFIR teams.

19. Preserve evidence per legal and chain of custody standards.

20. SIEM & EDR Content Engineering

21. Author and optimize correlation rules across

multiple SIEMs (Splunk, QRadar, Sentinel, etc.).

• Write and maintain threat detection rules (KQL, SPL, Sigma, AQL, etc.).
• Develop parsers, normalization logic, dashboards and data models.

• Tune rules to reduce false positives while maintaining efficacy.

• SOAR & Automation Development

• Architect advanced SOAR playbooks for IR, enrichment and notification.

• Write custom integrations using APIs or scripts (Python, PowerShell).
• Work with DevSecOps teams to expand automation coverage.

• Validate automated actions comply with customer SOPs and SLAs.

• Threat Intelligence Fusion

• Ingest and operationalize IOC, TTP and threat actor data from TI feeds (commercial + OSINT).

• Create enriched detection content using threat intel.
• Profile threat actors impacting customers and track campaigns.

• Recommend strategic threat mitigations based on actor behaviours.

• Detection & Visibility Gap Management

• Maintain matrix of covered vs uncovered attack techniques.

• Recommend log source onboarding for visibility improvement.
• Track telemetry coverage per customer and per data source.
• Maintain detection backlog based on threat landscape.

Security Architecture

Support

• Guide customers on optimal log source

configurations.

• Provide detection engineering input during

SIEM, EDR, cloud security deployments.

• Review and advise on network and endpoint

visibility architecture.

• Recommend sensor placement, retention,

parsing strategies.

1. Customer Facing Technical Leadership

2. Participate in high profile incident calls with customer security teams and executives.

3. Present RCA findings, containment status and future recommendations.
4. Customize threat detection based on customer assets, regulatory needs and threat models.

5. Attend monthly or quarterly review meetings as SME.

6. Policy, Compliance & Governance Support

7. Map detections to compliance needs (e.g., ISO 27001, PCI DSS, NIST

8. Create incident documentation suitable for audits.
9. Guide clients on SOC2 readiness, log retention, SIEM evidence practices.

10. Support regulator mandated reporting and breach notifications.

11. Tool Evaluation, Customization & Integration

12. Evaluate new tools: EDR, NDR, SOAR, UEBA, sandbox, threat intel.

13. Recommend based on detection maturity and integration capability.
14. Develop custom scripts, queries or API integrations.

15. Participate in POC testing and ROI analysis.

16. Shift Oversight & L2/L1 Mentorship

17. Act as escalation lead for complex investigations.

18. Review L2 work for quality, completeness and accuracy.
19. Mentor junior analysts, deliver training and coaching.
20. Approve playbooks, rule updates and escalation paths.

21. Maintain escalation documentation and shift SOPs.

22. Metrics, Reporting & RCA Documentation

.Generate detection performance metrics (MTTD, MTTR, FP rate, missed attack rate).

• Document full RCAs, timelines, attack chains and remediation plans.
• Develop and refine metrics dashboards for SOC leadership and customers.
• Participate in regular performance and maturity reviews.

15 Scripting & DevSecOps Automation

• Write scripts and tools to aid triage, data enrichment and detection tuning.
• Use Python, Bash, PowerShell for custom tooling.
• Integrate SOAR/SIEM with APIs, DBs, threat intel and asset systems.

16 Cloud Security Monitoring

• Analyse cloud native logs (AWS CloudTrail, Azure Activity, GCP logs).
• Implement and monitor cloud specific detections and misconfiguration alerts.
• Recommend CSPM configuration and visibility improvements.

• Map cloud events to MITRE ATT&CK (cloud tactics).

• MITRE ATT&CK & Threat Modeling

• Maintain and evolve ATT&CK Navigator heatmaps for customers.

• Use ATT&CK to map detection rules and hunting priorities.

• Track adversary behaviours to improve detection maturity.

• Ransomware & APT Readiness

• Develop response guides and detections for

ransomware families (example- Ryuk, Lockbit, etc.).

• Track APT actor campaigns and IOC sets.

• Lead tabletop exercises for ransomware/Apt preparedness.

• Threat Landscape Intelligence & Briefings

• Provide monthly/quarterly customer specific threat briefings.

• Summarize threat trends and emerging attacker TTPs.

• Recommend defences aligned with risk profile and industry.

• Knowledge Management & Documentation

• Contribute to internal runbooks, SOPs, playbooks and threat reports.

• Maintain shared knowledge base for advanced attacks.
• Update IR templates, hunt notebooks and detection libraries.

Category Skills / Tools

SIEM Platforms: Splunk, Microsoft Sentinel, QRadar, Elastic SIEM

Endpoint Detection & Response (EDR) CrowdStrike, Defender, SentinelOne, Carbon Black

SOAR & Automation: Cortex XSOAR, Splunk SOAR, Swimlane, ServiceNow

Threat Intelligence Platforms: (TIPs) MISP, Recorded Future, ThreatConnect, Anomali

Forensics & Analysis: Velociraptor, Autopsy, FTK Imager, Wireshark

Network Detection & Monitoring (NDR): Zeek, Suricata, Darktrace, Vectra, Corelight

Cloud Security Monitoring: AWS GuardDuty, Azure Defender, GCP SCC, Wiz

MITRE ATT&CK & Threat Modelling: ATT&CK Navigator, Atomic Red Team, CALDERA

Ticketing / Workflow Systems: ServiceNow, Jira, RTIR, Remedy

Reporting & Dashboarding: Kibana, Power BI, Grafana, Tableau

Scripting & Automation: Python, PowerShell, Bash, APIs, Regex

Data Formats & Parsing: JSON, XML, Syslog, CEF, LEEF

Security Framework Knowledge: MITRE ATT&CK, NIST CSF, ISO 27001, CIS

Soft Skills & Leadership Technical writing, RCA presentation, mentoring

Threat Hunting: Query building, behavioural analytics

Adversary Simulation / Purple Team: Atomic Red Team, Caldera, SCYTHE