This project is an introduction to understanding and triaging SOC alerts, which are notifications generated by a security solution when a specific event or sequence of events occurs.
The life cycle of an alert begins with an event, such as a user login, process launch, or file download, which is then logged by the system and shipped to a security solution.
SOC L1 analysts, who are the first line of defence, review the alerts and distinguish malicious activity from benign activity, notifying L2 analysts of any real threats.
SOC L2 analysts receive the alerts escalated by L1 analysts and perform deeper analysis and remediation.
Prioritizing alerts is crucial for timely detection of threats, and the most common approach is to filter and sort them by severity and date.
After reviewing the details of the alert, including its name, description, and key indicators, the analyst must determine if the alert is a true positive or a false positive.
This involves understanding the context, reviewing surrounding events, and using threat intelligence platforms or other resources to verify the analyst's hypothesis.
When closing the alert, the analyst writes a detailed comment explaining the analysis steps and the reasoning behind the verdict before moving the alert to the closed status.
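As an added example (not part of the original project), a small Python model of the triage flow described above: the queue is ordered by severity and then date, and the closure step records the verdict, the reasoning comment, and whether the alert is escalated to L2. The alert names, severities and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Severity ranking used to order the queue; a higher number is handled first.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Informational": 0}

@dataclass
class Alert:
    alert_id: int
    name: str
    severity: str
    created: datetime
    status: str = "Open"
    verdict: Optional[str] = None   # "True Positive" or "False Positive" once closed
    comment: str = ""
    escalated_to_l2: bool = False

def triage_queue(alerts):
    """Open alerts only, highest severity first, oldest first within a severity."""
    open_alerts = [a for a in alerts if a.status == "Open"]
    return sorted(open_alerts, key=lambda a: (-SEVERITY_RANK.get(a.severity, 0), a.created))

def close_alert(alert, verdict, comment, min_comment_len=40):
    """Record verdict and reasoning, escalate true positives to L2, reject thin comments."""
    if verdict not in ("True Positive", "False Positive"):
        raise ValueError(f"unknown verdict {verdict!r}")
    if len(comment.strip()) < min_comment_len:
        raise ValueError("closing comment must document analysis steps and verdict reasoning")
    alert.verdict = verdict
    alert.comment = comment.strip()
    alert.escalated_to_l2 = verdict == "True Positive"
    alert.status = "Closed"
    return alert

# Constructed sample alerts (not taken from any real security solution).
SAMPLE_ALERTS = [
    Alert(1, "Multiple failed logins", "Medium", datetime(2024, 5, 1, 9, 0)),
    Alert(2, "Unusual process launch", "Critical", datetime(2024, 5, 1, 9, 30)),
    Alert(3, "Suspicious file download", "High", datetime(2024, 5, 1, 8, 45)),
    Alert(4, "Office document spawned a shell", "High", datetime(2024, 5, 1, 8, 15)),
    Alert(5, "Port scan from internal host", "Low", datetime(2024, 5, 1, 7, 0), status="Closed"),
]

if __name__ == "__main__":
    for a in triage_queue(SAMPLE_ALERTS):
        print(a.alert_id, a.severity, a.created.isoformat(), a.name)
```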