Hi @splunky_diamond, the normal activity flow for a SOC Analyst is the following: there is a defined monitoring perimeter and some Correlation Searches that monitor the above perimeter to find some possible threat. If one or more CS trigger an alert, it creates a Notable. I think that an email notification can be useful only for night monitoring, because during the day the SOC Analysts should be always connected to ES.

When a Notable is triggered (a Notable is one or more events that match a condition to check, not a security incident!), a SOC Analyst takes charge of the Notable and investigates it using the investigation panels and eventually his/her own searches. He/she could also use the other ES dashboards, even if I never saw this!

Based on the investigation, the SOC Analyst defines if: it's a real security incident, it's a false positive, or the Notable requires an escalation for a deeper check. If it's a false positive, the SOC Analyst closes the case, eventually adding a suppression rule. If the Notable requires an escalation check, the SOC Analyst passes the case following the indication of the related playbook. If it's a real security incident, the SOC Analyst applies the predefined playbook actions or passes the activity to the colleagues enabled to intervene.

This is a general flow, and it depends on the internal processes of the SOC.

Only one additional piece of information: if (as usual) in your SOC there are few SOC Analysts, it could be a good idea not to associate a Notable to a Correlation Search but a Risk Score addition; in this way the SOC Analyst is informed with a delay of a threat, but the SOC has to manage fewer Notables. In other words, if there are three SOC Analysts and the SOC receives 10,000 Notables/day, they cannot check all of them.

Ciao.
Giuseppe
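The trade-off Giuseppe describes at the end of his answer (one Notable per Correlation Search hit versus adding a Risk Score per entity and opening a Notable only when the accumulated risk crosses a threshold) is easy to see on a small simulation. The following is an added example, not part of the original post and not Splunk's or ES's own code: the Correlation Search names, the risk values, the threshold of 100 and the sample hits are all constructed assumptions chosen to illustrate the effect on analyst workload.

```python
"""Simulation of "Notable per hit" versus "Risk Score addition" alerting.

Added example (not from the original post or from Splunk ES). Correlation
Search names, risk values and the threshold are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    entity: str    # user or host the Correlation Search matched (constructed)
    cs_name: str   # Correlation Search name (constructed, not a real ES rule)
    risk: int      # risk score this CS would add to the entity (assumed)


# Constructed sample of one day's CS matches: lots of low-value noise spread
# over many hosts, plus one host (host-07) that keeps accumulating hits.
SAMPLE_HITS = [
    *[Hit(f"host-{i:02d}", "Excessive DNS Queries", 10) for i in range(40)],
    *[Hit(f"host-{i:02d}", "Port Scan Detected", 20) for i in range(15)],
    Hit("host-07", "New Service Installed", 30),
    Hit("host-07", "Credential Dumping Tool Seen", 50),
    Hit("host-07", "Outbound to Rare Domain", 30),
    Hit("user-alice", "Login from New Country", 25),
]


def notable_per_hit(hits):
    """Strategy 1: every Correlation Search match creates its own Notable."""
    return [f"{h.cs_name} on {h.entity}" for h in hits]


def risk_based_notables(hits, threshold):
    """Strategy 2: each CS match only adds risk to its entity.

    A Notable is created the first time an entity's accumulated risk reaches
    the threshold; the contributing CS names are attached so the analyst sees
    the whole chain instead of one isolated event.
    """
    risk = defaultdict(int)
    contributing = defaultdict(list)
    notables = []
    for h in hits:
        before = risk[h.entity]
        risk[h.entity] += h.risk
        contributing[h.entity].append(h.cs_name)
        # Fire only on the crossing, not on every later hit above threshold.
        if before < threshold <= risk[h.entity]:
            notables.append((h.entity, risk[h.entity], list(contributing[h.entity])))
    return notables


def workload_summary(hits, threshold=100):
    """Number of Notables an analyst team would have to triage under each strategy."""
    return {
        "per_hit": len(notable_per_hit(hits)),
        "risk_based": len(risk_based_notables(hits, threshold)),
    }


if __name__ == "__main__":
    print(workload_summary(SAMPLE_HITS))
    for entity, score, chain in risk_based_notables(SAMPLE_HITS, 100):
        print(entity, score, " -> ".join(chain))
```

On the constructed data the per-hit strategy produces 59 Notables, while the risk-based strategy produces a single Notable for host-07 carrying the four Correlation Searches that led to it. That is the delay Giuseppe mentions (the first three hits on host-07 alone raise nothing) traded against a queue the team can actually work through; the threshold and the per-rule risk values are the knobs a SOC tunes to its own analyst capacity.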