SOC Operations Language

6 exercise sets · Day-to-day SOC analyst vocabulary: SIEM operations, alert triage, threat hunting, threat intelligence, SOAR automation, and team communication.

Frequently Asked Questions

What does "alert triage" mean in a SOC context?

Alert triage is the process of reviewing incoming security alerts, determining their severity and validity, and deciding the appropriate response. A SOC analyst classifies each alert as a true positive, false positive, or benign true positive before escalating or closing the ticket.

What is a SIEM and what language do analysts use when working with it?

A SIEM (Security Information and Event Management) platform aggregates and correlates log data from across an organisation's infrastructure. Analysts speak of "onboarding log sources", "tuning correlation rules", "reducing false positive rates", and "raising detections" when discussing day-to-day SIEM operations.

How do SOC analysts describe the threat hunting process in English?

Threat hunters typically say they are "forming a hypothesis", "pivoting on an IOC (Indicator of Compromise)", "mapping TTPs to the MITRE ATT&CK framework", and "documenting hunt findings". A completed hunt cycle ends with a hunt report that either confirms or refutes the initial hypothesis.

What is the difference between an IOC and an IOA?

An Indicator of Compromise (IOC) is evidence that a system has already been breached — such as a malicious IP address or file hash. An Indicator of Attack (IOA) describes attacker behaviour in progress, focusing on intent and technique rather than artefacts left behind.
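To make the IOC/IOA distinction concrete, here is an added example (not from the original page) that runs an artefact-based IOC match and a behaviour-based IOA rule over constructed process telemetry; the indicator values, host names and the "office app spawns interpreter" rule are all assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed indicators (placeholders, not real intelligence).
IOC_IPS = {"203.0.113.45"}          # TEST-NET-3 documentation range
IOC_HASHES = {"0" * 63 + "1"}       # placeholder SHA-256
# Behavioural rule (an IOA): an office application spawning a shell or
# script interpreter, whatever binary or address is involved.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe"}

@dataclass
class Event:
    host: str
    parent: str      # parent process image name
    process: str     # child process image name
    dest_ip: str = ""
    sha256: str = ""

def ioc_matches(ev: Event) -> list[str]:
    """Artefact match: the event carries a known-bad value."""
    hits = []
    if ev.dest_ip in IOC_IPS:
        hits.append(f"ioc:ip:{ev.dest_ip}")
    if ev.sha256 in IOC_HASHES:
        hits.append(f"ioc:hash:{ev.sha256[:8]}")
    return hits

def ioa_matches(ev: Event) -> list[str]:
    """Behaviour match: the parent/child relationship is itself suspicious."""
    if ev.parent.lower() in OFFICE_APPS and ev.process.lower() in INTERPRETERS:
        return [f"ioa:office-spawns-interpreter:{ev.parent}->{ev.process}"]
    return []

def classify(events: list[Event]) -> dict[str, list[str]]:
    """Per-host detection reasons; an empty list means nothing fired."""
    out: dict[str, list[str]] = {}
    for ev in events:
        out.setdefault(ev.host, []).extend(ioc_matches(ev) + ioa_matches(ev))
    return out

# Constructed sample telemetry: one IP hit, one behaviour hit, one hash hit, one clean.
EVENTS = [
    Event("ws01", "explorer.exe", "chrome.exe", dest_ip="203.0.113.45"),
    Event("ws02", "winword.exe", "powershell.exe", dest_ip="198.51.100.9"),
    Event("ws03", "explorer.exe", "notepad.exe", sha256="0" * 63 + "1"),
    Event("ws04", "explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    print(classify(EVENTS))
```

Note that ws02 fires only on behaviour: its destination address is on no list, which is exactly the case an IOC-only detection misses.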

What English phrases are used during incident escalation?

Common escalation phrases include "I'm escalating this to Tier 2 due to lateral movement indicators", "this meets our P1 severity threshold", "I'm raising a major incident", and "please stand by for a sitrep". Clear, concise language is critical to avoid confusion during high-pressure incidents.

What does SOAR stand for and how is it discussed in SOC communications?

SOAR stands for Security Orchestration, Automation, and Response. SOC teams talk about "triggering a playbook", "automating enrichment steps", "reducing MTTR (Mean Time to Respond)", and "integrating connectors" when describing how SOAR platforms streamline repetitive analyst tasks.

How do analysts communicate during a shift handoff?

A structured shift handoff typically uses the SBAR format — Situation, Background, Assessment, Recommendation. The outgoing analyst summarises open incidents, ongoing investigations, and any pending actions so the incoming team can continue without loss of context.

What vocabulary is used when discussing threat intelligence feeds?

Analysts refer to "subscribing to threat feeds", "ingesting STIX/TAXII data", "attributing activity to a threat actor", and "sharing intelligence via an ISAC". Feeds are evaluated on timeliness, fidelity, and relevance to the organisation's industry sector.

What does "containment" mean in incident response language?

Containment refers to actions taken to limit the spread of a threat before full remediation. Analysts distinguish between "short-term containment" (isolating an endpoint) and "long-term containment" (applying network segmentation or credential resets) while preserving forensic evidence.

Why is precise English communication important for non-native SOC analysts?

SOC teams often operate across international shifts and hand off critical incident data to colleagues, management, and third-party responders. Ambiguous language in escalation notes or sitreps can delay response times, so non-native speakers benefit greatly from mastering the specific vocabulary and phrasing conventions of security operations.