Advanced · 15 terms

SOC & Security Operations

SIEM, alert triage and enrichment, IOC vs IOA, threat hunting, TTPs, SOAR playbooks, and STIX/TAXII: security operations and threat intelligence vocabulary for blue team engineers.

  • SIEM /siːm/

    Security Information and Event Management — a platform that aggregates, normalises, and correlates log data from across the environment in real time, generating alerts when patterns match detection rules. Examples: Splunk, Elastic SIEM, Microsoft Sentinel.

    "The SIEM ingests 2 billion events per day from 400 log sources — firewalls, endpoints, cloud APIs. Our detection engineering team maintains 340 active correlation rules."
  • Detection Rule / Correlation Rule /dɪˈtekʃən ruːl/

    A logic expression in the SIEM that triggers an alert when events match a defined pattern — e.g., 5 failed logins followed by a success from the same IP within 60 seconds (credential stuffing signature).

    "We wrote a new detection rule for the LSASS memory dump TTP: any process opening a handle to lsass.exe with PROCESS_VM_READ that is not a known AV process triggers a Priority 1 alert."
  • UEBA /juːbə/

    User and Entity Behaviour Analytics — uses statistical baselines and ML to detect anomalous behaviour patterns (e.g., a user suddenly downloading 10x their normal data volume) that rule-based detection would miss.

    "UEBA flagged the insider threat that our rules missed — the employee's activity pattern was individually normal but statistically anomalous compared to their peer group's baseline."
  • Alert Triage /əˈlɜːrt ˈtriːɑːʒ/

    The process of evaluating incoming security alerts to prioritise and classify them: true positive, false positive, benign true positive. Determines which alerts need immediate action and which can be suppressed or tuned.

    "Our Tier 1 analysts triage 400 alerts per day. The triage process: enrich the alert with IP reputation, user context, and asset criticality — then classify as TP/FP/BTP within 10 minutes of receipt."
  • False Positive /fɔːls ˈpɒzɪtɪv/

    An alert that fires when no actual threat exists — the system flagged benign activity as malicious. High false positive rates cause alert fatigue and desensitise analysts to real threats.

    "The new detection rule is generating 200 false positives per day — our vulnerability scanner's IP triggers the portscan rule. We need to add an exclusion for known scanner IPs."
  • False Negative /fɔːls ˈneɡətɪv/

    A real attack that does not trigger any alert — the threat actor's activity was not detected by existing rules. The most dangerous outcome in a SOC: missed detections mean the dwell time increases.

    "The red team exercise revealed a false negative in our detection coverage — exfiltration over DNS tunnelling didn't trigger any alert. We've now written a rule for abnormally large DNS query sizes."
  • Alert Enrichment /əˈlɜːrt ɪnˈrɪtʃmənt/

    Adding context to a raw alert before analysis — resolving IP addresses to geolocation/reputation, mapping user accounts to HR data, correlating with recent vulnerability scan results and asset criticality scores.

    "Auto-enrichment adds IP reputation score, ASN, previous incidents from the same IP, and the asset's business criticality before the alert reaches a Tier 1 analyst — cutting average triage time from 12 to 4 minutes."
  • IOC (Indicator of Compromise) /aɪ oʊ siː/

    A forensic artefact — such as a specific IP address, domain, file hash, or registry key — that indicates a system has been compromised. IOCs are discovered after an incident and used for retrospective detection and blocking.

    "The threat intel feed pushed 340 new IOCs from the recent campaign — file hashes for the dropper and C2 domain names. We ingested them into the SIEM and EDR for blocking and retrospective search."
  • IOA (Indicator of Attack) /aɪ oʊ eɪ/

    A behavioural pattern indicating an attack in progress — defined by what an attacker is doing (e.g., attempting lateral movement) rather than the specific artefacts they use. IOAs detect attacks before compromise and are harder to evade by changing tools.

    "Our EDR uses IOAs rather than just IOCs — instead of looking for a known malware hash, it flags any process that injects code into a browser process and then makes an outbound HTTPS connection to a new domain."
  • Threat Hunting /θret ˈhʌntɪŋ/

    A proactive, hypothesis-driven search for threats that have bypassed automated detection. A human analyst formulates a hypothesis about attacker behaviour and queries the data to find evidence — or confirms its absence.

    "Hypothesis: an adversary may be using living-off-the-land binaries for lateral movement. I queried for PowerShell processes spawned by Office applications and found 3 endpoints with suspicious WMI activity."
  • TTP (Tactics, Techniques, and Procedures) /tiː tiː piː/

    A classification of attacker behaviour from the MITRE ATT&CK framework. Tactics are the goal (e.g., Privilege Escalation); Techniques are the method (e.g., Pass-the-Hash); Procedures are the specific implementation the adversary uses.

    "The threat actor used TTP T1003.001 — OS Credential Dumping: LSASS Memory. Mapping attacker behaviour to ATT&CK TTPs lets us assess our detection coverage systematically."
  • SOAR /sɔːr/

    Security Orchestration, Automation, and Response — a platform that automates repetitive SOC tasks (enrichment, blocking, ticket creation) and orchestrates analyst workflows via playbooks, reducing mean time to respond.

    "Our SOAR automatically enriches every P1 alert, creates a JIRA ticket, pages the on-call analyst, and blocks the offending IP in the firewall — all within 90 seconds of alert generation, without human intervention."
  • Playbook / Runbook /ˈpleɪbʊk/

    A documented or automated procedure for responding to a specific type of security incident. A playbook defines decision logic ("if IOC is high confidence, block automatically"); a runbook is the step-by-step procedure a human follows.

    "The phishing playbook: (1) auto-enrich sender domain, (2) if domain reputation < 30, auto-quarantine all copies organisation-wide, (3) extract all URLs, (4) query sandbox, (5) if malicious, trigger the endpoint containment runbook."
  • Threat Intelligence Feed /θret ɪnˈtelɪdʒəns fiːd/

    A real-time or regularly updated data stream of IOCs, TTPs, and threat actor profiles from commercial providers, government sharing platforms (ISACs), or open-source communities.

    "We subscribe to 4 threat intel feeds: one commercial feed for financial sector threats, one ISAC feed for critical infrastructure IOCs, and two open-source feeds (AlienVault OTX, Abuse.ch). Feed quality review happens monthly."
  • STIX / TAXII /stɪks ˈtæksi/

    STIX (Structured Threat Information eXpression) is a standard format for representing threat intelligence objects. TAXII (Trusted Automated eXchange of Intelligence Information) is the transport protocol for sharing STIX data between organisations.

    "Our threat intelligence platform ingests STIX 2.1 objects over TAXII 2.1 from the ISAC. The STIX objects include Campaign, Malware, Indicator, and CourseOfAction — all parseable without manual analyst intervention."