SOC L1 Analyst Workbook

Real-time security operations and incident response


Threat Intelligence

Recent Threat Campaigns

BlackCat Ransomware (Active)

Targeting financial services with phishing emails containing malicious Excel documents. Uses PowerShell to download a secondary payload.

First seen: 2025-11-01

APT41 Activity (Active)

Targeting the healthcare sector with spear-phishing and exploitation of VPN vulnerabilities. Uses custom malware for persistence.

First seen: 2025-10-28

BEC Campaign (Active)

Sophisticated business email compromise targeting executives. Uses spoofed email domains and invoice-themed lures.

First seen: 2025-11-03

Threat Hunting Queries

PowerShell Execution

Splunk
index=windows EventCode=4688 (Process_Command_Line="*powershell*" AND Process_Command_Line="*encode*") OR (Process_Command_Line="*powershell*" AND Process_Command_Line="*bypass*") | stats count by host, user

Brute Force Detection

KQL
SecurityEvent | where EventID == 4625 | summarize count() by TargetUserName, IpAddress | where count_ > 5

Unusual Outbound Traffic

Splunk
index=network sourcetype=firewall action=allowed | stats sum(bytes) as total_bytes by src_ip, dest_ip | where total_bytes > 100000000
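The brute-force rule (KQL) and the PowerShell rule (Splunk) above can be rehearsed offline before they go into the SIEM. The block below is an added example, not part of the workbook: it re-implements both rules in plain Python over constructed Windows security events, and assumes the field names of a typical Windows event forwarder (EventID, TargetUserName, IpAddress, Computer, SubjectUserName, CommandLine), which may differ from your own log schema.

```python
"""Offline rehearsal of two hunting queries from the workbook:
 - failed logons (4625) grouped by user and source IP, flag > threshold
 - process creation (4688) where a powershell command line contains
   'encode' or 'bypass', counted by host and user.
Events below are constructed for the example, not real telemetry."""
from collections import Counter

# Constructed sample events (field names are an assumption about the forwarder)
SAMPLE_EVENTS = [
    {"EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.9"}
    for _ in range(6)
] + [
    {"EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "bob",
     "CommandLine": "powershell.exe -EncodedCommand SQBFAFgA..."},
    {"EventID": 4688, "Computer": "WS02", "SubjectUserName": "carol",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File deploy.ps1"},
    {"EventID": 4688, "Computer": "WS03", "SubjectUserName": "dave",
     "CommandLine": "powershell.exe Get-Date"},
]


def brute_force_candidates(events, threshold=5):
    """KQL rule: count EventID 4625 by (TargetUserName, IpAddress) and
    return only the pairs whose count exceeds the threshold (count_ > 5)."""
    counts = Counter(
        (e["TargetUserName"], e["IpAddress"])
        for e in events if e.get("EventID") == 4625
    )
    return {pair: n for pair, n in counts.items() if n > threshold}


def suspicious_powershell(events):
    """Splunk rule: 4688 events whose command line contains 'powershell'
    together with 'encode' or 'bypass', counted by (host, user)."""
    hits = Counter()
    for e in events:
        if e.get("EventID") != 4688:
            continue
        cmd = e.get("CommandLine", "").lower()
        if "powershell" in cmd and ("encode" in cmd or "bypass" in cmd):
            hits[(e.get("Computer"), e.get("SubjectUserName"))] += 1
    return dict(hits)


if __name__ == "__main__":
    print(brute_force_candidates(SAMPLE_EVENTS))   # svc_backup from 10.0.0.9 (6)
    print(suspicious_powershell(SAMPLE_EVENTS))    # bob on WS01, carol on WS02
```

The single failed logon for alice and the plain Get-Date invocation stay below the rules' thresholds, which is the behaviour you want to confirm before tuning the count cutoff for your environment.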

SOC Analyst Role & Responsibilities

Level 1 Analyst Core Functions

  • Monitor security alerts and events in real-time
  • Perform initial triage and analysis of security incidents
  • Categorize and prioritize alerts according to established criteria
  • Verify true positives and document findings
  • Escalate incidents according to defined procedures
  • Maintain accurate documentation of all activities
  • Participate in shift handovers and knowledge sharing

Alert Triage Process

  1. Alert Receipt - Acknowledge the alert in the system
  2. Initial Review - Quickly assess the alert details
  3. Context Gathering - Collect related information about the affected system/user
  4. Analysis & Validation - Determine if the alert is a true positive
  5. Determination & Prioritization - Assess severity and priority
  6. Documentation - Record all findings and actions
  7. Resolution or Escalation - Resolve if within scope or escalate to L2/L3

Escalation Criteria

Escalate incidents to L2/L3 when:

  • Confirmed data breach or exfiltration
  • Active exploitation of critical vulnerabilities
  • Malware that has spread to multiple systems
  • Incidents affecting critical business systems
  • Complex incidents requiring specialized knowledge
  • Incidents with potential regulatory impact
  • Targeted attacks against the organization
