5.1 A Day in the Life of a SOC Analyst
Welcome to the module for A Day in the Life of a SOC Analyst.
In the last video, we discussed different SIEM vendors and tools and how they're utilized.
Then we went over a lab that showed you how to create SIEM reports with one of the vendor tools.
In this video, we'll go into a day in the life of a SOC analyst.
So first, it's important to understand threat assessment.
There are certain thresholds and rules you can set in your SIEM software and even in your native system, kind of like we filtered events out in the Manual Vulnerability Assessment Lab
in order to avoid looking at extraneous events or system noise that might not matter.
For example, you may not care about three missed password attempts because, honestly, how many times have you entered an incorrect password multiple times?
Getting an alert every time a user enters their password incorrectly a few times would create a lot of unnecessary noise, especially on larger networks.
However, we may care about 10 incorrectly entered passwords because that might indicate a larger issue, or signal an attempted brute force attack.
Knowing what rules to set and what thresholds to uphold is an important part of this role.
Another important day to day activity is investigating.
Everything a system does creates a log; each of these logs has a number, code, account name, timestamp, et cetera.
You can query for certain logs if you want to know more about an event, or check for logs within a certain time frame if you need to view other events logged surrounding a target event, et cetera.
Knowing which codes and events are related to others, or being able to assess temporal relation, is super helpful when it comes to successfully investigating an alert.
All right, so we have an event code. Now what?
From there, once you've begun your investigation, you'll have to begin to examine
what the event code is and what it signals.
Let's go with the previous example, entering incorrect passwords. For example,
the Windows event code for a failed logon is 4625.
If you see one or two of those codes, you'll recognize them and be able to say, OK, maybe someone entered the incorrect password or is having a bad day and can't remember theirs, et cetera.
However, if you see that code repeatedly in a short time frame, say 10 to 15 times, you may want to investigate further;
the frequency of a seemingly benign code can make a situation suddenly less innocuous.
This is where interpretation comes in. You need to look at these items and say, Is this a real threat?
Then we can begin to correlate events.
You already have alarm bells ringing in your head saying, OK,
I know this code means failed logon, but is a legitimate user failing to log on that many times?
Sure, this code has sprung up before, and obviously people have failed to log on before.
But at what point does it go from being a legitimate activity to something with malicious intent?
Being able to look at events, and the frequency and time in which they occur, can provide huge clues in your investigation.
At this point, you may want to potentially escalate the activity for further investigation
in a SOC. As a beginner, you'll most likely start as a Tier 1 analyst, doing triage as we just discussed and determining when an item needs further, more advanced review.
Tier 2 will be an incident responder. Generally,
this team will usually try to determine the root cause of the event and initiate remediation and recovery efforts if needed.
Tier 3, the threat hunters, will generally provide support for incident response as well as proactively conduct pen tests and other vulnerability assessments.
Tier 4 will be your SOC manager,
who will direct and monitor activity and communicate as needed to executive leadership.
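The failed-logon threshold and time-window reasoning from this lecture, as an added example that is not part of the original lesson: a small detector that counts Windows 4625 (failed logon) events per account inside a sliding window and notes whether a 4624 (successful logon) followed the burst. The log lines and the CSV-style layout are constructed for the example; the threshold and window are assumed tuning values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): timestamp,event_id,account,source_ip
SAMPLE_LOGS = """\
2024-05-01T09:00:01,4625,alice,10.0.0.5
2024-05-01T09:00:04,4625,alice,10.0.0.5
2024-05-01T09:00:09,4624,alice,10.0.0.5
2024-05-01T09:10:00,4625,bob,10.0.0.7
2024-05-01T09:10:01,4625,bob,10.0.0.7
2024-05-01T09:10:02,4625,bob,10.0.0.7
2024-05-01T09:10:03,4625,bob,10.0.0.7
2024-05-01T09:10:04,4625,bob,10.0.0.7
2024-05-01T09:10:05,4625,bob,10.0.0.7
2024-05-01T09:10:06,4625,bob,10.0.0.7
2024-05-01T09:10:07,4625,bob,10.0.0.7
2024-05-01T09:10:08,4625,bob,10.0.0.7
2024-05-01T09:10:09,4625,bob,10.0.0.7
2024-05-01T09:10:11,4624,bob,10.0.0.7
"""

FAILED_LOGON = "4625"   # Windows: an account failed to log on
SUCCESS_LOGON = "4624"  # Windows: an account was successfully logged on

def parse(lines):
    """Yield (timestamp, event_id, account, source_ip) from the constructed format."""
    for line in lines.splitlines():
        ts, eid, acct, ip = line.split(",")
        yield datetime.fromisoformat(ts), eid, acct, ip

def find_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return one alert per account that reaches `threshold` failed logons
    within a sliding `window`. Two or three failures (alice) never fire; a
    burst of ten (bob) does. A success after the burst is flagged because a
    brute-force attempt that ends in a 4624 is the one to escalate first."""
    recent = defaultdict(deque)  # account -> timestamps of failures in window
    alerts = {}
    for ts, eid, acct, ip in parse(lines):
        if eid == SUCCESS_LOGON and acct in alerts:
            alerts[acct]["success_after_burst"] = True
        if eid != FAILED_LOGON:
            continue
        q = recent[acct]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and acct not in alerts:
            alerts[acct] = {"first": q[0].isoformat(), "last": ts.isoformat(),
                            "count": len(q), "source_ip": ip,
                            "success_after_burst": False}
    return alerts
```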
Now for a learning check.
What are the main activities of a SOC analyst?
1. Threat hunting, digital forensics, incident response.
2. Threat assessment, investigation, event correlation and escalation.
3. Pentesting, ethical hacking, system hardening and evaluation.
The correct answer is 2: threat assessment, investigation, event correlation and escalation.
While the other activities are important for
normal operation in a SOC, they're not necessarily the correct activities for a SOC analyst, especially in an entry level position.
In today's brief lecture, we discussed what the normal day to day activities of a SOC analyst might look like.
Thanks for joining me for Introduction to SIEM Tools, and I hope to see you next time.