5.1 A Day in the Life of a SOC Analyst
Difficulty
Beginner
Video Transcription
00:00
Welcome to the module on a day in the life of a SOC analyst.
00:06
In the last video, we discussed different SIEM vendors and tools and how they're utilized.
00:11
Then we went over a lab that showed you how to create SIEM reports with one of the vendor tools.
00:16
In this video, we'll go into a day in the life of a SOC analyst.
00:22
So first, it's important to understand threat assessment.
00:26
There are certain thresholds and rules you can set on your SIEM software, and even in a native system, kind of like we filtered events out in the Manual Vulnerability Assessment Lab
00:35
in order to avoid looking at extraneous events or system noise that might not matter.
00:40
For example, you may not care about three missed password attempts because, honestly, how many times have you entered an incorrect password multiple times?
00:48
Getting an alert every time a user enters their password incorrectly a few times would create a lot of unnecessary noise, especially on larger networks.
00:55
However, we may care about 10 incorrectly entered passwords because that might indicate a larger issue, or signal an attempted brute force attack.
01:03
Knowing what rules to set and what thresholds to uphold is an important part of this role.
01:11
Another important day-to-day activity is investigating.
01:14
Everything a system does creates a log. Each of these logs has a number, code, account name, timestamp, et cetera.
01:21
You can query for certain logs if you want to know more about an event, or check for logs within a certain time frame if you need to view other events logged surrounding a target event, et cetera.
01:30
Knowing which codes and events are related to others, or being able to assess temporal relation, is super helpful when it comes to successfully investigating an alert.
01:42
All right, so we have an event code. Now what?
01:46
From there, once you've begun your investigation, you'll have to begin to examine
01:49
what the event code is and what it signals.
01:53
Let's go with the previous example, entering incorrect passwords. For example,
01:57
the Windows event code for a failed logon is 4625.
02:02
If you see one or two of those codes, you'll recognize them and be able to say, OK, maybe someone entered the incorrect password or is having a bad day and can't remember theirs, et cetera.
02:14
However, if you see that code repeatedly in a short time frame, say 10 to 15 times, you may want to investigate further;
02:21
the frequency of a seemingly benign code can make a situation suddenly less innocuous.
02:25
This is where interpretation comes in. You need to look at these items and say, is this a real threat?
02:32
Then we can begin to correlate events.
02:36
You already have alarm bells ringing in your head saying, okay,
02:38
I know this code means failed logon, but is a legitimate user failing to log on that many times?
02:45
Sure, this code has sprung up before, and obviously people have failed to log on before.
02:49
But at what point does it go from being legitimate activity to something with malicious intent?
02:53
Being able to look at events, and the frequency and time in which they occur, can provide huge clues in your investigation.
03:01
At this point, you may want to potentially escalate the activity for further investigation
03:07
in a SOC. As a beginner, you'll most likely start as a tier one analyst, conducting triage as we just discussed and determining when an item needs further, more advanced review.
03:17
Tier two will be an incident responder. Generally,
03:21
this team will usually try to determine the root cause of the event and initiate remediation and recovery efforts if needed.
03:29
Tier three, the threat hunters, will generally provide support for incident response as well as proactively conduct pen tests and other vulnerability assessments.
03:38
Tier four will be your SOC manager,
03:39
who will direct and monitor activity and communicate as needed to executive leadership.
03:46
Now for a learning check.
03:49
Question:
03:50
What are the main activities of a SOC analyst?
03:53
One: threat hunting, digital forensics, incident response.
03:58
Two: threat assessment, investigation, event correlation, and escalation.
04:02
Or three: pen testing, ethical hacking, system hardening, and evaluation.
04:13
The correct answer is two: threat assessment, investigation, event correlation, and escalation.
04:19
While the other activities are important for
04:21
normal operation in a SOC, they're not necessarily the correct activities for a SOC analyst, especially in the entry-level position.
04:32
In today's brief lecture, we discussed what the normal day-to-day activities of a SOC analyst might look like.
04:39
Thanks for joining me for Introduction to SIEM Tools, and I hope to see you next time.
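The lecture's point about thresholds (a few failed logons are noise, ten in a short window are worth escalating) is the kind of rule a SIEM correlates for you. As an added example, not part of the course or any vendor tool, the Python below applies that rule to a handful of constructed Windows Security events: it ignores every code except 4625 (failed logon), keeps a sliding window of failures per account and source address, and raises one alert when the count inside the window reaches the threshold. The pipe-delimited record layout, the field names, the account names and IP addresses, and the default of 10 failures in 5 minutes are all assumptions made for this example.

```python
"""Threshold-based detection of repeated Windows 4625 (failed logon) events.

Added example for the lecture above; not course material or a vendor rule.
Event lines are constructed here, and the record layout, field names and the
10-in-5-minutes default are assumptions chosen to illustrate the idea.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625   # Windows Security log: "An account failed to log on"
SUCCESS_LOGON = 4624  # Windows Security log: "An account was successfully logged on"


def parse_event(line):
    """Parse one constructed 'time|event_id|account|source' line into a dict."""
    ts, event_id, account, source = line.split("|")
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "account": account,
        "source": source,
    }


def detect_brute_force(lines, threshold=10, window=timedelta(minutes=5)):
    """Alert when an (account, source) pair hits `threshold` 4625s within `window`.

    A sliding window per pair means a few failures scattered over a day never
    alert, while a burst does. One alert per pair, raised the moment the
    threshold is crossed, so a long burst does not flood the analyst.
    """
    recent = defaultdict(deque)   # (account, source) -> timestamps in window
    alerted = set()
    alerts = []
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    for ev in events:
        if ev["event_id"] != FAILED_LOGON:
            continue   # benign codes are filtered out before counting
        key = (ev["account"], ev["source"])
        q = recent[key]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()   # drop failures that fell out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"account": key[0], "source": key[1],
                           "count": len(q), "first": q[0], "last": ev["time"]})
    return alerts


def build_sample_log():
    """Constructed sample: one user with a few typos, one account under attack."""
    lines = [
        # alice: two typos, a success, then one more failure hours later -> noise
        "2024-03-04T08:01:10|4625|alice|10.0.0.5",
        "2024-03-04T08:01:25|4625|alice|10.0.0.5",
        "2024-03-04T08:01:40|4624|alice|10.0.0.5",
        "2024-03-04T11:30:00|4625|alice|10.0.0.5",
    ]
    # svc_backup: twelve failures in under two minutes from one address -> alert
    lines += [f"2024-03-04T13:00:{i * 8:02d}|4625|svc_backup|203.0.113.7" for i in range(8)]
    lines += [f"2024-03-04T13:01:{i * 8:02d}|4625|svc_backup|203.0.113.7" for i in range(4)]
    return lines


if __name__ == "__main__":
    for alert in detect_brute_force(build_sample_log()):
        print(f"ALERT {alert['account']} from {alert['source']}: "
              f"{alert['count']} failed logons between {alert['first']} and {alert['last']}")
```

With the defaults, alice's three failures never alert and svc_backup trips the rule on its tenth failure. Lowering the threshold to 3 and widening the window to four hours, the same input also flags alice, which is the tuning trade-off the lecture describes: tighter rules catch more, at the cost of noise on a large network.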