SOC Operations¶
6. SECURITY OPERATIONS CENTER (SOC) PROCEDURES¶
The Abhavtech SOC operates 24x7x365 in a follow-the-sun model with 12 SOC analysts (4 analysts per shift) providing continuous monitoring, incident triage, and response.
6.1 SOC Organization & Staffing¶
┌──────────────────────────────────────────────────────────────────┐
│ ABHAVTECH SOC STRUCTURE │
├──────────────────────────────────────────────────────────────────┤
│ │
│ SOC Lead │
│ ──────── │
│ (1 FTE, Day Shift NJ) │
│ │
│ ┌──────────────────┴──────────────────┐ │
│ │ │ │
│ L2 Analysts (6 FTEs) L1 Analysts (6 FTEs) │
│ ────────────────── ────────────────── │
│ • Incident Investigation • Alert Triage │
│ • Threat Hunting • Event Correlation │
│ • Escalation to Security Mgr • XDR Case Creation │
│ • 3+ years experience • 1-2 years experience │
│ │
│ SHIFT SCHEDULE (24x7 Coverage): │
│ ─────────────────────────────────────── │
│ Shift 1: 06:00-14:00 GMT (NJ) → 2 L1 + 2 L2 │
│ Shift 2: 14:00-22:00 GMT (London) → 2 L1 + 2 L2 │
│ Shift 3: 22:00-06:00 GMT (Mumbai) → 2 L1 + 2 L2 │
│ │
│ ESCALATION PATH: │
│ ──────────────── │
│ L1 Analyst → L2 Analyst → SOC Lead → Security Manager → CISO │
│ │
│ SHIFT HANDOFF: │
│ ───────────── │
│ • 30-minute overlap (shift change) │
│ • Handoff notes in ServiceNow (open incidents, ongoing hunts) │
│ • Webex Teams shift channel (real-time updates) │
│ │
└──────────────────────────────────────────────────────────────────┘
SOC Analyst Skill Matrix:
| Skill | L1 Analyst (Entry) | L2 Analyst (Senior) | SOC Lead | Required Training |
|---|---|---|---|---|
| XDR Platform (SecureX) | Triage alerts, create cases | Investigate cases, tune playbooks, threat response | Architect playbooks, mentor team, escalate to vendor | Cisco SecureX certification (40 hours) |
| SIEM (Splunk) | Read dashboards, run saved searches | Write SPL queries, create alerts, correlate events | Architect dashboards, optimize performance, manage licenses | Splunk Core Certified User (L1), Power User (L2), Admin (Lead) |
| Endpoint (AMP) | Review detections, isolate endpoints | Orbital forensics, trajectory analysis, custom IOC lists | Manage policies, integrate with XDR, tune detection | AMP for Endpoints training (20 hours) |
| Network (ISE, FTD) | Read auth logs, quarantine devices | Investigate SGT violations, tune policies, analyze flows | Design policies, integrate with XDR, capacity planning | ISE Fundamentals (40 hours), FTD Essentials (40 hours) |
| Incident Response | Follow playbooks (PB-001 to 008), escalate if unsure | Lead P2/P3 investigations, forensics, reporting | Lead P1 investigations, executive reporting, post-mortems | SANS SEC504 (Incident Response) or equivalent |
| Threat Hunting | Assist hunts (run queries), document findings | Lead hunts (hypothesis-driven), MITRE ATT&CK mapping | Define hunt program, prioritize threats, measure ROI | SANS SEC555 (SIEM/Tactical Analytics) or equivalent |
| Compliance | Understand PCI/SOC2 requirements | Collect audit evidence, support auditors | Coordinate audits, remediate findings, policy updates | PCI-DSS Fundamentals (8 hours), ISO 27001 Awareness (4 hours) |
6.2 Daily SOC Operations Workflow¶
Standard Day Shift (06:00-14:00 GMT, NJ Team):
06:00 Shift Start
──────────
• Shift handoff from Mumbai team (Webex call, 30 min overlap)
• Review overnight incidents in ServiceNow (filter: assigned to Mumbai, status=In Progress)
• Check XDR alert queue (priority: P1 Critical alerts first)
06:30 Morning Briefing
───────────────
• SOC Lead hosts 15-min standup (Webex Teams)
• Topics: Overnight incidents, emerging threats (Talos alert review), priority focus areas
• Assign tasks: L1 analysts (alert triage), L2 analysts (investigations, threat hunt)
07:00 Alert Triage (L1 Analysts)
──────────────────────────
• XDR alert queue: ~60-80 alerts overnight (avg: 180/day ÷ 3 shifts = 60/shift)
• Priority: P1 (Critical) > P2 (High) > P3 (Medium) > P4 (Low)
• Triage process (per alert, ~10 min avg):
1. Read alert description (XDR case summary)
2. Gather context (user, device, location, recent activity)
3. Enrich IOCs (Threat Response: file hash, IP, domain reputation)
4. Correlate events (Splunk: related logs, timeline)
5. Determine disposition:
- TRUE POSITIVE → Escalate to L2 (if P1/P2) or contain (if automated playbook)
- FALSE POSITIVE → Mark as FP in XDR, tune detection rule
- BENIGN → Close case with notes
08:00 Incident Investigation (L2 Analysts)
────────────────────────────────────
• P1 Critical (immediate): Ransomware, data breach, DDoS
- Lead: L2 Analyst, Support: SOC Lead + Security Manager
- Tools: AMP Orbital (forensics), FTD PCAP, ISE session logs, Splunk correlation
- Timeline: Contain within 30 min, investigate 1-2 hours, report to CISO
• P2 High (1-hour SLA): Phishing campaign, compromised credential, lateral movement
- Lead: L2 Analyst, Support: L1 Analyst (data gathering)
- Investigation: Scope (how many affected?), containment (quarantine), eradication (reset passwords)
• P3 Medium (4-hour SLA): Single malware detection, policy violation, UEBA alert
- Lead: L2 Analyst (independent)
- Standard investigation: Validate detection, contain if needed, document findings
09:00 Threat Hunting (L2 Analyst, Dedicated Hunter)
───────────────────────────────────────────
• Weekly hunt calendar (Mon: Phishing IOCs, Tue: Lateral Movement, Wed: Data Exfiltration, etc.)
• Today's hunt: "Hunt for DNS Tunneling" (MITRE ATT&CK T1071.004)
• Hypothesis: Attackers use DNS queries to exfiltrate data or receive C2 commands
• Hunt process:
1. Splunk query: `index=network sourcetype=umbrella | stats count by query_domain | where count > 100 AND len(query_domain) > 50`
2. Identify high-entropy domains (DGA detection: domain randomness score >0.8)
3. Cross-reference Umbrella Investigate (domain age, reputation, category)
4. Investigate suspicious domains: Dest IPs, query frequency, affected users
5. Findings: 3 suspicious domains (DGA, newly-seen <7 days, query count >500)
6. Actions: Block domains (Umbrella), investigate affected devices (ISE + AMP)
7. Document: Hunt report in Confluence, add IOCs to threat intel (XDR)
10:00 Splunk Dashboard Monitoring (L1 Analysts)
─────────────────────────────────────────
• Real-time dashboards (displayed on SOC wall monitors):
- XDR Alert Volume (live count, trend chart)
- Failed Authentication Attempts (top users, top source IPs)
- Network Traffic Anomalies (NetFlow volumetrics, >3 std dev from baseline)
- AMP Malware Detections (hourly count, blocked vs. quarantined)
- FTD IPS Events (top attackers, top targets, top signatures)
- ISE SGT Violations (unauthorized access attempts, quarantine rate)
• Proactive monitoring: If any metric spikes (e.g., failed auth >100 in 10 min), investigate immediately
11:00 Compliance Evidence Collection (L2 Analyst, Rotating Duty)
──────────────────────────────────────────────────────────
• PCI-DSS quarterly audit prep (next audit: March 2025)
• Tasks:
- Export FMC firewall rules (CDE segmentation verification)
- Export ISE SGACL matrix (CDE access control)
- Export Splunk CDE logs (90-day retention verification, sample 5 days)
- Screenshot AMP coverage (CDE servers, 100% agent deployment)
• Upload evidence to shared folder (Compliance Analyst reviews)
12:00 Lunch Break (Rotating, 1 hour per analyst)
─────────────────────────────────────────
13:00 Incident Reporting & Documentation
────────────────────────────────────
• L2 Analysts: Finalize investigation reports in ServiceNow
- Incident timeline (UTC timestamps)
- Root cause analysis (how did it happen?)
- Containment actions (what was done?)
- Lessons learned (how to prevent recurrence?)
• Escalation: P1 incidents → Send email summary to CISO + Security Manager
• Metrics update: Update SOC KPI dashboard (MTTD, MTTR, alert volume)
13:30 Shift Handoff Preparation
─────────────────────────
• NJ team prepares handoff notes (ServiceNow + Webex Teams)
• Open incidents: P1 (2 ransomware contained, forensics ongoing), P2 (5 phishing investigations), P3 (12 malware detections, all contained)
• Priority for London team: Continue P1 forensics, complete P2 phishing scope analysis
14:00 Shift End (NJ) → Shift Start (London)
───────────────────────────────────
• 30-minute overlap (13:30-14:00): NJ SOC Lead + London SOC Lead Webex call
• London team takes over, repeats daily workflow for their shift
6.3 Incident Response Playbooks (XDR Automation)¶
Playbook Execution Flow (Example: PB-001 Malware-Containment):
┌─────────────────────────────────────────────────────────────────────┐
│ XDR PLAYBOOK: PB-001 MALWARE-CONTAINMENT │
│ (Fully Automated, ~2-minute MTTR) │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ TRIGGER: │
│ AMP detection: File execution blocked (reputation < -50) │
│ │
│ STEP 1: ENRICH FILE (5 seconds) │
│ ───────────────────────────────────────────── │
│ • XDR Threat Response: Check file hash (SHA-256) against: │
│ - Cisco Talos Intelligence │
│ - VirusTotal (API) │
│ - MISP threat intel feed │
│ • Result: File = "TrojanDownloader.Win32.Agent" (malicious) │
│ │
│ STEP 2: GATHER CONTEXT (10 seconds) │
│ ────────────────────────────────────────────── │
│ • AMP File Trajectory: │
│ - File origin: Email attachment (user: john.doe@abhavtech.com) │
│ - File path: C:\Users\john.doe\Downloads\invoice.exe │
│ - Execution: Blocked (AMP prevented execution) │
│ • ISE Context Lookup (pxGrid): │
│ - Device: LAPTOP-12345 (john.doe's laptop) │
│ - IP address: 10.10.50.123 │
│ - SGT: 15 (Corporate User) │
│ - Location: NJ Office, VLAN 50 │
│ │
│ STEP 3: CONTAINMENT (30 seconds) │
│ ───────────────────────────────────────────── │
│ • AMP Action: Isolate endpoint (network connectivity disabled) │
│ - Result: LAPTOP-12345 isolated, user sees "Network Isolated" │
│ • ISE CoA (Change of Authorization): │
│ - ISE sends CoA to switch (port where LAPTOP-12345 connected) │
│ - Switch re-authenticates device → ISE assigns SGT 999 (Quarantine)│
│ - SGACL: SGT 999 → All = DENY (no network access) │
│ • FTD Block (Secondary): │
│ - XDR creates FTD block rule: Block IP 10.10.50.123 (inbound/outbound)│
│ - Result: Even if device bypasses ISE, FTD blocks all traffic │
│ │
│ STEP 4: NOTIFICATION (15 seconds) │
│ ────────────────────────────────────────────── │
│ • ServiceNow: Create incident ticket (INC0012345) │
│ - Priority: P2 (High) │
│ - Assigned: SOC L2 Analyst (current shift) │
│ - Summary: "Malware detected: TrojanDownloader on LAPTOP-12345" │
│ • Webex Teams: Post alert to #soc-alerts channel │
│ - Message: "@soc-team P2 Malware: LAPTOP-12345 isolated, john.doe affected"│
│ • Email: Notify SOC Lead + Security Manager │
│ │
│ STEP 5: FORENSICS COLLECTION (30 seconds) │
│ ────────────────────────────────────────────────── │
│ • AMP Orbital: Initiate live forensics collection │
│ - Collect: Process list, network connections, registry keys, file hashes│
│ - Store: XDR case (forensics data attached) │
│ • Splunk: Query related events (10-minute window before/after detection)│
│ - Search: `index=* host=LAPTOP-12345 earliest=-10m latest=+10m` │
│ - Export: Timeline of events (auth, web browsing, email, file access)│
│ │
│ STEP 6: REMEDIATION GUIDANCE (10 seconds) │
│ ────────────────────────────────────────────────── │
│ • XDR Case: Add remediation steps (for SOC Analyst to follow): │
│ 1. Review AMP Orbital forensics (check for persistence mechanisms)│
│ 2. Interview user john.doe (how did they receive the file?) │
│ 3. Search email (Secure Email): Find other recipients of malicious email│
│ 4. Block sender domain (Umbrella): Prevent future emails │
│ 5. Reimage endpoint (IT Ops): Clean install Windows 11 │
│ 6. Restore user data (Veeam backup) │
│ 7. Re-enroll device (ISE 802.1X certificate reissue) │
│ 8. Verify AMP agent (check connectivity, update signatures) │
│ 9. User training (phishing awareness) │
│ │
│ TOTAL PLAYBOOK EXECUTION TIME: ~2 MINUTES (fully automated) │
│ │
│ HUMAN FOLLOW-UP: L2 Analyst investigates within 1 hour (P2 SLA) │
│ │
└─────────────────────────────────────────────────────────────────────┘
7. THREAT HUNTING¶
8. CONTINUOUS SECURITY MONITORING¶
8.1 Unified Security Dashboard (Splunk Enterprise Security)¶
Real-Time Security Metrics (SOC Wall Display - 4K Monitors × 6):
Monitor 1: XDR Alert Feed (Live Scroll)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[10:23:45] P2 - AMP Malware: TrojanDownloader on LAPTOP-456
[10:22:18] P3 - ISE SGT Violation: User SGT 15 → Server SGT 81 (Denied)
[10:20:05] P1 - Duo Impossible Travel: user@domain (NYC → London, 30 min)
[10:18:42] P3 - FTD IPS: SQL Injection attempt blocked (Web Server DMZ)
Monitor 2: Incident Status Board
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Open Incidents: 18
P1 Critical: 0
P2 High: 3 (avg age: 2.5 hours)
P3 Medium: 10 (avg age: 6 hours)
P4 Low: 5 (avg age: 12 hours)
SLA Compliance: 95% (target: 98%)
MTTR Today: 22 minutes (target: <120 min)
Monitor 3: Network Traffic Heatmap (ThousandEyes)
Monitor 4: Endpoint Health Status (AMP Coverage %)
Monitor 5: Authentication Success Rate (ISE/Duo)
Monitor 6: Compliance Scorecard (PCI/SOC2/ISO/GDPR)