Security Operations Center (SOC) Analyst

Remote: Full Remote
Offer summary

Key responsibilities:

  • Monitor security incidents using Splunk, CrowdStrike, Qualys, and other tools
  • Triage and respond to different levels of incidents and escalations
Sky Systems, Inc. (SkySys) Information Technology & Services Startup https://myskysys.com/
11 - 50 Employees

Job description


Your missions

Role: Security Operations Center (SOC) Analyst
Position Type: Full-Time Contract (40hrs/week)
Contract Duration: Long Term
Work Hours: India timings*
(*There will be rotating shifts as there is 24-hour coverage, so the candidate should be open to working day shift, swing shift, and night shift for extended periods of time)
Work Schedule: 8 hours/day (Mon-Fri)
Location: 100% Remote (can work from anywhere in India)


We are looking for a SOC Analyst to join the Cyber Operations Team. The team is a 24x5 group that rotates shifts. The team currently uses the following tools: Splunk, CrowdStrike, Qualys, Digicert PKI, Proofpoint, among others. We do not require experience with all of these tools; this role provides an opportunity to learn them and gain hands-on experience. Ideally we are targeting candidates who already have familiarity or experience with some of the tools; the more the better.

Please see below for details on how each tool is used and the day-to-day responsibilities.

Splunk

SIEM tool: Security Information and Event Management tool for security incidents and event correlation. The SOC team monitors Splunk for alerts and incidents, responding as necessary.

L2 Tasks:

  • Performing health checks for devices reporting and not reporting to Splunk.
  • Monitoring high and critical incidents/notables and taking the necessary triage action for incident response by creating an incident in SNOW.
  • Monitoring medium incidents to reduce false positives.
  • Continuous onboarding of log sources such as Windows and Linux servers, network devices and applications.
  • Monitoring the cloud monitoring console, identifying Splunk universal forwarders running unsupported versions, and working with the respective teams to get the forwarders updated.
  • Analyzing raw events and reducing false-positive incidents.
  • Working with the respective team members to troubleshoot log sources that are not reporting.
  • Escalating incidents and anomalies to the L3 team as required.
  • Creating SOPs based on scope and requirements.

L3 Tasks:

  • In addition to L2 tasks, perform adversary-based threat hunting.
  • Plan, manage and deploy Splunk Enterprise architecture and resource changes.
  • Plan and onboard new data sources when required.
  • Manage and create new security correlations based on data inputs and data models.
  • Team training.

CrowdStrike

EDR is an integrated endpoint security solution that combines next-gen AV, real-time continuous monitoring and collection of endpoint data, rules-based automated response, and analysis capabilities for threat hunting. The SOC team monitors detections and incidents and responds as appropriate, working with key parties including the Falcon Complete team.

L2 Tasks:

  • Performing health checks for devices reporting and not reporting to CrowdStrike.
  • Working with the Windows and Linux teams to install the CrowdStrike agents.
  • Analyzing escalated detections and incidents and taking the necessary triage and incident response actions.
  • Creating SOPs based on scope and requirements.

L3 Tasks:

  • In addition to L2 tasks, create custom IOAs based on the Client's threat data.
  • Collaborate with the CrowdStrike Complete team on creating policies and detection capabilities.
  • Design and manage deployments and plan architectural change requirements.
  • Adversary-based threat hunting.
  • Team training.

Qualys

Vulnerability management and assessment. The SOC team is trained to use the tool for ad hoc scans as requested, and also assists the Vulnerability Manager by organizing assets and performing other maintenance tasks.

L2 Tasks:

  • Creating asset groups.
  • Creating and managing tags.
  • Creating and managing templates.
  • Scheduling scans.
  • Running ad hoc scans based on team requests and generating reports for validation.
  • Creating SOPs based on scope and requirements.
  • Helping other teams with any queries on remediation/mitigation.
  • Purging decommissioned assets.
  • Creating new report templates based on requests.
  • Handling option profiles.
  • Fixing unauthenticated scan issues.
  • Monitoring for critical advisories and reporting them to the teams for timely action by opening a P2 incident to track the fix.
  • Deploying and performing health checks for Qualys Cloud Agents.

L3 Tasks:

  • In addition to L2 tasks, architecture-level planning and changes.
  • Supporting new integration requests.
  • Validating the SOPs created by the L2 team.
  • L3 administration and maintenance (Policy, design, updates and enhancements).
  • Team training.

Digicert PKI

External Certificate Authority for the Client's external-facing domains and services.

L3 Tasks:

  • Guide users in requesting the correct certificate based on application and service use.
  • Validate and issue certificates.
  • Add new domains and perform validation checks for both the organization and the domains.
  • Monitor and track issued certificates.
  • Help teams generate CSRs and install certificates.
  • Recommend fixes for and troubleshoot certificate-related issues.

GRC

Risk and governance tool used to submit PCI and InfoSec audit evidence: the internal GRC team uses it to collect evidence for compliance.

  • SOC submits evidence for both PCI and InfoSec audits on request.
  • Participate in Internal and External security audits.

Windows PKI

Internal Certificate Authority for the Client's internal domains.

Tasks:

  • Validate and issue certificates.
  • Create and manage certificate templates.
  • Help teams generate CSRs and install certificates.
  • Guide users in requesting the correct certificate based on application and service use.
  • Recommend fixes for and troubleshoot certificate-related issues.

L3 Tasks:

  • Participate in architecture, deployment and integration requirements with the infrastructure and application teams.

Proofpoint – Phishing Email Reporting and Awareness.

Proofpoint is used for internal security awareness training and for reporting phishing emails to IT Security. The SOC team assists with security awareness training by monitoring the client's mailbox for reported phishing.

L2 Tasks:

  • Checking the email headers to determine the source and authenticity of the email.
  • Verifying any links in the email and analyzing them in a sandbox.
  • Verifying whether the user opened any attachment on the reported email; if so, running a full scan, checking the file on VirusTotal, and submitting the new hash and file to the security vendors.
  • Sending the user an email with phishing awareness details based on the findings.
  • Creating an incident in Proofpoint for tracking.
  • Analysing the incidents in Proofpoint and closing them based on the findings.
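
The header, link and attachment checks in the L2 list above, written out as an added Python example (this is not code from the job posting, SkySys or Proofpoint). It uses only the standard library: it reads the spf/dkim/dmarc verdicts from the Authentication-Results header, lists the Received hops origin-first, compares the envelope sender domain with the From domain, pulls links out of the body so they can be handed to a sandbox, and hashes attachments so the SHA-256 can be looked up on VirusTotal or shared with vendors. The sample message, its hosts and addresses are constructed; the sandbox detonation and VirusTotal lookup themselves are left to the analyst.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample of a user-reported message (fictional hosts, RFC 5737 IPs).
SAMPLE_REPORTED_EMAIL = b"""Return-Path: <bounce@mail-example.invalid>
Received: from mx.example.test (mx.example.test [203.0.113.10])
\tby inbound.corp.example (Postfix) with ESMTPS id ABC123
\tfor <user@corp.example>; Mon, 01 Jan 2024 10:00:00 +0000
Received: from relay.mail-example.invalid (relay.mail-example.invalid [198.51.100.7])
\tby mx.example.test with ESMTP; Mon, 01 Jan 2024 09:59:58 +0000
Authentication-Results: inbound.corp.example;
\tspf=fail smtp.mailfrom=mail-example.invalid;
\tdkim=none;
\tdmarc=fail header.from=corp.example
From: "IT Helpdesk" <helpdesk@corp.example>
Subject: Password expires today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Reset now: <a href="http://corp-example.login-reset.invalid/reset">Reset</a></p>
<p>Or <a href="https://corp.example/help">help</a></p></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
EXEC_EXTENSIONS = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta", ".ps1")


def domain_of(header_value: str) -> str:
    """Domain of the first address in a From/Return-Path style header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def parse_auth_results(header_value: str) -> dict:
    """spf/dkim/dmarc verdicts from an Authentication-Results header."""
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", header_value or "")
        verdicts[mech] = m.group(1).lower() if m else "missing"
    return verdicts


def received_chain(msg) -> list:
    """Sending hosts named in the Received headers, origin first."""
    matches = [re.search(r"\bfrom\s+(\S+)", v) for v in msg.get_all("Received", [])]
    # Each MTA prepends its own Received line, so the last header is the origin hop.
    return [m.group(1) for m in reversed(matches) if m]


def triage(raw: bytes) -> dict:
    """Header, link and attachment checks on a reported email; returns facts plus findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(str(msg.get("From", "")))
    envelope_domain = domain_of(str(msg.get("Return-Path", "")))
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    findings = []
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"envelope sender domain {envelope_domain} differs from From domain {from_domain}")
    findings += [f"{mech} result is {verdict}" for mech, verdict in auth.items() if verdict != "pass"]

    urls, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        if filename or part.get_content_disposition() == "attachment":
            # The SHA-256 is what gets looked up on VirusTotal or shared with vendors.
            attachments.append({"filename": filename, "sha256": hashlib.sha256(payload).hexdigest(), "size": len(payload)})
            if filename and filename.lower().endswith(EXEC_EXTENSIONS):
                findings.append(f"attachment {filename} has an executable extension")
        elif part.get_content_maintype() == "text":
            text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
            for url in URL_RE.findall(text):
                if url not in urls:
                    urls.append(url)

    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host != from_domain and not host.endswith("." + from_domain):
            findings.append(f"link host {host} is outside the From domain")

    return {"from_domain": from_domain, "envelope_domain": envelope_domain, "auth": auth,
            "hops": received_chain(msg), "urls": urls, "attachments": attachments,
            "findings": findings, "verdict": "escalate" if findings else "no indicators found"}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_REPORTED_EMAIL), indent=2))
```

Running the script prints the triage record for the constructed sample: failed SPF and DMARC with a From domain that does not match the envelope sender, a link to a look-alike host, and a double-extension executable attachment, which together put the verdict at "escalate". Any one of those findings on a real report is worth an incident; the hop list and hash feed straight into the sandbox and vendor-submission steps.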

Required profile

Experience

Industry: Information Technology & Services
Spoken language(s): English
