SOC Analyst
Qu'est-ce que SOC Analyst ?
SOC AnalystA security operations role responsible for triaging alerts, monitoring SIEM/EDR/XDR queues, investigating suspicious events, and escalating confirmed incidents to IR — typically tiered (T1 triage, T2 investigation, T3 hunt/engineering).
A Security Operations Center (SOC) analyst is the frontline role in detection-and-response operations, tasked with reading, triaging, and acting on the stream of alerts from a SIEM, EDR/XDR, NDR, identity-protection, and SOAR pipelines. SOCs are typically tiered. Tier 1 analysts triage volume — confirming or dismissing alerts against runbooks, escalating valid suspicion. Tier 2 analysts investigate deeper, pulling context across multiple data sources, performing log dives, and driving IR until containment. Tier 3 (or 'senior') analysts run threat hunts, build detections, tune false positives, and own playbook authorship. Common skill stack: log query languages (SPL, KQL, Lucene), an EDR (CrowdStrike, SentinelOne, Defender, Carbon Black), packet/pcap basics, MITRE ATT&CK familiarity, Sigma rule authoring, scripting (Python, PowerShell), and clear written communication for incident tickets. Certifications often associated with the role include CompTIA Security+, BTL1/2, GIAC GCDA / GCFA / GCIA, and increasingly vendor-specific badges. Burnout from alert volume is a documented occupational hazard; MDR and SOAR adoption shifted the role toward higher-context investigation.
● Exemples
- 01
A Tier 1 SOC analyst triages an EDR alert for a suspicious PowerShell command line, confirms it matches a benign sysadmin script, and closes the ticket.
- 02
A Tier 3 analyst writes a Sigma rule for a new lateral-movement technique observed in a recent intrusion, then validates coverage with Atomic Red Team.
● Questions fréquentes
Qu'est-ce que SOC Analyst ?
A security operations role responsible for triaging alerts, monitoring SIEM/EDR/XDR queues, investigating suspicious events, and escalating confirmed incidents to IR — typically tiered (T1 triage, T2 investigation, T3 hunt/engineering). Cette notion relève de la catégorie Rôles et carrières en cybersécurité.
Que signifie SOC Analyst ?
A security operations role responsible for triaging alerts, monitoring SIEM/EDR/XDR queues, investigating suspicious events, and escalating confirmed incidents to IR — typically tiered (T1 triage, T2 investigation, T3 hunt/engineering).
Comment fonctionne SOC Analyst ?
A Security Operations Center (SOC) analyst is the frontline role in detection-and-response operations, tasked with reading, triaging, and acting on the stream of alerts from a SIEM, EDR/XDR, NDR, identity-protection, and SOAR pipelines. SOCs are typically tiered. Tier 1 analysts triage volume — confirming or dismissing alerts against runbooks, escalating valid suspicion. Tier 2 analysts investigate deeper, pulling context across multiple data sources, performing log dives, and driving IR until containment. Tier 3 (or 'senior') analysts run threat hunts, build detections, tune false positives, and own playbook authorship. Common skill stack: log query languages (SPL, KQL, Lucene), an EDR (CrowdStrike, SentinelOne, Defender, Carbon Black), packet/pcap basics, MITRE ATT&CK familiarity, Sigma rule authoring, scripting (Python, PowerShell), and clear written communication for incident tickets. Certifications often associated with the role include CompTIA Security+, BTL1/2, GIAC GCDA / GCFA / GCIA, and increasingly vendor-specific badges. Burnout from alert volume is a documented occupational hazard; MDR and SOAR adoption shifted the role toward higher-context investigation.
Comment se défendre contre SOC Analyst ?
Les défenses contre SOC Analyst combinent habituellement des contrôles techniques et des pratiques opérationnelles, comme détaillé dans la définition ci-dessus.
Quels sont les autres noms de SOC Analyst ?
Noms alternatifs courants : Security Operations Center analyst, SOC Tier 1/2/3.
● Termes liés
- roles№ 1101
Analyste sécurité (SOC niveau 1/2/3)
Professionnel d'un SOC qui supervise les alertes, enquête sur les incidents et escalade les menaces, avec une hiérarchie classique allant du triage en niveau 1 à l'investigation avancée en niveau 3.
- roles№ 1108
Ingénieur sécurité
Ingénieur qui conçoit, construit et exploite les contrôles, l'automatisation et l'outillage chargés de sécuriser les systèmes sur l'infrastructure, les applications, l'identité et les pipelines de détection.
- roles№ 581
Incident Responder
Spécialiste qui pilote ou appuie la réponse technique aux incidents de sécurité confirmés, assurant containment, éradication, analyse forensique et reprise, en coordination avec juridique, communication et direction.
- roles№ 1266
Threat Hunter
Défenseur senior qui recherche proactivement, dans la télémétrie de l'entreprise, l'activité d'adversaires ayant contourné les détections en place, à l'aide d'hypothèses, de renseignement et d'analyse comportementale.
- defense-ops№ 1151
SIEM
Plateforme qui agrège, normalise et corrèle la télémétrie de sécurité de toute l'entreprise pour la détection, l'investigation, la conformité et le reporting.
- defense-ops№ 412
EDR (Endpoint Detection and Response)
Technologie de sécurité d'endpoint qui enregistre en continu l'activité des processus, fichiers, registre et réseau pour détecter, analyser et répondre aux menaces sur les machines.