SOC Analyst
What is a SOC Analyst?
A security operations role responsible for triaging alerts, monitoring SIEM/EDR/XDR queues, investigating suspicious events, and escalating confirmed incidents to IR — typically tiered (T1 triage, T2 investigation, T3 hunt/engineering).
A Security Operations Center (SOC) analyst is the frontline role in detection-and-response operations, tasked with reading, triaging, and acting on the stream of alerts from SIEM, EDR/XDR, NDR, identity-protection, and SOAR pipelines. SOCs are typically tiered. Tier 1 analysts triage volume — confirming or dismissing alerts against runbooks and escalating those that hold up. Tier 2 analysts investigate deeper, pulling context across multiple data sources, performing log dives, and driving IR through to containment. Tier 3 (or 'senior') analysts run threat hunts, build detections, tune out false positives, and own playbook authorship. Common skill stack: log query languages (SPL, KQL, Lucene), an EDR (CrowdStrike, SentinelOne, Defender, Carbon Black), packet/pcap basics, MITRE ATT&CK familiarity, Sigma rule authoring, scripting (Python, PowerShell), and clear written communication for incident tickets. Certifications often associated with the role include CompTIA Security+, BTL1/2, GIAC GCDA / GCFA / GCIA, and increasingly vendor-specific badges. Burnout from alert volume is a documented occupational hazard; MDR and SOAR adoption has shifted the role toward higher-context investigation.
● Examples
- 01
A Tier 1 SOC analyst triages an EDR alert for a suspicious PowerShell command line, confirms it matches a benign sysadmin script, and closes the ticket.
- 02
A Tier 3 analyst writes a Sigma rule for a new lateral-movement technique observed in a recent intrusion, then validates coverage with Atomic Red Team.
● Frequently asked questions
What is a SOC Analyst?
A security operations role responsible for triaging alerts, monitoring SIEM/EDR/XDR queues, investigating suspicious events, and escalating confirmed incidents to IR — typically tiered (T1 triage, T2 investigation, T3 hunt/engineering). It belongs to the category Cybersecurity roles and careers.
What are other names for SOC Analyst?
Common alternative names: Security Operations Center analyst, SOC Tier 1/2/3.
● Related terms
- roles№ 1101
Security analyst (SOC Tier 1/2/3)
A SOC professional who monitors alerts, investigates incidents and escalates threats, within a typical hierarchy that runs from Tier 1 triage to advanced Tier 3 investigation.
- roles№ 1108
Security engineer
An engineer who designs, builds and operates the controls, automation and tooling that keep systems secure across infrastructure, applications, identity and detection pipelines.
- roles№ 581
Incident responder
A specialist who leads or supports the technical response to confirmed security incidents, carrying out containment, eradication, forensic analysis and recovery in coordination with legal, communications and management.
- roles№ 1266
Threat hunter
A senior defender who proactively searches the organization's telemetry for adversary activity that evaded existing detections, driven by hypotheses, threat intelligence and behavioural analysis.
- defense-ops№ 1151
SIEM
A platform that aggregates, normalizes and correlates security telemetry across the whole organization for detection, investigation, compliance and reporting.
- defense-ops№ 412
EDR (Endpoint Detection and Response)
Endpoint security technology that continuously records process, file, registry and network activity to detect, investigate and respond to threats on hosts.