Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1179

SOC Analyst

What is a SOC Analyst?

SOC Analyst: A security operations role responsible for triaging alerts, monitoring SIEM/EDR/XDR queues, investigating suspicious events, and escalating confirmed incidents to IR — typically tiered (T1 triage, T2 investigation, T3 hunt/engineering).


A Security Operations Center (SOC) analyst is the frontline role in detection-and-response operations, tasked with reading, triaging, and acting on the stream of alerts from a SIEM, EDR/XDR, NDR, identity-protection, and SOAR pipelines. SOCs are typically tiered. Tier 1 analysts triage volume — confirming or dismissing alerts against runbooks, escalating valid suspicion. Tier 2 analysts investigate deeper, pulling context across multiple data sources, performing log dives, and driving IR until containment. Tier 3 (or 'senior') analysts run threat hunts, build detections, tune false positives, and own playbook authorship. Common skill stack: log query languages (SPL, KQL, Lucene), an EDR (CrowdStrike, SentinelOne, Defender, Carbon Black), packet/pcap basics, MITRE ATT&CK familiarity, Sigma rule authoring, scripting (Python, PowerShell), and clear written communication for incident tickets. Certifications often associated with the role include CompTIA Security+, BTL1/2, GIAC GCDA / GCFA / GCIA, and increasingly vendor-specific badges. Burnout from alert volume is a documented occupational hazard; MDR and SOAR adoption shifted the role toward higher-context investigation.

Examples

  1. A Tier 1 SOC analyst triages an EDR alert for a suspicious PowerShell command line, confirms it matches a benign sysadmin script, and closes the ticket.

  2. A Tier 3 analyst writes a Sigma rule for a new lateral-movement technique observed in a recent intrusion, then validates coverage with Atomic Red Team.

Frequently asked questions

What is a SOC Analyst?

A security operations role responsible for triaging alerts, monitoring SIEM/EDR/XDR queues, investigating suspicious events, and escalating confirmed incidents to IR — typically tiered (T1 triage, T2 investigation, T3 hunt/engineering). It belongs to the Roles and Careers category of cybersecurity.

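How do you defend against SOC Analyst?

Defending against SOC Analyst typically combines technical controls with operational practices; see the full definition above.

What other names does SOC Analyst go by?

Common aliases include: Security Operations Center analyst, SOC Tier 1/2/3.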
