Job Description - L2 SOC Analyst
Experience
- 3-5 years of experience in the cyber security domain.
- Hands-on exposure to SIEM technologies and security tools such as Microsoft Sentinel or Splunk, plus at least one other technology such as EDR/XDR, endpoint security or email security.
- Experience with platforms such as Sentinel, Mimecast, MDO (Defender for Office 365), MDE (Defender for Endpoint), MDCA (Defender for Cloud Apps), MDI (Defender for Identity), MDC (Defender for Cloud) and Purview DLP is preferred.
- Threat detection and hunting.
- Thorough understanding of networking concepts and of security concepts such as perimeter security, vulnerability assessment, application security, identity and access management and database security.
- Automation exposure using scripting skills (Shell, PowerShell, Python etc.) is an added advantage.
- Thorough understanding of security events and logs from Windows/Linux operating systems, firewalls, IDS/IPS devices, WAFs etc.
- Adequate hands-on experience with at least one ticketing tool such as ServiceNow (SNOW), Summit or Jira.
- Exposure to a kill-chain based approach to detecting security incidents, such as the Lockheed Martin Cyber Kill Chain or the MITRE ATT&CK framework.
- Working incidents: reviewing alerts and performing detailed analysis of them.
- Hands-on experience with incident response activities such as malware analysis, phishing analysis and timeline analysis in an EDR tool to identify the root cause (RC) of an incident.
- Good knowledge of TCP/IP, security concepts, WAN and LAN concepts, routing protocols and firewall security policies.
Skillset and Certifications
- Industry certifications (desirable): CEH/OSCP, CCNA Security, ITIL V3 Foundation, GCIH, or vendor-specific certifications on SIEM, EDR etc.
- Knowledge of the variants of the Windows and Linux operating systems.
- A grasp of perimeter security controls such as firewalls, IDS/IPS, WAF, network access control and network segmentation.
- Knowledge of network security concepts including DNS, routing, authentication, VPN, proxy services and DDoS mitigation technology.
- Basic understanding of third-party auditing and cloud security concepts.
- Excellent communication skills.
Roles and Responsibilities
- Monitor security alerts on the assigned tools in 24x7 rotational shifts.
- Perform in-depth analysis of security alerts escalated from SOC L1 across SIEM, EDR/XDR, email security, IAM and network security tools.
- Validate true positives by analysing logs, telemetry, indicators of compromise (IOCs), and attack patterns.
- Investigate security incidents including phishing, malware, suspicious sign-ins, privilege abuse, lateral movement, and data exfiltration.
- Correlate events across multiple data sources (SIEM, Defender, firewall, proxy, IAM, EDR).
- Maintain due diligence around SOC processes, SOPs and documentation.
- Perform attacker profiling, in-depth target asset analysis, and analysis of the threat vector, the attack vector and the Cyber Kill Chain stage reached.
- Execute containment actions such as isolating endpoints, resetting user passwords, disabling user accounts, blocking IPs/domains and revoking sessions (as per access approvals).
- Coordinate response activities with IT, IAM, Endpoint, Network, and Cloud teams.
- Ensure timely incident handling in accordance with SLAs, SOPs and playbooks.
- Conduct proactive threat hunting based on hypotheses aligned with MITRE ATT&CK techniques.
- Identify anomalous behavior and emerging threats not detected by automated rules.
- Develop and refine KQL / SPL / SIEM queries to improve detection coverage.
- Perform historical analysis to identify past recurrences of the same activity.
- Tune SIEM, EDR, and email security detections to reduce false positives.
- Recommend new detection rules based on incident trends and threat intelligence.
- Support use-case development and validation.
- Enhance incident analysis by applying customer context, validated against the customer-specific SOPs.
- Leverage threat intelligence to assess the attacker's profile and the associated risk.
- Create SOPs for offense handling and incident triage.
- Provide detailed information and immediate containment recommendations to the IR team.
- Review the incident reports produced by L1 and create detailed recommendations for resolver groups.
- Follow the escalation matrix to obtain support from internal/customer teams and follow up each security incident to closure.