Featured image of post The Role of a Level 1 SOC Analyst at Senthorus
Senthorus

The Role of a Level 1 SOC Analyst at Senthorus

Level 1 SOC analysts are the first line of defense, triaging alerts, investigating threats, and ensuring real-time cybersecurity for organizations.

The Role of a Level 1 SOC Analyst

In an increasingly connected society with more and more cyber threats, it has become essential to protect organizations against potential data breaches and vulnerabilities.

That’s why more companies are choosing to subscribe to an MSSP (Managed Security Service Provider) service including an external SOC (Security Operations Center) service, which manages information security within the company.

Structure of a SOC

Within this base, in a SOC there are analysts working 24/7 on a rotating shift basis. There is a permanent team of analysts ranging from level 1 to 3.

This article looks at the role of a level 1 analyst within the Senthorus SOC.

Role and Responsibilities

Level 1 analysts are on the front line of corporate defense against cyberattacks, playing a central role in protecting companies from potential breaches and threats. Let’s take a look at their tasks, skills, challenges, and importance in the field of cybersecurity.

The main task of an analyst is to triage security alerts on our customers’ information systems constantly. Identifying and responding to security problems is essential, so security alerts must be identified and dealt with in real-time.

In this role, we are the first to face alerts raised by the detection rules, which is why it’s vital to have a wide range of IT knowledge. This multi-faceted role requires an in-depth understanding of various IT domains, from network architecture and systems administration to cloud services and application development. This diverse expertise enables SOC analysts to effectively decipher complex security incidents, actively navigate complex IT environments, and accurately discern anomalous activity.

With a broad knowledge base, SOC analysts are better equipped to identify vulnerabilities, proactively detect emerging threats, and respond rapidly to security breaches. Ultimately, the ability to seamlessly integrate IT knowledge with security acumen enables SOC analysts to protect critical assets and fortify digital landscapes against an ever-evolving spectrum of cyber threats.

Key Tools: SIEM and EDR

Within a Security Operations Center (SOC), two essential tools are employed by analysts: Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR):

  • SIEM: The central tool that collects and analyses data from several different sources. Its main functions are live monitoring, alerting, incident investigation, incident response, and incident management. The SIEM provides a global view of an organization’s digital landscape.

  • EDR: Continuously monitors individual endpoints—devices connected to the corporate network—and provides deep visibility of endpoint activity to detect and respond to cyber threats. Integration with SIEM improves the SOC’s ability to detect, respond, and investigate security incidents.

Together, SIEM and EDR detect security incidents, increasing the SOC’s capabilities and ensuring a proactive stance against cyber threats.

Incident Resolution Phases

1. Sorting

First, the analyst needs to assess the severity, categorization, and credibility of the alerts. Alerts created by EDR or SIEM are derived from detection rules, resulting in a large number of alerts that aren’t alerts at all—these are known as False Positives. An analyst’s first job is to judge the credibility of an alert.

To respect the SLA (service-level agreement) within the SOC, we use the FIFO (first in, first out) principle for processing alerts. However, some incidents may be prioritized based on their criticality.

2. Investigation

This phase consists of an investigation to verify the activities of the user or host concerned by the alert. The aim is to find the chronology of events leading up to the incident, indicating the actions taken by the attacker.

To do this, go to the incident page in the solution that generated the alert. For example, in Azure Sentinel, a summary of the incident includes its severity level and the resources affected. KQL (Kusto Query Language) queries help retrieve information from other tables in the database.

Several tools assist in the investigation:

In the event of a confirmed incident, predefined protocols (playbooks) are followed to mitigate its impact. Depending on the client’s approved action list, this may involve isolating systems, blocking IPs, or further investigation.

3. Resolution

After determining the result of the incident, there are two possible outcomes:

a. Closing the incident

All the collected information is used to update the customer.

b. Opening a customer ticket

If the incident is of medium severity, a customer ticket is opened to communicate investigation results. The customer’s security department may be asked to perform checks or authorize further action.

If the evidence is inconclusive, the incident is escalated to higher-level analysts or management.

Accurate documentation is essential to understand the chronology, actions taken, and results. The Level 1 analyst keeps detailed records to facilitate subsequent analysis and reporting.

Conclusion

In a SOC, the role of a Level 1 SOC analyst is crucial. Their real-time vigilance, rapid decision-making, and ability to work under pressure contribute significantly to an organization’s overall security posture. As the cyber threat landscape continues to evolve, the expertise and dedication of these analysts remain crucial in the fight against digital adversaries.

© 2025 Senthorus Blog