A Day in the Life of a SOC Analyst

A career as a SOC Analyst can offer great rewards and benefits, where no two days are the same! SOC Analysts are at the forefront of defending organisations against cyber attacks, with a significant role in handling security operations.

To give you an understanding of what to expect in a SOC Analyst role and to answer your frequently asked questions, we sat down with Isaiah, who previously worked as an in-house SOC Analyst. Isaiah now works part-time as a Content Engineer at TryHackMe and full-time as a Senior Offensive Security Engineer for a US-based company.

What does a day in the life of a SOC Analyst look like?

A day in the life of a SOC (Security Operations Center) Analyst typically begins with reviewing the dashboards of various monitoring tools and scanning for any suspicious activities or anomalies within logs.

Responsibilities include investigating triggered rules by examining logs/events, identifying false positives, fine-tuning them, and creating reports.

A vital responsibility of the role is maintaining a clear dashboard by the end of our shift or handing over any remaining alerts or ongoing investigations to the next team.

What happens when you identify an alert?

As SOC Analysts, our goal is to ensure uninterrupted business operations. When examining an alert, we identify its trigger, origin, and rationale, then act according to our organisation's established processes or playbooks while regularly discussing improvements to optimise the SOC's efficiency.

We perform ‘correlation’ by gathering data from relevant sources, such as Web Proxies, EDR, SIEM, and endpoints, that detect and log the activity. We analyse logs from these sources to construct event timelines, revealing patterns that help us determine if the alert resulted from legitimate activities or an actual threat within our network.

Often, we encounter false positive alerts due to benign activities and default detection rules. In such cases, we refine the rules to minimise noise and prevent alert fatigue, enhancing the SOC's overall effectiveness.

For true positive alerts, we address lapses in IT procedures by contacting stakeholders to agree on a resolution or respond to malicious activities, such as phishing campaigns, by following our SOC playbook.

What roles and responsibilities have you had as a SOC Analyst throughout your career?

As a SOC Analyst who previously worked for a Managed Security Services Provider (MSSP) and in-house, my responsibilities included:

• Performed daily monitoring of security consoles for potential hacking, malware, and malicious/suspicious activity on the external and internal corporate network using in-house solutions
• Performed daily monitoring and investigation of user-raised tickets related to phishing/spam and other potential malicious/suspicious activity
• Conducted daily research on the latest trends and news in Information Security / Cyber Security
• Created and tuned internal monitoring scripts and tools to reduce security console noise and ease monitoring
• Triaged security console alerts and correlated device logs
• Initiate Incident Response in the event of a breach
• Perform threat hunting to detect anomalies
• Perform research and write Threat Intelligence reports on typical malware families detected within our client's network(s) and their propagation method

How does your real-world experience come into play when you create TryHackMe training rooms?

The expertise gained as a SOC Analyst equips me to develop training rooms that offer authentic, real-world scenarios and practical knowledge applicable to actual work situations. My knowledge as a SOC Analyst has been very helpful so far in my role at TryHackMe!

What would you say to other people considering a career as a SOC Analyst?

Cultivate a curious mindset, embracing the attitude of ‘I may not know now, but I will know later’. Make a habit of reading about a subject and validating the information through hands-on practice.

Practice intellectual humility by acknowledging that, despite your extensive knowledge, you could be mistaken in certain situations. Be open to being wrong and adjust your understanding when presented with verifiable facts contradicting your beliefs.

Master the fundamentals, such as networking basics and OS essentials (in our Pre-Security learning path), and stay current on the latest developments by engaging with online communities, blogs, and reports on bug bounty, malware analysis, and threat intelligence.

Gain hands-on experience by setting up a home lab, configuring Active Directory on a VM, running your website on the Internet, playing with firewall rules, setting up your own SIEM, and experimenting with offensive and defensive tools - see to it that you can put theory into practice.

Develop the ability to look at things from different perspectives - both from a defender's and adversary’s perspectives.

Check out the TryHackMe SOC Analyst training to kickstart your SOC Analyst journey!

Get started with our Introduction to Cyber Security and Pre-Security pathways before upskilling with our Level 1 SOC Analyst pathway, covering the many tools and real-life analysis scenarios needed in the role.

We also recommend reading our guide ‘How to Become a Level 1 SOC Analyst’ to discover how our blue team training can help you kickstart your career in defensive security.

Thank you so much, Isaiah, for your insight!