How to Become a SOC Analyst (Tier 1)

You get to the SOC ten minutes early for shift handoff. The outgoing analyst briefs you: two open investigations, a Splunk ingestion delay that got fixed at 0300, and a new detection rule that has been firing on the IT team's vulnerability scanner all morning. You pull up the SIEM queue. Forty-seven alerts waiting. Most are informational, but three are tagged high severity. You start there. The first is a brute force detection: 200+ failed SSH attempts from an external IP hitting a DMZ server.

You check the source against VirusTotal and AbuseIPDB. Known scanner. You verify no successful auth events followed, document it, close as false positive. The second alert is more interesting: a workstation in Finance initiated an outbound HTTPS connection to a domain registered 36 hours ago. You pull the DNS history, check the process tree in CrowdStrike, and find the connection came from a macro-enabled Excel attachment delivered via email.

You flag the user account, check if the payload executed successfully, and escalate to Tier 2 with a summary of the IOCs and affected systems. Between investigations, a user calls the help desk reporting a suspicious email. You analyze the headers, extract the sending IP, check SPF/DKIM alignment, and sandbox the attachment. Benign. You close the ticket. Four hours into your shift, the queue has grown again. The SLA timer on two medium-severity alerts is turning yellow. You pick up the pace.

Some hours are quiet enough to tune noisy detection rules. Others are a sprint. The variety is what keeps the job from getting stale.