How to Become a SOC Analyst (Tier 2)

Your day starts with the escalation queue from the overnight Tier 1 shift. Three incidents need your attention. You prioritize by business impact. The most urgent: a Tier 1 analyst escalated a suspicious PowerShell execution chain on a Finance workstation. You pull the full process tree from CrowdStrike. The chain starts with WINWORD.EXE spawning cmd.exe, then PowerShell with a Base64-encoded command. You decode it.

The script downloads a second-stage payload from a .top domain registered yesterday, disables Windows Defender via Set-MpPreference, and creates a scheduled task named "WindowsUpdateCheck" for persistence. You cross-reference the C2 domain against Recorded Future. It is linked to a financially motivated group that has been hitting mid-market companies in your sector.

You coordinate with the network team to isolate the workstation, then query the SIEM for the same IOCs across all endpoints: the specific PowerShell command pattern, the C2 domain, the scheduled task name. Two more machines in Finance show the same activity. Both installed the persistence mechanism but have not yet exfiltrated data based on your firewall log review.

You draft the incident report: full attack chain from phishing email through macro execution, payload download, defense evasion, and persistence establishment. You document affected systems, provide containment recommendations, and brief the SOC Manager on severity and data exposure risk. Between major investigations, you spend an hour tuning a Sigma rule that generated 40 false positives last week because it did not exclude the IT team's legitimate use of PsExec.

You also run a 15-minute training session, walking two Tier 1 analysts through your investigation methodology on the morning's incident. Context switching is constant: active investigations, detection engineering, and team development all compete for your time.