Skarp

Chapter 15 of 27

Security Operations Fundamentals: Controls in Action and Daily SOC Workflows

Step onto the operations floor to see how security controls, logs, and procedures come together in day-to-day monitoring and response.

27 min read

Step 1 – What a SOC Is and How It Fits the Security+ Picture

From Theory to Daily Operations

In this module you move from theory into day-to-day security operations. You will see how controls like firewalls, IDS/IPS, EDR, DLP, and backups are actually monitored and used in a Security Operations Center (SOC).

What Is a SOC?

A Security Operations Center (SOC) is a team, process, and usually a physical or virtual space where security staff continuously monitor, detect, analyze, and respond to security events across an organization.

SOC Goals

Key SOC goals: maintain situational awareness, detect suspicious activity quickly, coordinate incident response, and continuously improve controls through tuning and lessons learned.

Link to Security+ and GRC

For SY0-701, you must recognize SOC roles, tools, and workflows. SOC work is shaped by governance, risk, and compliance, so procedures and reporting must align with laws, standards, and internal policies.

Step 2 – SOC Roles, Tiers, and Shift Life

SOC People, Not Just Tools

A SOC is built around people with defined responsibilities. On the exam, roles are often implied by tasks: triaging alerts, deep investigation, threat hunting, or managing shifts.

Tier 1 vs Tier 2

Tier 1 analysts monitor dashboards, perform initial checks, and decide whether to close or escalate. Tier 2 analysts handle escalated alerts, correlate logs, and determine scope and impact.

Advanced Roles

Tier 3 or threat hunters tackle complex attacks, create new detections, and hunt without waiting for alerts. SOC leads manage shifts, quality, and reporting to management.

A Typical Shift

Shift handoff, tool health checks, alert triage, incident handling, and documentation form the core daily workflow. Critical system knowledge from earlier modules guides prioritization.

Step 3 – The SOC Toolset: SIEM, EDR, IDS/IPS, and More

Why Tools Matter

SOC analysts live inside tools that collect and correlate security data. For Security+, you must match tools like SIEM, EDR, IDS/IPS, firewalls, and DLP to the data and actions they provide.

SIEM and EDR

The SIEM ingests and correlates logs from many sources and raises alerts. EDR agents watch endpoints for suspicious behavior and can isolate hosts, kill processes, and collect evidence.

Network and Data Controls

IDS/IPS inspect network traffic to detect or block attacks. Firewalls and WAFs enforce access policies and log rule hits. DLP monitors data in motion, at rest, and in use for sensitive content.

Hybrid Environments

In a hybrid environment, tools must cover on-prem, multiple clouds, OT, IoT, and mobile users. Logs from all of these are funneled into the SIEM for centralized monitoring.

Step 4 – A Day in the Life: Alert Triage Walkthrough

Start of Shift

You are a Tier 1 SOC analyst. On the SIEM dashboard you see a spike in alerts: "Multiple failed logins followed by successful login" for VPN users, especially from one region.

Alert Details

You open one alert: user jane.doe, 12 failed VPN logins from IP 203.0.113.50, then a successful login. Jane works in finance; the IP is from an unusual country for her.

Context and Checks

UEBA shows this is Jane's first login from that country. EDR shows no malware on her corporate laptop, but that laptop has not checked in for 3 days, which is unusual in itself and raises the question of which device actually made the successful VPN login.

Decision and Documentation

Following the playbook, you treat this as a potential account compromise, escalate to Tier 2, trigger a password reset with an MFA re-prompt (a password reset alone does not end a VPN session that is already established, so the playbook should also revoke her active sessions), and document your findings and actions in the ticket.

Step 5 – Playbooks, Runbooks, and Zero Trust in Operations

Playbooks vs Runbooks

Playbooks are high-level procedures for handling incident types, defining goals and escalation. Runbooks are detailed, step-by-step technical checklists for specific tasks or tools.

SOAR Automation

SOAR platforms can implement playbooks, automatically enriching alerts and even executing responses such as quarantining hosts or disabling accounts, often with human approval.

Zero Trust in the SOC

Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed. SOC playbooks increasingly follow this model.

Exam Tip

If a scenario describes high-level incident flows, think playbook. If it lists precise commands or clicks, think runbook. A zero trust answer emphasizes verification and least privilege, not broad internal trust.

Step 6 – Operationalizing Controls: Tuning Firewalls, IDS/IPS, EDR, and DLP

Controls Need Tuning

Controls like firewalls, IDS/IPS, EDR, and DLP are not set and forget. SOC teams continuously tune them to reduce false positives while still catching real threats.

Network Controls

For firewalls and WAFs, analysts review blocked traffic, spot repeated rule hits, and adjust rules with more precise conditions. IDS/IPS signatures are enabled, disabled, or tuned based on relevance and noise.

Endpoint and Data Controls

EDR policies define what is suspicious and when to auto-isolate hosts. DLP rules often start in monitor-only mode; SOC reviews incidents to decide whether to enforce blocking.

Risk and Exam Angle

Tuning decisions reflect risk appetite and business needs. On the exam, the best answer often involves tuning or creating exceptions rather than leaving noisy rules fully enabled.

Step 7 – Thought Exercise: Classifying and Handling Alerts

Work through this thought exercise to practice SOC-style thinking. There is no single right answer, but compare your reasoning to typical SOC logic.

Scenario A:

  • IDS alert: "Port scan detected" from IP `198.51.100.77` against a public web server.
  • Firewall logs show all scan attempts were blocked.
  • This pattern happens a few times per day.

Questions:

  1. Would you treat this as:
     • a) Informational background noise
     • b) A high-priority incident
     • c) A medium-priority event needing monitoring
  2. What tuning or actions might you take?

Scenario B:

  • DLP alert: An employee attempts to upload a spreadsheet with 500 customer records to a personal cloud storage account.
  • This is the first time this user has triggered a DLP alert.

Questions:

  1. Is this more likely:
     • a) A misconfigured DLP rule
     • b) A potential policy violation or data exfiltration attempt
  2. What immediate steps would you take according to a playbook?

Try to:

  • Classify each scenario (informational, low, medium, high).
  • Decide whether to close, monitor, or escalate.
  • Suggest one tuning change (for example, suppressing known benign scans, or tightening DLP rules for specific departments).
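The tuning choices from Step 6, applied to the recurring port-scan alert of Scenario A, as an added example that is not code from the course page or from any IDS or SIEM product. It suppresses an authorised internal scanner, downgrades fully blocked scans of a public-facing host to informational, rate-limits those informational alerts to one open alert per source per hour, and still surfaces the two cases a human must look at (an internal host scanning internal hosts, and a scan the firewall let through). The addresses, the signature name, the authorised-scanner list and the alert records are all constructed for the example.

```python
# Added example for this chapter; it is not code from the course page or any
# IDS/SIEM product. It shows the tuning choices from Step 6 applied to the
# recurring "Port scan detected" alert of Scenario A: suppress an authorised
# scanner, downgrade fully blocked scans of public-facing hosts, and rate-limit
# the downgraded alerts so the queue shows one open alert per source per hour.
# All addresses, the signature name and the alert records are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Tuning decisions the SOC would record in a change ticket (constructed values).
AUTHORISED_SCANNERS = {"10.1.50.9"}      # the internal vulnerability scanner
PUBLIC_FACING = {"192.0.2.10"}           # DMZ web server that is expected to be probed

# Explicit corporate ranges. ipaddress's is_private is deliberately not used:
# it also reports the documentation ranges used here (192.0.2.0/24,
# 198.51.100.0/24) as private, which would misclassify the external scanner.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def classify(alert):
    """Severity from context: who scanned, what they hit, and whether it was blocked."""
    if alert["src"] in AUTHORISED_SCANNERS:
        return "suppress"          # known benign: never shown, but still counted
    if is_internal(alert["src"]) and is_internal(alert["dst"]):
        return "high"              # internal host mapping internal hosts: possible lateral-movement recon
    if alert["fw_action"] == "blocked" and alert["dst"] in PUBLIC_FACING:
        return "informational"     # internet background noise the firewall already stopped
    return "medium"                # scan got through, or hit something unexpected: a human looks


def tune(alerts, window=timedelta(hours=1)):
    """Return (alerts to show, counts per class). Informational alerts are limited
    to one per (signature, source) per window; repeats are folded into the count."""
    shown, stats = [], defaultdict(int)
    open_info = {}                 # (sig, src) -> most recent informational alert shown
    for a in sorted(alerts, key=lambda x: x["ts"]):
        sev = classify(a)
        stats[sev] += 1
        if sev == "suppress":
            continue
        key = (a["sig"], a["src"])
        if sev == "informational":
            prev = open_info.get(key)
            if prev is not None and a["ts"] - prev["ts"] <= window:
                prev["count"] += 1   # same noise, same hour: bump the counter, page nobody
                continue
        out = {**a, "severity": sev, "count": 1}
        shown.append(out)
        if sev == "informational":
            open_info[key] = out
    return shown, dict(stats)


def T(hour, minute):
    return datetime(2024, 5, 6, hour, minute)


def scan(ts, src, dst, fw_action):
    return {"ts": ts, "sig": "Port scan detected", "src": src, "dst": dst, "fw_action": fw_action}


# Constructed day of IDS alerts: the Scenario A scanner five times, the
# authorised scanner twice, one internal-to-internal scan, and one scan of
# the DMZ host that the firewall did not block.
SAMPLE_ALERTS = [
    scan(T(1, 0),  "198.51.100.77", "192.0.2.10", "blocked"),
    scan(T(1, 5),  "198.51.100.77", "192.0.2.10", "blocked"),
    scan(T(3, 0),  "10.1.50.9",     "10.1.30.7",  "allowed"),
    scan(T(3, 30), "10.1.50.9",     "192.0.2.10", "allowed"),
    scan(T(9, 0),  "198.51.100.77", "192.0.2.10", "blocked"),
    scan(T(9, 2),  "198.51.100.77", "192.0.2.10", "blocked"),
    scan(T(14, 0), "10.1.20.5",     "10.1.30.7",  "allowed"),
    scan(T(15, 0), "198.51.100.77", "192.0.2.10", "allowed"),
    scan(T(17, 0), "198.51.100.77", "192.0.2.10", "blocked"),
]

if __name__ == "__main__":
    shown, stats = tune(SAMPLE_ALERTS)
    for a in shown:
        print(a["ts"].time(), a["severity"], a["src"], "->", a["dst"], "x", a["count"])
    print(stats)   # 9 raw alerts become 5 queue entries, 2 of which need a human
```

Note that the external scanner is never suppressed outright: its blocked scans are downgraded and counted, so the count is still there when the same source later shows up in a scan that was not blocked, which is exactly the medium-severity entry at 15:00.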

Step 8 – Reading SIEM Dashboards and Log Summaries

What SIEM Dashboards Show

SIEM dashboards highlight top sources and destinations, top event types, trends over time, and correlation rules. You use these to spot spikes and unusual patterns quickly.

A Log Snippet

Example: several failed logins for the service account svc-backup from the internal host 10.1.20.5, then a successful login from the external address 203.0.113.90. A service account should authenticate from a fixed set of internal systems, so a success from a new, external source right after a run of failures is the key clue that the credential may have been guessed or stolen.

Key Questions

Ask: Should this account log in from that IP? Does the sequence match a known attack pattern? Does it trigger any correlation rules like impossible travel or account takeover?
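The correlation rule behind the Step 4 alert and the log snippet above, as an added example that is not code from the course page or from any SIEM vendor. It parses constructed VPN authentication lines, sorts them (events reach a SIEM out of order), and raises an alert when a success follows at least a threshold number of failures for the same user inside a time window; each alert carries the context a Tier 1 analyst checks (did the source IP change between the failures and the success, and is the success source one the account has used before), and a small triage function maps that context to the playbook decision from Steps 4 and 12. The log format (user=, src=, result=), the per-user baseline of known sources, the threshold and the window are assumptions made for the example.

```python
# Added example for this chapter; it is not code from the course page or any
# SIEM vendor. It implements the "N failed logins followed by a successful
# login" correlation rule from Steps 4 and 8 over constructed VPN log lines.
# The log format (user=, src=, result=), the per-user baseline of known source
# addresses, the threshold and the window are assumptions made for the example.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (deliberately out of order: SIEMs receive events late).
SAMPLE_LOG = (
    [   # alice: three stale failures, then a success well outside the window
        "2024-05-06T07:00:00Z vpn auth user=alice src=198.51.100.30 result=FAIL",
        "2024-05-06T07:01:00Z vpn auth user=alice src=198.51.100.30 result=FAIL",
        "2024-05-06T07:02:00Z vpn auth user=alice src=198.51.100.30 result=FAIL",
        "2024-05-06T08:30:00Z vpn auth user=alice src=198.51.100.30 result=SUCCESS",
        # bob: one typo, then success (below threshold: no alert)
        "2024-05-06T08:00:09Z vpn auth user=bob src=198.51.100.10 result=SUCCESS",
        "2024-05-06T08:00:01Z vpn auth user=bob src=198.51.100.10 result=FAIL",
        "not a vpn line: the parser must skip it",
    ]
    # jane.doe (Step 4): 12 failures five seconds apart, then success from the same IP
    + [f"2024-05-06T08:10:{s:02d}Z vpn auth user=jane.doe src=203.0.113.50 result=FAIL"
       for s in range(0, 60, 5)]
    + ["2024-05-06T08:11:00Z vpn auth user=jane.doe src=203.0.113.50 result=SUCCESS"]
    # svc-backup (Step 8): failures from an internal host, success from an external one
    + [f"2024-05-06T09:00:{s:02d}Z vpn auth user=svc-backup src=10.1.20.5 result=FAIL"
       for s in range(0, 60, 15)]
    + ["2024-05-06T09:01:00Z vpn auth user=svc-backup src=203.0.113.90 result=SUCCESS"]
)

# Constructed UEBA-style baseline: the sources each account has used before.
KNOWN_SRC = {"alice": {"198.51.100.30"}, "bob": {"198.51.100.10"},
             "jane.doe": {"198.51.100.20"}, "svc-backup": {"10.1.20.5"}}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) vpn auth "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>FAIL|SUCCESS)$")


def parse(line):
    """Return a normalized event dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"], "src": m["src"], "result": m["result"]}


def correlate(lines, threshold=3, window=timedelta(minutes=10)):
    """Alert when a SUCCESS follows >= threshold FAILs for the same user inside the window."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    recent_fails = defaultdict(list)      # user -> [(ts, src), ...] still inside the window
    alerts = []
    for ev in events:
        fails = recent_fails[ev["user"]]
        fails[:] = [(ts, src) for ts, src in fails if ev["ts"] - ts <= window]
        if ev["result"] == "FAIL":
            fails.append((ev["ts"], ev["src"]))
            continue
        if len(fails) >= threshold:
            fail_srcs = {src for _, src in fails}
            alerts.append({
                "user": ev["user"], "failures": len(fails),
                "fail_srcs": sorted(fail_srcs), "success_src": ev["src"],
                "ip_changed": ev["src"] not in fail_srcs,
                "new_src_for_user": ev["src"] not in KNOWN_SRC.get(ev["user"], set()),
            })
        fails.clear()                     # a success closes the sequence either way
    return alerts


def triage(alert):
    """Playbook disposition (Steps 4 and 12): any context flag means escalate, never close."""
    reasons = [f for f in ("ip_changed", "new_src_for_user") if alert[f]]
    return ("escalate: potential account compromise", reasons) if reasons else ("review", [])


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(a["user"], a["failures"], a["fail_srcs"], "->", a["success_src"], triage(a))
```

Two things the rule gets right that a naive count does not: alice's three old failures are dropped before her much later success is evaluated, so a stale sequence does not fire, and bob's single typo stays below the threshold. Raising the threshold to 13 silences every alert in the sample, which is the trade-off Step 6 calls tuning.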

Exam Strategy

On Security+, look for anomalies and sequences, not every detail. The correct answer usually reflects the story the logs tell, such as brute-force, lateral movement, or privilege escalation.

Step 9 – From Alert to Incident: SOC and Incident Response Lifecycle

SOC and IR Connection

SOC operations and incident response are tightly linked. Alerts are detected and analyzed by the SOC, then formally declared as incidents when criteria are met.

Lifecycle Stages

Flow: detection and analysis, incident declaration with severity, containment and eradication, recovery, and post-incident lessons learned and improvements.

Containment and Recovery

SOC drives containment actions like isolating hosts or blocking IPs. Other teams restore from backups, patch systems, and rotate keys, tying back to resilience and continuity planning.

Exam Hint

If a scenario describes a clear compromise, the next step is usually to escalate to incident response. Strong answers also mention updating rules, signatures, or training afterwards.

Step 10 – SOC Links to Vulnerability Management and Compliance

SOC and Vulnerabilities

Vulnerability scans find weaknesses; SOC watches for exploitation attempts. For a new critical flaw, SOC may add SIEM rules to detect attacks while patches are deployed.

SOC and GRC

Governance, risk, and compliance (GRC) is the discipline of steering security work by organizational policy (governance), prioritizing it by assessed risk, and meeting the laws, regulations, and standards that apply (compliance). For the SOC this means monitoring scope, logging, retention, and reporting are set by policy and regulatory obligations rather than chosen ad hoc.

Procedures and Frameworks

SOC follows documented procedures and meets compliance requirements for logging, monitoring, and retention. This supports legal defensibility and audit readiness.

Metrics and Exams

SOC metrics such as MTTD (mean time to detect) and MTTR (mean time to respond or recover) inform risk decisions. On the exam, remember this two-way link: SOC informs risk and compliance, and GRC requirements shape SOC monitoring.

Step 11 – Quick Check: SOC Roles and Tools

Test your understanding of SOC roles and tools.

A scenario describes an analyst who monitors a SIEM dashboard, performs initial checks on alerts, and escalates suspicious ones for deeper investigation. Which role best matches this description?

  A. Tier 1 SOC analyst
  B. Tier 2 SOC analyst
  C. Threat hunter (Tier 3)
  D. SOC manager

Answer: A) Tier 1 SOC analyst

Monitoring dashboards, doing first-level checks, and escalating is the core of Tier 1 SOC work. Tier 2 performs deeper investigations; threat hunters proactively search for threats; SOC managers oversee operations and reporting.

Step 12 – Quick Check: Interpreting SIEM Output

Apply your SIEM interpretation skills.

Your SIEM shows a correlation alert: "10 failed logins followed by a successful login to an admin account from an unusual country." What is the MOST appropriate next action for a Tier 1 analyst following a playbook based on zero trust?

  A. Ignore the alert because the login was eventually successful
  B. Immediately disable the account and wipe the user’s device without escalation
  C. Treat it as a potential account compromise, escalate to incident response, and trigger additional verification (for example, MFA re-prompt)
  D. Create a permanent whitelist rule for the source IP to prevent future alerts

Answer: C) Treat it as a potential account compromise, escalate to incident response, and trigger additional verification (for example, MFA re-prompt)

The pattern suggests a possible account compromise. A zero trust approach requires verification, not trust based on a successful login. The Tier 1 analyst should escalate and trigger additional verification, not ignore, overreact, or whitelist.

Step 13 – Flashcards: Key SOC and Operations Terms

Use these flashcards to reinforce key terms before moving on. Try to recall the definition before flipping each card.

Security Operations Center (SOC)
A centralized function (team, processes, and often a physical or virtual location) responsible for continuously monitoring, detecting, analyzing, and responding to security events across an organization.
SIEM (Security Information and Event Management)
A platform that collects, normalizes, correlates, and analyzes logs and security events from multiple sources, providing alerts, dashboards, and reports.
EDR (Endpoint Detection and Response)
Security tools with agents on endpoints that monitor behavior, detect suspicious activity, and enable remote response actions such as isolating hosts or killing processes.
Playbook
A high-level, structured procedure for handling a specific type of incident, defining goals, decision points, and escalation paths.
Runbook
A detailed, step-by-step technical guide for performing specific operational tasks, often including exact commands or tool actions.
Zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
Hybrid environment
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
Governance, risk, and compliance (GRC)
The discipline of steering security work by organizational policy (governance), prioritizing it by assessed risk, and meeting the laws, regulations, and standards that apply (compliance); in the SOC it sets monitoring scope, logging, retention, and reporting obligations.
SOAR (Security Orchestration, Automation, and Response)
Tools that integrate with SOC systems to automate playbooks, enrich alerts, and coordinate or execute response actions across multiple platforms.
Alert triage
The process of reviewing, prioritizing, and classifying security alerts to decide whether to close them, investigate further, or escalate as incidents.

Key Terms

Runbook
A detailed, step-by-step technical guide for performing specific operational tasks, often including exact commands or tool actions.
Playbook
A high-level, structured procedure for handling a specific type of incident, defining goals, decision points, and escalation paths.
Zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
Alert triage
The process of reviewing, prioritizing, and classifying security alerts to decide whether to close them, investigate further, or escalate as incidents.
Incident response
A structured approach for preparing for, detecting, containing, eradicating, and recovering from security incidents, followed by lessons learned and improvements.
Hybrid environment
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
Governance, risk, and compliance
The discipline of steering security work by organizational policy (governance), prioritizing it by assessed risk, and meeting the laws, regulations, and standards that apply (compliance); in the SOC it sets monitoring scope, logging, retention, and reporting obligations.
Security Operations Center (SOC)
A centralized function (team, processes, and often a physical or virtual location) responsible for continuously monitoring, detecting, analyzing, and responding to security events across an organization.
EDR (Endpoint Detection and Response)
Security tools with agents on endpoints that monitor behavior, detect suspicious activity, and enable remote response actions such as isolating hosts or killing processes.
UEBA (User and Entity Behavior Analytics)
Technology that uses analytics and machine learning to detect anomalies in user and system behavior that may indicate threats.
IDS/IPS (Intrusion Detection/Prevention System)
Network security tools that monitor traffic for malicious activity. IDS detects and alerts; IPS can automatically block or drop malicious traffic.
SIEM (Security Information and Event Management)
A platform that collects, normalizes, correlates, and analyzes logs and security events from multiple sources, providing alerts, dashboards, and reports.
SOAR (Security Orchestration, Automation, and Response)
Tools that integrate with SOC systems to automate playbooks, enrich alerts, and coordinate or execute response actions across multiple platforms.
