SOC Workflow & Roles
Where SOC Staff Spends Time
Analysts spend about 90% of their time in the Wazuh Dashboard.
From the Wazuh Dashboard, analysts see:
- All real-time alerts
- Logs from all servers and FortiGate
- Vulnerability assessments
- Compliance status
- Connected agent inventory
- File Integrity Monitoring (FIM) events
- USB connection events
When to Use What
| When | Where |
|---|---|
| Alert needs investigation | TheHive — open a case |
| Suspicious IP / hash / file | Cortex — auto-check (or from TheHive with one click) |
| Need evidence from a specific PC | Velociraptor — launch a hunt |
| Check CERT-UA publications | MISP — new IoCs, feeds |
| Create or modify an automation rule | Shuffle — edit playbook |
| Show a report to the director | Grafana — executive dashboard |
Typical SOC Analyst Day
- Morning — Open Wazuh Dashboard, review overnight alerts sorted by severity
- Triage — Critical and High alerts get immediate attention; open cases in TheHive
- Investigation — Use Cortex to enrich indicators (IP reputation, hash lookups, domain analysis)
- Forensics — If a machine is suspected compromised, launch a Velociraptor hunt to collect artifacts
- Response — Block malicious IPs via Shuffle playbook or Wazuh Active Response
- Documentation — Update TheHive case with findings, actions taken, and resolution
- Reporting — End of day/week: review Grafana dashboards for trends, prepare summary for management
SOC Roles
| Role | What They Do |
|---|---|
| SOC Analyst L1 (Tier 1) | Monitor dashboards, triage alerts, escalate to L2 |
| SOC Analyst L2 (Tier 2) | Investigate incidents, analyze artifacts, coordinate response |
| SOC Analyst L3 (Tier 3) | Threat hunting, malware analysis, deep forensics |
| SOC Manager | Manage team, define processes, report to management |
| Incident Responder | Respond to active incidents, contain and remediate |
| Threat Intelligence Analyst | Work with MISP, manage feeds, curate IoCs |
!!! note "Academy Context"
    Realistically, the Academy SOC operates with two effective roles: SOC Analyst (without tier separation) and SOC Manager. The tier structure above is the industry standard for reference.
Alert Routing
Primary communication channel: Microsoft Teams
Communication Channels
| Channel | Purpose | Tool |
|---|---|---|
| SIEM Dashboard | Main analyst workplace | Wazuh Dashboard (open all day) |
| Ticket System | Incident tracking from creation to closure | TheHive (auto-created via Shuffle) |
| Messenger | Instant critical/high alert notifications | Microsoft Teams |
| Email | Daily/weekly summaries, non-urgent alerts | Email via Wazuh or Shuffle |
| Phone / SMS | P1 incidents (breach, ransomware, data leak) | Direct call |
Alert Routing Scheme
```
Wazuh detects threat
        │
        ▼
   Shuffle SOAR
        ├── Critical   → Teams IMMEDIATELY + TheHive case
        ├── High       → TheHive case + email notification
        └── Medium/Low → TheHive case only (analyst reviews in morning)
```
Severity Definitions
| Severity | Response Time | Examples |
|---|---|---|
| Critical | Immediate (minutes) | Active breach, ransomware execution, data exfiltration |
| High | Within 1 hour | Successful brute force, malware detected, privilege escalation |
| Medium | Within 4 hours | Failed login patterns, policy violations, suspicious process |
| Low | Next business day | Informational events, minor policy deviations |
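The routing scheme and the severity table above, implemented as one routing step of the kind a Shuffle playbook would run on each Wazuh alert. This is an added example, not the Academy's or Shuffle's own code; the mapping from Wazuh's numeric `rule.level` to the four severity classes is an assumption (the page gives no thresholds), and the sample alert is constructed.

```python
"""Severity-based routing for one Wazuh alert, per the Wazuh -> Shuffle -> TheHive scheme above."""
import json
from datetime import datetime, timedelta

# ASSUMPTION: severity is derived from Wazuh's numeric rule.level (0-15). The page gives no
# thresholds, so these are placeholders to be tuned against the local rule set.
LEVEL_THRESHOLDS = [(15, "Critical"), (12, "High"), (7, "Medium"), (0, "Low")]

# Response-time targets from the Severity Definitions table. Critical is "immediate",
# modelled as a zero-length window; Low ("next business day") uses next_business_day().
SLA = {"Critical": timedelta(0), "High": timedelta(hours=1), "Medium": timedelta(hours=4)}

def make_alert(level: int, timestamp: str, description: str = "") -> str:
    """Build a constructed sample alert in Wazuh's JSON shape (not a real event)."""
    return json.dumps({"timestamp": timestamp, "agent": {"name": "lab-srv-01"},
                       "rule": {"level": level, "description": description}})

SAMPLE_ALERT = make_alert(12, "2024-01-15T08:32:10+00:00", "sshd: brute force attempt")

def severity_for_level(level: int) -> str:
    """Map a rule.level to Critical/High/Medium/Low using the placeholder thresholds."""
    for threshold, name in LEVEL_THRESHOLDS:
        if level >= threshold:
            return name
    return "Low"

def next_business_day(ts: datetime) -> datetime:
    """09:00 on the next weekday, when the morning review of low-priority cases happens."""
    nxt = (ts + timedelta(days=1)).replace(hour=9, minute=0, second=0, microsecond=0)
    while nxt.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        nxt += timedelta(days=1)
    return nxt

def route_alert(raw_alert: str) -> dict:
    """Decide channels and deadline: Critical -> Teams immediately + TheHive case;
    High -> TheHive case + email; Medium/Low -> TheHive case only."""
    alert = json.loads(raw_alert)
    received_at = datetime.fromisoformat(alert["timestamp"])
    severity = severity_for_level(int(alert.get("rule", {}).get("level", 0)))
    actions = ["thehive_case"]  # every alert becomes a ticket, as the channel table states
    if severity == "Critical":
        actions.insert(0, "teams_immediate")
    elif severity == "High":
        actions.append("email")
    deadline = received_at + SLA[severity] if severity in SLA else next_business_day(received_at)
    return {"severity": severity, "actions": actions, "deadline": deadline.isoformat(),
            "agent": alert.get("agent", {}).get("name", "unknown")}
```

Each returned `actions` list is what the playbook would fan out to (Teams post, TheHive case creation, email), and `deadline` is the SLA the case should be tracked against in TheHive.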