Daily Routine — Tier 1 Analyst ("Petya 9am" scenario)
For: new Tier 1 SOC analysts joining the team. Senior analysts can skip.
Style: concrete scenario from a working day — what the analyst sees in the browser, what they click, what decisions they make. Complements 005. SOC Workflow (general theory of roles and routing).
9:00 — Petya arrives at the workstation
He opens the browser. 3 tabs are always open (SOC standard):
- Microsoft Teams — `SIEM-Alerts` channel (overnight alerts) + `API-Limits` (Cortex service notifications)
- TheHive — https://thehive.nasbu.edu.ua — primary working UI, alert triage queue
- Wazuh Dashboard — https://wazuh.nasbu.edu.ua — secondary UI, for health-check and deep drill-down when broader history is needed
Optional (when on threat intel duty): MISP (https://misp.nasbu.edu.ua).
Why TheHive is primary and Wazuh is secondary
A common mistake is to think "Wazuh = center of SOC, that's where I work". Actually:
| | Wazuh Dashboard | TheHive Alerts queue |
|---|---|---|
| What's there | EVERYTHING (2.3M events/day from all agents, FIM, vuln scans, compliance, health metrics, top rules) | Only level ≥ 10 alerts (~100-1000/day) requiring triage |
| Role | "X-ray archive" — historical search, metrics, health | "Triage nurse desk" — those who just arrived with concerning symptoms |
| Workflow | Read-only viewing + search | Interactive: 📄 Preview and Import on the alert row → modal with observables → Import button (→ becomes Case) or Cancel |
| UI time per shift | ~5-10 min (health check) | ~80-95% of Tier 1 time |
Analogy: a hospital emergency department.
- TheHive = triage nurse's desk in the emergency room. Patients with concerning symptoms arrive here. The nurse decides: "admit to ward" (Preview and Import → Case) or "go home — just a cold" (Ignored).
- Wazuh Dashboard = hospital X-ray archive. All scans are stored there: healthy, sick, preventive. A doctor visits when they need to check a specific scan in the context of history.
An analyst doesn't "live in the X-ray archive" — they live at the emergency desk.
Velociraptor, Cortex, Shuffle — not daily for Tier 1:
- Cortex is called automatically from TheHive (click on observable → auto enrichment).
- Velociraptor — Tier 3 / IR tool (forensics on a specific host).
- Shuffle — SOC Engineer's tool (writing playbooks, not daily use).
9:01 — Teams SIEM-Alerts channel
Petya scrolls through overnight notifications (18:00–09:00, ~15 hours). Each message is an Adaptive Card:
- Title: `Wazuh SOC Alert — 🟠 HIGH (Level 10)` (or 🔴 CRITICAL level 12+, 🟡 MEDIUM level 8-9)
- Rule: `5712 • sshd: brute force trying to get access to the system. Non existent user.`
- Agent: `wazuh-manager` (or the CT/host where the rule fired)
- Source IP: `198.18.0.99`
- Time: `2026-04-15T14:53:00+0000`
- Full log: first 500 chars of raw log (context without opening other UIs)
A typical quiet night: 5–15 messages. A noisy one (public-facing scan / brute force): 100+.
!!! info "Planned improvement (TASK-092d subtask 29)"
    The card currently has no action buttons to jump into TheHive/Wazuh — the analyst switches tabs manually. Planned additions:

    - **"Open in TheHive"** — deep link to the specific Alert in TheHive (one-click)
    - **"View in Wazuh Discover"** — deep link into Wazuh Dashboard with a pre-filter by rule+agent+time

    Requires refactoring the Wazuh integrations chain so `custom-thehive.py` can pass the created Alert ID into `custom-teams.sh` (currently independent scripts).
Petya asks himself: "Did the night shift (TheHive queue) already handle what needs handling?" Next tab (manual switch — until buttons are implemented).
9:05 — TheHive alert queue
Main page of org Academy-SOC:
```text
┌─────────────────────────────────────────────────────┐
│ ALERTS (17 unassigned)                              │
├─────────────────────────────────────────────────────┤
│ [Wazuh L10] sshd brute force from 82.149.x.x        │
│ Severity: 2 | Date: 03:42 | Status: New             │
│ Observables: ip=82.149.x.x, user=root               │
└─────────────────────────────────────────────────────┘
```
Alert — warning, not yet confirmed as a real attack. Could be noise (FP — false positive).
Case — confirmed incident being investigated.
Tier 1 alert workflow (concrete TheHive 4.1 UI clicks):
On the right side of each alert row there are 4 icons with tooltips:
| Icon | Tooltip | What it does |
|---|---|---|
| 📄 document | Preview and Import | Opens modal with full details + observables + Import button at bottom |
| 👁 eye | Ignore new updates | Stop receiving update events for this alert (if Wazuh re-sends the same sourceRef) |
| ✉️ envelope | Mark as read / Mark as unread | Toggle read state |
| ⚙️ gear | Run responders | Trigger Cortex responders (we have none → "No responders available") |
Triage steps:
- Click 📄 (document) → `Preview and Import` modal opens with title / observables / description / tags.
- Inside the modal you can run Cortex analyzers on observables (button next to each) — VirusTotal, AbuseIPDB, MISP. Verdict in 5-10 sec.
- Decide based on verdict:
    - Toxic (VirusTotal detects, AbuseIPDB > 50%, MISP has matches) → click Import at bottom of modal → alert becomes a Case → appears in Cases tab → auto-assigned to org-admin (at Academy: Samuel for now).
    - Clean / low risk → Cancel the modal, then ⚙️ > tag `Ignored-FP`, or simply ✉️ "Mark as read" and skip.
- For obvious bot noise (same rule firing 1000×/min) — checkbox-select in the list, then bulk action "Delete" or "Mark as read".
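The card fields from 9:01 and the triage decision above, written out as a small Python model so a new analyst can see the thresholds in one place. This is an added example, not the handbook's or the SOC's own integration code: the Wazuh alert fields (`rule.level`, `rule.id`, `rule.description`, `agent.name`, `data.srcip`, `full_log`, `timestamp`) are standard Wazuh alert JSON, while the `Verdict` shape, the function names and the sample alert are constructed for illustration.

```python
"""Tier 1 triage model (added example; not the SOC's own tooling).

Covers three things from the handbook:
  * severity label used in the Teams card (level 12+ critical, 10-11 high, 8-9 medium)
  * the Import vs. Ignored-FP decision from Cortex analyzer verdicts
  * spotting bot noise (same rule firing ~1000x/min) for bulk 'Mark as read'
"""
import json
from collections import Counter
from dataclasses import dataclass

# Constructed Wazuh alert JSON, mirroring the card shown at 9:01 (sample values only).
SAMPLE_ALERT = json.loads("""
{"timestamp": "2026-04-15T03:42:17.000+0000",
 "rule": {"level": 10, "id": "5712",
          "description": "sshd: brute force trying to get access to the system. Non existent user."},
 "agent": {"name": "wazuh-manager"},
 "data": {"srcip": "198.18.0.99"},
 "full_log": "Apr 15 03:42:17 host sshd[1234]: Invalid user admin from 198.18.0.99 port 51234"}
""")


def severity_label(level: int) -> str:
    """Severity word used in the Teams card title (emoji omitted here)."""
    if level >= 12:
        return "CRITICAL"
    if level >= 10:
        return "HIGH"
    if level >= 8:
        return "MEDIUM"
    return "LOW"  # below the card threshold; never shown in Teams


def teams_card_fields(alert: dict) -> dict:
    """Build the Adaptive Card fields from a raw Wazuh alert (full_log cut to 500 chars)."""
    lvl = alert["rule"]["level"]
    return {
        "title": f"Wazuh SOC Alert — {severity_label(lvl)} (Level {lvl})",
        "rule": f"{alert['rule']['id']} • {alert['rule']['description']}",
        "agent": alert["agent"]["name"],
        "source_ip": alert.get("data", {}).get("srcip", "n/a"),
        "time": alert["timestamp"],
        "full_log": alert["full_log"][:500],
    }


@dataclass
class Verdict:
    """Assumed shape for the analyzer results shown in the Preview and Import modal."""
    vt_detections: int     # VirusTotal positives
    abuseipdb_score: int   # AbuseIPDB abuse confidence, 0-100
    misp_hits: int         # matching MISP attributes


def triage(alert: dict, verdict: Verdict) -> str:
    """'import' (becomes a Case), 'ignore-fp', or 'below-threshold' (never reached TheHive)."""
    if alert["rule"]["level"] < 10:
        return "below-threshold"
    toxic = (verdict.vt_detections > 0
             or verdict.abuseipdb_score > 50
             or verdict.misp_hits > 0)
    return "import" if toxic else "ignore-fp"


def bot_noise(alerts: list, per_minute_threshold: int = 1000) -> set:
    """Rule IDs that fired at least `per_minute_threshold` times inside one clock minute."""
    counts = Counter()
    for a in alerts:
        minute = a["timestamp"][:16]  # 'YYYY-MM-DDTHH:MM' prefix of the ISO timestamp
        counts[(a["rule"]["id"], minute)] += 1
    return {rule_id for (rule_id, _), n in counts.items() if n >= per_minute_threshold}


if __name__ == "__main__":
    print(teams_card_fields(SAMPLE_ALERT)["title"])
    print(triage(SAMPLE_ALERT, Verdict(vt_detections=0, abuseipdb_score=12, misp_hits=0)))
    print(triage(SAMPLE_ALERT, Verdict(vt_detections=3, abuseipdb_score=80, misp_hits=1)))
```

The thresholds are the ones the handbook states; if the SOC tunes them (for instance the AbuseIPDB cut-off), this is the single place to change.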
!!! tip "Tier 1 rule"
    "Don't be a hero. Triage, don't investigate. Real → Tier 2."
9:15 — Wazuh Dashboard real-time view
- Security events — 24h count (e.g. 2.3M = normal)
- Agents status — online count (we have 35, all active ✅)
- Active response — banned count overnight (6 IPs blocked by CrowdSec)
- Top 5 rules — most fired rule IDs (if rule X spikes 10k times → attack or rule needs tuning)
Petya leaves this tab in background. Level ≥ 12 alerts (critical) trigger Teams immediately, not once per night.
9:30 — 12:00 — routine
Every 30 min: check Teams + TheHive queue. If alert arrives — triage (see 9:05). Otherwise: review yesterday's tickets, Wazuh metrics, study.
Tier 1 key metric: "time to triage" — from alert arrival to review. Target: < 15 min.
When Tier 1 visits other UIs
| Service | When Tier 1 opens it | Typical action |
|---|---|---|
| Cortex | Almost never directly — 99% of cases TheHive calls Cortex automatically. Sometimes to check "why this verdict" | Jobs → specific run → raw output |
| Velociraptor | Rarely — Tier 3 / IR tool. Tier 1 might verify host online before escalating | Clients → search by hostname |
| MISP | To expand context on a specific IoC (who else shared it, in which event) | Search attributes |
| Shuffle | Never — SOC Engineer / Manager tool for playbook configuration | — |
What Tier 1 does NOT do
- ❌ No deep investigation. Saw alert → triage → hand off. Not an hour per case.
- ❌ No Wazuh rule editing. 100 false positives → escalate to SOC Engineer / Tier 2/3, don't code yourself.
- ❌ No manual IP blocks. CrowdSec auto-bans. Ad-hoc ban → Shuffle playbook, not FortiGate CLI.
- ❌ No business communication. "Is there business risk?" → SOC Manager.
Tier 1 key metrics
| Metric | Expansion | Target |
|---|---|---|
| MTTD | Mean Time To Detect | < 5 min (event → alert in Teams) |
| MTTT | Mean Time To Triage | < 15 min (alert in Teams → closed/escalated) |
| FP rate | False Positive rate | < 30% (if > 50% — Wazuh rules need tuning) |
| Coverage | Agents online % | > 95% |
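The four metrics in the table, computed from a shift's alert records and checked against the targets. This is an added example, not a script the SOC runs: the record layout (event time, time the alert reached Teams, time Tier 1 closed or escalated it, outcome) and the sample timestamps are constructed.

```python
"""Tier 1 scorecard from constructed shift records (added example, not SOC tooling)."""
from datetime import datetime
from statistics import mean

# Constructed records: ISO-8601 timestamps and the triage outcome per alert.
SHIFT = [
    {"event": "2026-04-15T03:41:50+00:00", "alerted": "2026-04-15T03:42:10+00:00",
     "triaged": "2026-04-15T03:50:10+00:00", "outcome": "ignore-fp"},
    {"event": "2026-04-15T05:10:00+00:00", "alerted": "2026-04-15T05:11:00+00:00",
     "triaged": "2026-04-15T05:20:00+00:00", "outcome": "import"},
    {"event": "2026-04-15T07:00:00+00:00", "alerted": "2026-04-15T07:02:00+00:00",
     "triaged": "2026-04-15T07:14:00+00:00", "outcome": "ignore-fp"},
    {"event": "2026-04-15T08:30:00+00:00", "alerted": "2026-04-15T08:31:00+00:00",
     "triaged": "2026-04-15T08:46:00+00:00", "outcome": "ignore-fp"},
]


def _minutes(later: str, earlier: str) -> float:
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds() / 60


def mttd_minutes(records) -> float:
    """Mean Time To Detect: event -> alert in Teams."""
    return mean(_minutes(r["alerted"], r["event"]) for r in records)


def mttt_minutes(records) -> float:
    """Mean Time To Triage: alert in Teams -> closed/escalated."""
    return mean(_minutes(r["triaged"], r["alerted"]) for r in records)


def fp_rate(records) -> float:
    """Share of triaged alerts closed as Ignored-FP."""
    closed = [r for r in records if r["outcome"] in ("import", "ignore-fp")]
    return sum(r["outcome"] == "ignore-fp" for r in closed) / len(closed)


def coverage_pct(agents_total: int, agents_online: int) -> float:
    return agents_online / agents_total * 100


def scorecard(records, agents_total: int, agents_online: int) -> dict:
    """Metric values plus pass/fail against the handbook targets."""
    mttd, mttt, fp, cov = (mttd_minutes(records), mttt_minutes(records),
                           fp_rate(records), coverage_pct(agents_total, agents_online))
    return {
        "MTTD_min": round(mttd, 2), "MTTD_ok": mttd < 5,
        "MTTT_min": round(mttt, 2), "MTTT_ok": mttt < 15,
        "FP_rate": round(fp, 2), "FP_ok": fp < 0.30,
        "rules_need_tuning": fp > 0.50,   # the > 50% rule from the table
        "coverage_pct": round(cov, 1), "coverage_ok": cov > 95,
    }


if __name__ == "__main__":
    for k, v in scorecard(SHIFT, agents_total=35, agents_online=35).items():
        print(f"{k:18} {v}")
```

With the constructed records the FP rate lands at 75%, which is exactly the case the table flags: MTTT is fine, but the rules feeding the queue need tuning before the analyst's time gets better.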
Next topics
Natural follow-ups (future handbook sections):
- What Tier 2 does when receiving a case from Tier 1 (alert → case → investigation workflow)
- How Cortex automatically determines IP toxicity (VirusTotal + AbuseIPDB + MISP integration internals)
- Proactive threat hunting and Tier 3 / Threat Hunter role
- Automatic CrowdSec ban trade-offs: when good, when catastrophic
- 3am level 14 alert — who wakes up? (on-call rotation, escalation)
- False positive tuning — why it's 70% of Tier 1 work
Last updated: 2026-04-15.