Identification – detection and analysis

Being able to collect an incredible amount of log data from your organization's information systems is ultimately not the goal of the SOC. The goal is to take this information and, in a repeatable fashion, analyze it effectively to detect whether an information security threat exists on the enterprise network.

This is where indicators of compromise are used to inform your information security tools (via correlation rules) and personnel to look for threats on the enterprise network. Indicators of compromise can be found within:

  • System events:
    • Network
    • Applications
  • Firewall connections
  • User activity
  • Suspicious system file or registry changes
  • Untimely information system usage
  • DDoS activity, and so on

Handling events properly depends primarily on the security operations center's ability to triage and categorize them, so that SOC activities can be prioritized effectively and critical threats are handled before less critical work is started. As mentioned throughout this book, it is important that the SOC triage and categorization processes are tied tightly to business needs, so that any investigation that is started focuses first on business-critical concerns.

Processes implemented by the security operations center analysts during this phase include:

  • Tier one:
    • Review events that have the highest severity or criticality:
      • This information will be defined in the organization's SIEM tool
    • Establish a help desk ticket once it has been determined that an event requires further investigation:
      • If the event requires further investigation, it will be escalated to the tier two SOC analyst
  • Tier two:
    • Conducts a thorough investigation and triage of the event, fully documenting the identified threat for remediation
    • Information that must be documented includes:
      • Date and time of event/incident
      • Points of contact throughout event investigation:
        • Name, email, phone number, and so on
      • Description of event/incident
      • Individuals notified
      • Identification of VIPs and executives
      • Data sensitivity
      • Potential impact of event/incident
      • Steps taken as part of the investigation
      • Physical location of system(s)
      • Number of systems affected
      • Number of sites affected
      • Number of users affected
      • Has the incident been resolved?
      • Provide any additional information required to properly document the event/incident
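The following added example (not from the book) shows the tier one and tier two flow above in code: constructed SIEM-style events are run through a few correlation rules drawn from the indicator list (suspicious registry change, untimely usage, firewall egress to a watchlist), sorted by severity for tier one review, and the ones that warrant escalation are written into a ticket carrying a subset of the tier two documentation fields. Rule names, severities, the business-hours window and the watchlist range are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

EVENTS = [  # constructed sample records standing in for SIEM-normalized log events
    {"ts": "2024-03-01T03:12:00", "source": "endpoint", "host": "ws-17", "user": "jdoe",
     "detail": "registry write HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"ts": "2024-03-01T09:05:00", "source": "firewall", "host": "fw-1", "user": "-",
     "detail": "allow 10.0.0.5 -> 203.0.113.9:443"},
    {"ts": "2024-03-01T02:40:00", "source": "vpn", "host": "vpn-gw", "user": "svc_backup",
     "detail": "login success"},
]

def off_hours(event, start=time(6), end=time(20)):
    """Untimely usage: activity outside an assumed 06:00-20:00 business window."""
    return not (start <= datetime.fromisoformat(event["ts"]).time() <= end)

# Correlation rules as (name, severity 1-3, predicate); names and severities are assumptions.
RULES = [
    ("suspicious_registry_change", 3,
     lambda e: e["source"] == "endpoint" and "registry write" in e["detail"]),
    ("untimely_usage", 2,
     lambda e: e["source"] in ("vpn", "auth") and off_hours(e)),
    ("egress_to_watchlist", 3,  # 203.0.113.0/24 (documentation range) as a constructed watchlist
     lambda e: e["source"] == "firewall" and "-> 203.0.113." in e["detail"]),
]

def correlate(events):
    """Tier one queue: events matching at least one rule, highest severity first."""
    hits = []
    for e in events:
        matched = [(name, sev) for name, sev, pred in RULES if pred(e)]
        if matched:
            hits.append({**e, "rules": [n for n, _ in matched], "severity": max(s for _, s in matched)})
    return sorted(hits, key=lambda h: h["severity"], reverse=True)

@dataclass
class Ticket:
    """Help desk ticket carrying a subset of the tier-two documentation fields above."""
    date_time: str
    description: str
    rules: list
    severity: int
    escalate_to_tier_two: bool
    contacts: list = field(default_factory=list)  # name, email, phone per point of contact

def open_ticket(hit, escalate_at=3):
    """Open a ticket for a correlated hit; severity >= escalate_at is escalated to tier two."""
    return Ticket(date_time=hit["ts"], rules=hit["rules"], severity=hit["severity"],
                  description=f"{hit['source']} on {hit['host']}: {hit['detail']}",
                  escalate_to_tier_two=hit["severity"] >= escalate_at)
```

Calling `correlate(EVENTS)` yields the registry and firewall events at severity 3 ahead of the off-hours VPN login at severity 2; only the first two are flagged for tier two when passed to `open_ticket`.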