eastbaycyber

What Does a SOC Do? Definition, Workflow, and When You’ll Encounter One

Glossary 8 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Definition

A SOC (Security Operations Center) is the people-and-process function responsible for continuous security monitoring, alert triage, investigation, and incident coordination across an organization’s systems.

A SOC (Security Operations Center) monitors your environment for threats, triages alerts, investigates suspicious activity, and coordinates incident response—using tools like SIEM and EDR plus documented playbooks and escalation paths. If you’ve ever asked, “what does a SOC do?” this guide breaks down the practical workflow and the situations where you’ll most often interact with one.

How a SOC works (day to day)

A SOC is part people, part process, part tooling. Whether it’s in-house, outsourced, or delivered via an MDR provider, most SOCs follow the same operating loop.

1) Collect telemetry (visibility first)

SOCs can’t detect what they can’t see. They ingest and normalize security-relevant data, often including:

  • Endpoints: EDR telemetry (process starts, file writes, command lines, network connections)
  • Identity: authentication logs (SSO, MFA, AD/Azure AD/Entra ID, VPN)
  • Network: firewall, proxy, DNS, IDS/IPS, netflow
  • Cloud/SaaS: cloud audit logs (AWS CloudTrail, Azure Activity), SaaS access logs (Microsoft 365, Google Workspace)
  • Applications: web server logs, WAF logs, API gateways, database audit logs (where feasible)

This data typically lands in a SIEM (or SIEM-like platform) for correlation, alerting, and investigation.

2) Detect and alert (rules, analytics, and context)

Detections are generated via a mix of:

  • Rule-based correlation (e.g., “impossible travel” + “new device” + “high-risk sign-in”)
  • Behavior analytics (baselines and anomalies)
  • Threat intelligence matches (known malicious IPs/domains/hashes)
  • EDR detections (malware, credential dumping, suspicious scripting)

Mature SOCs reduce noise by tuning detections and adding context (asset criticality, known admin tools, maintenance windows, service accounts).

3) Triage (is it real, and how bad is it?)

Triage is where analysts quickly determine:

  • True positive vs. false positive
  • Scope: which hosts/users/accounts are involved
  • Severity: likelihood of compromise + business impact
  • Time sensitivity: active attacker vs. historical artifact

Triage ends in one of a few outcomes: close, monitor, request more info, or escalate to incident response.

4) Investigate (prove or disprove compromise)

Investigation is evidence-driven. SOC analysts pivot through logs and telemetry to answer:

  • What triggered the alert?
  • What happened immediately before/after?
  • Is there lateral movement?
  • Are credentials compromised?
  • Is data exfiltration likely?

A common blocker in real SOC work is credential uncertainty—knowing whether a leaked token/password expands the incident scope. If you want a quick way to reason about scope, see: what is the blast radius of a credential.

5) Respond (containment and coordination)

Some SOCs can execute actions directly; others coordinate with IT/engineering. Response actions may include:

  • Containment: isolate endpoint, block hash/domain/IP, disable user, revoke tokens, reset passwords
  • Eradication: remove persistence, kill malicious processes, remove scheduled tasks/services
  • Recovery: restore systems, validate controls, safely re-enable access
  • Communication: notify stakeholders, open an incident bridge, coordinate with IT/app owners

Response should be driven by playbooks/runbooks and governed by SLAs (e.g., “critical alerts acknowledged in 15 minutes”).

6) Improve (continuous tuning and lessons learned)

A SOC’s value compounds when it closes the loop:

  • Post-incident reviews: what was missed, what was noisy
  • Detection engineering: refine rules and reduce false positives
  • Visibility improvements: onboard missing logs, fix retention gaps
  • Hardening recommendations: MFA, least privilege, segmentation, patching

A SOC that only “closes tickets” without improving detections and coverage usually drowns in alerts over time.

What SOC work looks like in practice (artifacts you’ll see)

Common log patterns a SOC investigates

- Multiple failed logins followed by a success from a new IP
- MFA push fatigue patterns (many prompts in short window)
- New admin role assignment / privileged group membership change
- Suspicious PowerShell with encoded command (EncodedCommand)
- Creation of scheduled tasks or services shortly after a download
- DNS queries to newly registered domains (NRDs) + beaconing intervals
- Large outbound data transfers to uncommon destinations

Windows endpoint triage commands (IR/SOC collaboration)

# Identify active network connections and owning processes
netstat -ano

# Review recent PowerShell operational logs (if enabled)
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -MaxEvents 50 |
  Select TimeCreated, Id, Message

# List scheduled tasks (persistence check)
schtasks /query /fo LIST /v

Linux quick checks during an escalation

# Recently logged-in users and sessions
last -a | head

# Suspicious persistence locations
crontab -l
ls -la /etc/cron.* /var/spool/cron

# Listening services
ss -lntp

What a SOC ticket typically contains

Title: Suspicious sign-in + mailbox forwarding rule created
Severity: High
Time window: 2026-05-15 02:12Z–02:25Z
Entities: user=j.smith, ip=203.0.113.45, device=unknown
Evidence: Entra ID risky sign-in, new inbox rule, OAuth consent granted
Recommended actions:
  1) Disable account + revoke sessions
  2) Reset password + enforce MFA re-registration
  3) Remove forwarding rules, review mailbox audit logs
  4) Hunt for similar rules across tenant

When you’ll encounter a SOC

Most organizations “meet the SOC” in one of four scenarios: onboarding monitoring, escalations, compliance work, or a suspected breach.

1) You’re onboarding monitoring (SIEM/EDR/cloud logs)

Common SOC touchpoints during onboarding:

  • Confirming log sources and retention (e.g., 30/90/180 days)
  • Defining detection use cases (ransomware, BEC, privileged misuse, cloud misconfig)
  • Establishing asset inventory and criticality so alerts have business context
  • Agreeing on escalation paths (who gets paged, when, and how)

Expect requests for API permissions, agent deployment coverage, and firewall/proxy log access.

2) An alert is escalated (you’re asked to act fast)

When the SOC escalates, they’re usually asking you to:

  • Confirm whether activity is expected (change window, admin work)
  • Provide context (user role, system purpose, known tools)
  • Execute containment (disable accounts, isolate hosts, block indicators)

Speed improves dramatically when escalation paths and pre-approvals exist (for example: “SOC can isolate endpoints in EDR without waiting for management approval”).

3) You’re preparing for an audit (SOC evidence requests)

During audits, SOC-related requests often include:

  • Proof of security monitoring coverage
  • Incident response policy + evidence of testing (tabletops)
  • Ticket samples showing triage, investigation, and closure
  • Retention settings and access controls for logs and SIEM

4) You’re responding to a breach (SOC becomes the hub)

During suspected compromise, the SOC often becomes the coordination center:

  • Establishing timeline of events
  • Preserving logs and forensic artifacts
  • Coordinating containment across endpoints, identity, email, and cloud
  • Supporting cyber insurance / IR firms / legal with evidence packs

If you don’t already have an escalation plan, this is when gaps become painfully visible—missing logs, unclear ownership, and slow approvals.

Practical tips: make your SOC more effective (without buying more tools)

Tighten identity hygiene (SOC pain point #1)

A huge percentage of SOC workload starts with compromised credentials (phishing, password reuse, session theft). Improving password and MFA practices reduces noisy alerts and real incidents alike. Use this walkthrough to raise the baseline: how do i create a strong password.

If you want a pragmatic way to reduce password risk across the org, a password manager can help enforce unique, long passwords and secure sharing. For teams that need admin controls and auditing, 1Password is a common option: Try 1Password →.

Reduce commodity malware noise on endpoints

A SOC is more effective when endpoints aren’t constantly generating preventable malware alerts. If you’re a small team or you support freelancers/contractors, endpoint hygiene matters; see antivirus for freelancers 2026 7 top picks compared for options. If you’re looking for a widely used malware-removal and endpoint protection tool, Malwarebytes is one place to start: Get Malwarebytes →.

Secure remote work paths (especially during incident response)

During incidents, people log in from unusual networks, move quickly, and sometimes bypass normal routines—conditions that attackers also love. For safer remote access on untrusted Wi‑Fi, a reputable VPN can reduce exposure to local network attacks. If you need a mainstream option, consider NordVPN: Check NordVPN pricing →. (A VPN doesn’t replace SOC monitoring, but it can reduce certain network-layer risks for traveling staff.)

Quick self-check: do you “have a SOC” functionally?

If you can answer “yes” to most of these, you likely have a functional SOC capability (in-house or outsourced):

- We ingest endpoint + identity logs and can search them quickly.
- We have defined alert severities and response SLAs.
- We know who is on-call and how to escalate 24/7 (or defined hours).
- We can isolate a host / disable an account within minutes, not days.
- We run post-incident reviews and tune detections based on findings.

If not, the next step usually isn’t “buy a SOC”—it’s clarifying coverage, telemetry, retention, and escalation so monitoring turns into timely action.


This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Related terms

SIEM (Security Information and Event Management)

Central platform for log ingestion, correlation, alerting, and investigation.

SOAR (Security Orchestration, Automation, and Response)

Automation layer for playbooks (ticketing, enrichment, containment).

EDR/XDR

Endpoint Detection and Response (and expanded telemetry coverage).

MDR (Managed Detection and Response)

Outsourced detection + response service with defined SLAs.

Incident Response (IR)

Structured process to contain, eradicate, and recover from incidents; SOCs often initiate or support IR.

Threat hunting

Proactive searching for adversary activity that may not trigger alerts.

Triage

Rapid classification and prioritization of alerts.

Runbooks/Playbooks

Documented procedures for incident types (phishing, malware, account compromise).

SOC maturity

How well the SOC detects, responds, measures outcomes, and improves over time.

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.