The core function of a SOC

The core function of a SOC (Security Operations Center) is to investigate, monitor, prevent, and respond to threats. SOC teams benefit from using a single platform with integrated yet disparate technologies for a full-picture view that is continually updated with emerging threat intelligence. This unified perspective simplifies security monitoring, supports incident response workflows, and provides all the core functionality required for building a SOC. Here’s a blog post about the main functions.

Main functions:

    1) Preparation and Prevention:

  • Stay informed of the current cybersecurity threats.
  • Gathering intelligence data on the latest threats, threat actors, and their TTPs (Tactics, Techniques, and Procedures). Also maintenance procedures, patching vulnerabilities, block-listing, safe-listing applications, email addresses, and IPs.
  • Review the essential security monitoring tools you’ll need to build a SOC: Asset Discovery, Vulnerability Assessment, Intrusion Detection, Behavioral Monitoring, and SIEM / Security Analytics. Achieve SOC success with limited time and resources by utilizing a single platform that consolidates these tools into one place.
    2) Monitoring and Investigation:

  • The first is setting up your security monitoring tools to receive raw security-relevant data (login/logoff events, persistent outbound data transfers, the firewall allows/denies, etc.). This includes making sure your critical servers and security devices (firewall, database server, file server, domain controller, DNS, email, web, active directory, etc.) are all sending their logs to your log management, log analytics, or SIEM tool.
  • Using SIEM (Security information and event management) and EDR (Endpoint Detection and Response) tools to monitor suspicious and malicious network activities. Why is important? Collecting and analyzing system events from across your network provides a wealth of raw source material that you can use to mine for suspicious activity. Security Information and Event Management (SIEM) tools were developed on the assumption that by looking for certain patterns of activity and sequences of events you can detect a cyber attack as well as validate and demonstrate regulatory compliance. SIEM tools provide a core foundation for building a SOC because of their ability to apply dynamic correlation rules (for example Correlation Directives) against a mountain of disparate and varied event log data, to find the latest threats.
  • Prioritize the alerts based on their level: Low, Medium, High, and Critical.
  • Monitoring your environment for nefarious traffic assumes that you know what those nefarious folks are doing, what “it” looks like, and how to find this activity across your assets, devices, and networks. The “bread crumbs” that these adversaries leave are usually of the same sort: IP addresses, host and domain names, email addresses, filenames, and file hashes.
    3) Response:

  • After the investigation, the SOC team coordinates and takes action on the compromised hosts, which involves isolating the hosts from the network, terminating the malicious processes, deleting files, and more.
  • About he compromised hosts: The goal is to use some tools to find suspicious or malicious activity – analyzing alerts, investigating indicators of compromise (IOCs like file hashes, IP addresses, domains, etc.), reviewing and editing event correlation rules, performing triage on these alerts by determining their criticality, the scope of impact, evaluating attribution and adversary details, as well as sharing your findings with the threat intelligence community, etc.


Traditional SOC has morphed into a modern SOC concept where there is a lot more focus on building capabilities for early threat detection (both known and unknown), minimizing dwell time, and using automation to improve efficiency. Also, it’s difficult to understand the offers of cybersecurity technology companies and their associated perimeter. I’m talking about marketing. For example, each editor uses the word “XDR” but not everyone really offers one… Basically, you can discover how to build a SOC in this specific blog post.

You may not feel as if you’re in a position to build a SOC and manage it on your own like most companies. Based on your company’s line of business and the size and skill set of the IT department, you may decide outsourcing to an MSSP (managed security service provider) is a viable option. Many global and regional MSSPs are set up to provide 24x7x365 SOC support, which includes vulnerability assessment, compliance reporting, alert response services, and more. And many of them rely on many technologies (SIEM, XDR, SOAR, EDR, UEBA, etc.) as the foundational elements in building their SOCs.


Play ransomware infection routine: Blog Post
Identify a piece of malware with Yara: Blog Post
New Veeam v12 Platform Overview: Blog Post
OpenSSL patch (v3.0.7) for Vulnerability 2022: Blog Post
Building a SOC: Blog Post
List of vendors and software affected by the OpenSSL vulnerability: Blog Post
Critical OpenSSL Vulnerability version 3.0: Blog Post
Veeam v12 Linux Without SSH And SUDO: Blog PostHardened Repository in Veeam v12: Blog Post
Wasabi Object Storage Usage with Veeam B&R v12: Blog Post
VeeaMover in v12: Blog Post
Ransomware & Cybersecurity with Veeam v12: Blog Post
Why backup directly to Object Storage? Blog Post
Veeam B&R v12 New Features Overview: Blog Post
[REPLAY] Webinar Veeam v12 and Wasabi: Replay
Protect your data with Veeam and Wasabi: Blog post
Wasabi – Object Lock feature spotlight: Blog post
Veeam and the S3-compatible object storage solutions: Blog Post
[PODCAST] VeeamUser Group France #1: Record
Conti initiates their attacks on Backup: Blog Post
Backup with Trusted Repository Storage: Blog Post.
Protect your Backup against Ransomware: Blog Post.

Please follow and like us:

Enjoy this blog? Please spread the word :)