SOC (Security Operations Centre)
Definition
A function providing continuous monitoring, alert triage, and early detection of security events. The SOC is the first tier of response: it identifies candidate incidents, filters out false positives, and escalates confirmed or suspected incidents to the CSIRT. SOC analysts typically work from a SIEM platform, applying defined detection rules and playbooks to the telemetry it aggregates; the rules decide what becomes an alert, the playbooks decide what the analyst does with it.
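An added example (not from the original page or from any SIEM product) of the loop the definition describes: one detection rule run over constructed sshd-style log lines, a playbook-style false-positive filter, and the escalation decision. Host names, user names, addresses, the rule name and the failure threshold are all assumptions made for the illustration.

```python
"""SIEM-style detection and triage, reduced to its essentials (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry (hypothetical hosts, users and addresses).
SAMPLE_LOGS = (
    [f"2024-05-01T10:00:0{i}Z web01 sshd: Failed password for root from 203.0.113.7"
     for i in range(1, 7)]
    + ["2024-05-01T10:00:09Z web01 sshd: Accepted password for root from 203.0.113.7"]
    + [f"2024-05-01T10:01:0{i}Z web01 sshd: Failed password for alice from 198.51.100.20"
       for i in range(0, 5)]
    + ["2024-05-01T10:02:00Z web02 sshd: Failed password for bob from 192.0.2.9",
       "2024-05-01T10:02:10Z web02 sshd: Accepted password for bob from 192.0.2.9",
       "2024-05-01T10:02:11Z web02 cron: session opened for user bob"]  # unrelated, ignored
)

# Playbook false-positive filter: an assumed internal vulnerability scanner whose
# failed logons are expected noise.
KNOWN_BENIGN_SOURCES = {"198.51.100.20"}

# Assumed tuning value for the rule below.
FAILURE_THRESHOLD = 5

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


@dataclass
class Alert:
    rule: str
    host: str
    user: str
    src: str
    failures: int
    succeeded: bool
    severity: str
    action: str  # "escalate" (to CSIRT), "monitor", or "suppress"


def parse_events(lines):
    """Yield the fields of every line the rule understands; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def detect_password_guessing(lines):
    """Detection rule: >= FAILURE_THRESHOLD failed logons per (host, user, source).

    A success that follows the failures raises severity to high, because the
    guessing appears to have worked.
    """
    stats = defaultdict(lambda: {"failures": 0, "succeeded": False})
    for ev in parse_events(lines):
        s = stats[(ev["host"], ev["user"], ev["src"])]
        if ev["result"] == "Failed":
            s["failures"] += 1
        elif s["failures"] > 0:
            s["succeeded"] = True
    alerts = []
    for (host, user, src), s in stats.items():
        if s["failures"] < FAILURE_THRESHOLD:
            continue
        severity = "high" if s["succeeded"] else "medium"
        alerts.append(Alert("ssh-password-guessing", host, user, src,
                            s["failures"], s["succeeded"], severity, "untriaged"))
    return alerts


def triage(alert):
    """Playbook step: suppress known noise, escalate confirmed compromise, else monitor.

    A known-benign source is only suppressed while it keeps failing; a success
    from it is still escalated, so the allowlist cannot mask a compromised scanner.
    """
    if alert.src in KNOWN_BENIGN_SOURCES and not alert.succeeded:
        alert.action = "suppress"
    elif alert.severity == "high":
        alert.action = "escalate"
    else:
        alert.action = "monitor"
    return alert


def run_triage(lines):
    """Run the rule, then the playbook, and return the triaged alerts."""
    return [triage(a) for a in detect_password_guessing(lines)]


if __name__ == "__main__":
    for a in run_triage(SAMPLE_LOGS):
        print(f"{a.action:9s} {a.severity:6s} {a.rule} host={a.host} "
              f"user={a.user} src={a.src} failures={a.failures}")
```

On the constructed input, the six failures and one success from 203.0.113.7 produce a high-severity alert that is escalated to the CSIRT, the scanner's five failures are suppressed by the playbook filter, and bob's single mistyped password never reaches the threshold and raises nothing.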
Related terms
- CSIRT (Computer Security Incident Response Team)
- A dedicated team responsible for coordinating the response to confirmed security incidents. The CSIRT manages containment, forensic investigation, communication to stakeholders, and...
- Escalation Path
- The predefined chain of notification and decision-making authority that an incident follows as its severity increases. Documented in the IR plan before...
- Indicator of Compromise (IoC)
- An observable artefact that suggests a system has been involved in a malicious event. Static analysis produces file-based IoCs: cryptographic hashes, embedded...
- Tactics, Techniques, and Procedures (TTPs)
- A three-level description of adversary behaviour. Tactics are the high-level goals (initial access, persistence, exfiltration). Techniques are the specific methods (spear-phishing, pass-the-hash)....
- Threat actor
- An individual or group responsible for a security incident or malicious campaign. Threat actors are categorised by motivation (financial, espionage, hacktivism, destruction)...
Explained in
- Key Terms and Stakeholders in Incident Response