Day 4 of 5
⏱ ~60 minutes
SOC Operations in 5 Days — Day 4

Incident Response in the SOC

When a threat hunt or alert confirms an active intrusion, incident response begins. The SOC shifts from detection to containment. Today covers SOC-driven IR: declaration, escalation, containment, and communication.

Incident Classification and Severity

Not every alert is a P1 incident. A typical severity framework:

  • P1 (Critical) — active ransomware, ongoing data exfiltration, complete system compromise
  • P2 (High) — confirmed malware on multiple systems, compromised admin account
  • P3 (Medium) — single malware infection, policy violation
  • P4 (Low) — false positive, blocked attack attempt

Severity drives response time, staffing, and management notification requirements.

SOC Tools: SOAR and Case Management

SOAR (Security Orchestration, Automation, and Response) automates response actions triggered by SIEM alerts: isolating an infected host via EDR API, blocking a C2 IP in the firewall, and creating a ticket in the case management system. Platforms: Palo Alto XSOAR, Splunk SOAR, TheHive (open source). Case management tracks the full investigation lifecycle: evidence, timeline, analyst notes, and closure.

Communication During an Incident

Internal communication: IT leadership notified within 1 hour of P1 confirmation, senior management within 2 hours, legal/compliance within 4 hours. External communication: customers if PII is breached (GDPR 72-hour notification requirement, state breach notification laws). Law enforcement: FBI Cyber Division for nation-state or ransomware incidents. Public statement: legal reviews before any external disclosure. Never confirm or deny to the media during an active incident.

TheHive case creation via API (POST /api/case), request body:

```json
{
  "title": "P2: Suspected Cobalt Strike Beacon - WORKSTATION-42",
  "severity": 2,
  "tlp": 2,
  "tags": ["cobalt-strike", "lateral-movement", "T1059.001"],
  "description": "Sysmon detected powershell.exe network connection to known Cobalt Strike team server 198.51.100.10:443. Host isolated via CrowdStrike. Investigation ongoing.",
  "tasks": [
    {"title": "Isolate host", "status": "Completed"},
    {"title": "Memory acquisition", "status": "InProgress"},
    {"title": "Identify patient zero", "status": "Waiting"},
    {"title": "Scope lateral movement", "status": "Waiting"},
    {"title": "Draft stakeholder notification", "status": "Waiting"}
  ]
}
```
💡
Create case templates for common incident types (ransomware, BEC, data exfiltration) before you need them. When a real P1 hits at 2am, you want a checklist, not a blank page.
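Added example, not TheHive's own client and not code from this lesson: it builds a POST /api/case body from a prepared case template and works out the notification deadlines that the severity framework and communication plan above impose. The template contents, host name and audience keys are assumptions constructed for the example; the endpoint, the P1 internal deadlines and the 72-hour GDPR clock come from the lesson.

```python
from datetime import datetime, timedelta

# Case templates, constructed for this example following the lesson's advice to build
# them before an incident. 'severity' is TheHive's numeric field as in the lesson's P2 case.
CASE_TEMPLATES = {
    "ransomware": {
        "priority": "P1", "severity": 4, "tlp": 2, "tags": ["ransomware", "T1486"],
        "tasks": ["Isolate affected hosts", "Preserve memory and disk images",
                  "Identify initial access vector", "Scope encrypted systems",
                  "Draft stakeholder notification", "Recovery and validation"],
    },
    "malware-infection": {
        "priority": "P3", "severity": 2, "tlp": 2, "tags": ["malware"],
        "tasks": ["Isolate host", "Collect triage artefacts", "Identify malware family",
                  "Check for lateral movement", "Close with lessons learned"],
    },
}
# Internal notification deadlines (hours after P1 confirmation) from the communication plan.
P1_INTERNAL_DEADLINES = {"it_leadership": 1, "senior_management": 2, "legal_compliance": 4}
GDPR_NOTIFICATION_HOURS = 72


def build_case(template_name, host, summary):
    """Return the JSON body for POST /api/case: first task InProgress, the rest Waiting."""
    tpl = CASE_TEMPLATES[template_name]
    return {
        "title": f"{tpl['priority']}: {template_name} - {host}",
        "severity": tpl["severity"],
        "tlp": tpl["tlp"],
        "tags": list(tpl["tags"]),
        "description": summary,
        "tasks": [{"title": t, "status": "InProgress" if i == 0 else "Waiting"}
                  for i, t in enumerate(tpl["tasks"])],
    }


def notification_schedule(priority, confirmed_at_iso, pii_breached=False):
    """Who must be told by when: P1 carries the fixed internal SLAs from the plan, and the
    GDPR 72-hour clock starts whenever PII is confirmed breached, whatever the priority."""
    confirmed_at = datetime.fromisoformat(confirmed_at_iso)   # e.g. "2024-03-01T02:00:00+00:00"
    due = {}
    if priority == "P1":
        for audience, hours in P1_INTERNAL_DEADLINES.items():
            due[audience] = confirmed_at + timedelta(hours=hours)
    if pii_breached:
        due["gdpr_supervisory_authority"] = confirmed_at + timedelta(hours=GDPR_NOTIFICATION_HOURS)
    return due


def overdue(schedule, now_iso):
    """Audiences whose deadline has passed; hand this to a SOAR playbook or the shift lead."""
    now = datetime.fromisoformat(now_iso)
    return sorted(audience for audience, due_at in schedule.items() if now > due_at)
```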
📝 Day 4 Exercise
Set Up TheHive for Case Management
  1. Deploy TheHive using Docker: docker run -p 9000:9000 strangebee/thehive:latest
  2. Create a case template for 'Malware Infection' with 8 standard tasks
  3. Create a simulated P2 case using the Cobalt Strike scenario from the code example
  4. Link observables (IP, domain, hash) to the case and mark severity
  5. Practice the escalation flow: create the case, assign tasks, document findings, close with lessons learned

Day 4 Summary

  • Severity framework (P1-P4) determines response time and escalation path
  • SOAR platforms automate response actions triggered by SIEM alerts
  • TheHive provides open-source case management for the full IR lifecycle
  • GDPR requires breach notification within 72 hours — prepare templates in advance
  • Case templates prevent chaos during real P1 incidents

Challenge

Create a complete SOC runbook for a ransomware incident. Include: detection criteria, P1 declaration checklist, isolation steps, evidence preservation, stakeholder communication template, and recovery checklist.
