Day 5 of 5
⏱ ~60 minutes
SOC Operations in 5 Days — Day 5

SOC Metrics, Playbooks & Career

A world-class SOC measures everything, documents everything, and continuously improves. Today covers key performance metrics, playbook development, and how to build a career in security operations.

SOC KPIs and Metrics

Key metrics:

  • Mean Time to Detect (MTTD): average time from attacker entry to alert
  • Mean Time to Respond (MTTR): time from alert to containment
  • False Positive Rate: percentage of alerts that are not real attacks (industry average: 40-70%)
  • Dwell Time: time an attacker operates before detection (industry average: 21 days)

These metrics drive analyst hiring, tool investment, and process improvement decisions.

Writing Detection Rules and Playbooks

A detection rule has: name, ATT&CK technique mapping, data source, query logic, tuning notes, and expected alert volume. A playbook has: trigger condition, triage steps, investigation steps, escalation criteria, and response actions. Both must be version-controlled (Git), reviewed quarterly, and tested annually against real or simulated attacks. SOC maturity correlates directly with documentation quality.

SOC Career Paths

Tier 1 Analyst → Tier 2 Analyst → Tier 3 Analyst/Threat Hunter → SOC Manager/CISO. Salary ranges (2025): T1 $55-75K, T2 $80-110K, T3 $100-140K, SOC Manager $120-160K. Key certifications: CompTIA Security+ (entry), Splunk Core Certified User (T1-T2), Blue Team Labs certifications, GCIH (GIAC Certified Incident Handler), GCIA (GIAC Certified Intrusion Analyst), CISSP (management). Federal SOC roles add 15-25% salary premium.

```text
SOC DETECTION RULE DOCUMENTATION TEMPLATE

Rule Name: PowerShell Encoded Command Execution
ATT&CK Technique: T1059.001 (Command and Scripting Interpreter: PowerShell)
Data Source: Windows PowerShell Operational log (Microsoft-Windows-PowerShell/Operational), Sysmon
Event IDs: 4104 (PowerShell Script Block Logging), Sysmon Event ID 1 (Process Creation)

Query (Splunk):
  index=windows ((source="*Microsoft-Windows-PowerShell/Operational" EventCode=4104)
                 OR (source="*Microsoft-Windows-Sysmon/Operational" EventCode=1))
  | eval cmd=coalesce(CommandLine, ScriptBlockText)
  | regex cmd="(?i)(^|\s)-e(c|n|nc|ncodedcommand)?\s"
  | stats count, min(_time) AS first_seen BY host, user, cmd

Tuning Notes:
  - The encoded switch appears in the Sysmon 1 CommandLine; 4104 carries the decoded
    ScriptBlockText, so the two fields are merged before matching
  - PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
    the pattern covers the common forms without matching -ExecutionPolicy
  - Exclude hosts: [SCCM server, patching servers] (they use encoded PowerShell legitimately)
  - Alert threshold: any occurrence (0 expected in non-admin population)
  - Expected false positive rate: ~5% from legitimate admin scripts

Escalation Criteria:
  - P1: encoded command plus an outbound network connection from the same process
  - P2: encoded command from a non-admin account
  - P3: encoded command from an admin account during business hours
```
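The rule and escalation criteria from the template, run over constructed sample events, as an added Python example (not part of the course material): the excluded host names, the admin account list, business hours of 08:00-17:59, the `net_conn` flag standing in for a correlated outbound connection, and the choice to treat an admin outside business hours as P2 are all assumptions.

```python
import re
from datetime import datetime

# Tuning-note exclusions and the admin population. Host and account names are
# placeholders constructed for this example; a real rule reads them from the CMDB/AD.
EXCLUDED_HOSTS = {"sccm01", "patch01"}
ADMIN_ACCOUNTS = {"CORP\\adm_jsmith"}
BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 local time
# PowerShell accepts any unambiguous prefix of -EncodedCommand; this matches the usual
# abbreviations (-e, -ec, -en, -enc, -encodedcommand) but not -ExecutionPolicy.
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-e(c|n|nc|ncodedcommand)?\s")

def is_encoded_powershell(cmd):
    """True if a command line or script block carries an encoded-command switch."""
    return ENCODED_FLAG.search(cmd) is not None

def priority(event):
    """Apply the template's tuning and escalation criteria to one event.
    event keys: ts (ISO 8601), host, user, cmd, net_conn (True when an outbound
    connection, e.g. Sysmon Event ID 3, was correlated to the same process)."""
    if event["host"].lower() in EXCLUDED_HOSTS:
        return None  # tuning note: known legitimate encoded-PowerShell sources
    if not is_encoded_powershell(event["cmd"]):
        return None
    if event.get("net_conn"):
        return "P1"  # encoded PowerShell plus an outbound network connection
    if event["user"] not in ADMIN_ACCOUNTS:
        return "P2"  # encoded command from a non-admin account
    if datetime.fromisoformat(event["ts"]).hour in BUSINESS_HOURS:
        return "P3"  # admin account during business hours
    return "P2"  # assumption: an admin outside business hours is escalated like a non-admin

def triage(events):
    """Run the rule over a batch; returns sorted (priority, host, user) for every alert."""
    return sorted((p, e["host"], e["user"]) for e in events if (p := priority(e)))

# Constructed sample events (not real telemetry); BASE64PAYLOAD stands in for the argument.
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T02:10:00", "host": "sccm01", "user": "CORP\\svc_sccm",
     "cmd": "powershell.exe -NoProfile -enc BASE64PAYLOAD", "net_conn": False},
    {"ts": "2025-03-04T10:15:00", "host": "ws-042", "user": "CORP\\alice",
     "cmd": "powershell.exe -nop -w hidden -ec BASE64PAYLOAD", "net_conn": True},
    {"ts": "2025-03-04T14:00:00", "host": "srv-app1", "user": "CORP\\adm_jsmith",
     "cmd": "powershell.exe -e BASE64PAYLOAD", "net_conn": False},
    {"ts": "2025-03-04T09:00:00", "host": "ws-007", "user": "CORP\\bob",
     "cmd": "powershell.exe -ExecutionPolicy Bypass -File deploy.ps1", "net_conn": False},
]
```

Calling `triage(SAMPLE_EVENTS)` yields one P1 (alice on ws-042) and one P3 (the admin on srv-app1); the SCCM host is suppressed and the `-ExecutionPolicy` invocation never matches.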
💡 Track your MTTD and MTTR weekly. If MTTD exceeds 24 hours, you have a detection coverage problem. If MTTR exceeds 4 hours for P1, you have a process problem. Both need fixing.
📝 Day 5 Exercise
Document Your SOC Playbooks
  1. Write a detection rule document for the PowerShell encoded command rule using the template above
  2. Create a Git repository for your SOC documentation: rules/, playbooks/, runbooks/
  3. Write a triage playbook for phishing email alerts (5 investigation steps, 3 escalation criteria)
  4. Calculate MTTD and MTTR for 5 incidents from your lab exercises
  5. Research Blue Team Labs Online (blueteamlabs.online) and complete one free SOC investigation challenge

Day 5 Summary

  • MTTD and MTTR are the two most important SOC performance metrics
  • Detection rules and playbooks must be version-controlled, reviewed, and tested
  • SOC career path: T1 → T2 → T3/Threat Hunter → Manager, with certifications at each level
  • Federal SOC roles command 15-25% salary premium over private sector
  • Blue Team Labs and TryHackMe Blue Path provide hands-on SOC training

Challenge

Complete the 'The Report' or 'Infection Monkey' challenge on Blue Team Labs Online. Write a detailed analyst report documenting your investigation methodology, findings, and IOCs in a format suitable for a job interview portfolio.
