L1 Junior role:

Monitoring IT network traffic for unusual or suspicious behavior. Determining whether alerts are false positives or true positives. Analyzing and investigating the evidence. Determining the severity of a security issue and applying the appropriate risk rating.

L3 Senior role:

Triaging and identifying suspicious events. For a true positive, the standard operating procedure (SOP) is followed according to the playbooks or runbooks. The evidence gathered by SOC L1 helps establish context for the security incidents that have occurred. Security incidents with critical or high severity are immediately escalated to incident response (IR).
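The three decisions the notes above describe (true positive vs. false positive, severity and risk rating, escalation of critical/high incidents to IR) as one runnable triage flow. This is an added example, not code from the original notes or from any SOC tooling; the alerts, the threat-intel list, the scanner allowlist, the asset criticality table and the per-rule impact values are all constructed assumptions, and the risk rating is a simple likelihood-times-impact score.

```python
"""Added example: a minimal L1/L3 alert triage flow over constructed alerts.
Nothing here is real data; every list below is an assumption for the demo."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed reference data (assumed for the example, not real indicators).
KNOWN_BAD_IPS = {"203.0.113.45"}        # hypothetical threat-intel hit list
SCANNER_ALLOWLIST = {"10.0.0.5"}        # hypothetical authorised internal scanner
ASSET_CRITICALITY = {"dc-01": 3, "db-prod-01": 3, "ws-042": 1, "ws-010": 1}
RULE_IMPACT = {"outbound_c2": 3, "brute_force_login": 2, "port_scan": 1}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    rule: str
    src_ip: str
    dst_ip: str
    host: str  # asset the detection fired on


@dataclass(frozen=True)
class Triage:
    alert_id: str
    verdict: str      # "true_positive" or "false_positive"
    reason: str
    likelihood: int   # 0 (benign) .. 3 (confirmed by intel)
    impact: int       # 1 .. 3, from rule impact and asset criticality
    score: int        # likelihood * impact, the risk rating
    severity: str
    route: str        # "IR" for critical/high, otherwise stays with "L1"


def verdict_for(alert: Alert) -> Tuple[str, str, int]:
    """L1 step: false positive or true positive, plus a likelihood for scoring."""
    if alert.rule == "port_scan" and alert.src_ip in SCANNER_ALLOWLIST:
        return "false_positive", "source is an allowlisted internal scanner", 0
    if alert.dst_ip in KNOWN_BAD_IPS or alert.src_ip in KNOWN_BAD_IPS:
        return "true_positive", "indicator matches threat intel", 3
    # No allowlist or intel match: keep it as suspicious pending investigation.
    return "true_positive", "no allowlist or intel match; treat as suspicious", 2


def severity_for(score: int) -> str:
    """Map the likelihood*impact score (0..9) onto a severity label."""
    if score >= 9:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def triage(alert: Alert) -> Triage:
    verdict, reason, likelihood = verdict_for(alert)
    # Impact is the worse of what the rule implies and how critical the asset is.
    impact = max(RULE_IMPACT.get(alert.rule, 1), ASSET_CRITICALITY.get(alert.host, 1))
    score = likelihood * impact
    severity = "informational" if verdict == "false_positive" else severity_for(score)
    # Playbook rule from the notes: critical and high go straight to IR.
    route = "IR" if severity in ("critical", "high") else "L1"
    return Triage(alert.alert_id, verdict, reason, likelihood, impact, score, severity, route)


def triage_all(alerts: List[Alert]) -> Dict[str, Triage]:
    return {a.alert_id: triage(a) for a in alerts}


# Constructed sample alerts (assumed, not captured from a real SIEM).
SAMPLE_ALERTS = [
    Alert("A-1", "outbound_c2", "10.0.1.42", "203.0.113.45", "ws-042"),
    Alert("A-2", "port_scan", "10.0.0.5", "10.0.2.0", "ws-010"),
    Alert("A-3", "brute_force_login", "198.51.100.7", "10.0.0.10", "dc-01"),
    Alert("A-4", "port_scan", "10.0.0.77", "10.0.2.0", "ws-010"),
]

if __name__ == "__main__":
    for t in triage_all(SAMPLE_ALERTS).values():
        print(f"{t.alert_id}: {t.verdict:<14} score={t.score} "
              f"severity={t.severity:<13} -> {t.route}  ({t.reason})")
```

Running it shows the four outcomes the notes distinguish: the C2 beacon is a confirmed true positive rated critical and escalated, the allowlisted scanner is closed as a false positive, the brute force against the domain controller is high because the asset criticality dominates, and the port scan against a workstation stays low and with L1.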

The OODA loop (Observe, Orient, Decide, Act)