A SOC analyst has found an event of interest. What is the next step to take it forward for further review?
A. B. C. D.
Correct Answer: A
Reference:
When a Security Operations Center (SOC) analyst detects an event of interest, the next step is to flag the event for further review. This involves assigning a specific marker or label to the event, so it can be easily identified and tracked within the security information and event management (SIEM) system.
Flagging an event serves as a mechanism for prioritizing and assigning ownership of the event, so that it can be further investigated or remediated. Typically, the flagging process involves adding notes or comments to the event to provide additional context or information that may be useful for the investigation.
Tagging an event is another possible option that can be used in conjunction with or instead of flagging. Tagging involves adding keywords or metadata to an event, to make it more easily searchable within the SIEM system. This can be useful for categorizing events by type, location, severity, or other criteria.
Highlighting an event is not a common practice in SOC operations. It might refer to adding emphasis or priority to an event, but this is generally achieved through flagging or tagging.
Closing an event is not the appropriate next step when an event of interest is detected. Closing an event means that it has been resolved or dismissed, and is no longer being actively investigated. This should only be done once the event has been thoroughly investigated and remediated, or determined to be a false positive.