# Security Operations Center (SOC) Fundamentals

One-sentence definition: A SOC monitors, detects, investigates, and coordinates response to security events 24×7.

## Key Facts

- Tiers: L1 triage → L2 investigation → L3 threat hunting/IR; SMEs on call.
- Inputs: SIEM, EDR, NDR, cloud logs, threat intel, user reports.
- Processes: intake, triage, enrichment, case management, escalation, closure.
- Tooling: SIEM/SOAR, ticketing, case links to evidence; shift handover.
- Metrics: MTTD/MTTR, alert fidelity, coverage; continuous tuning.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Recognize the SOC's role as the central detection/response hub.

**Mnemonic:** "**See**, **Sort**, **Solve**."

## Mini Scenario

Q: Alerts pile up at shift change. Which control addresses this?

A: A formal handover checklist and case ownership transfer in the ticketing system.

## Revision Checklist

- Name the SOC tiers.
- Name three data sources.
- Name two core metrics.

## Related

[[Logging Strategy and SIEM Use Cases]] · [[Playbooks and SOAR Automation]] · [[Incident Response Lifecycle (NIST-Style)]] · [[Threat Hunting Program Basics]] · [[Operational Metrics and KPIs (MTTD MTTR Coverage)]] · [[Domain 7 - Index]]