What the SOC: behind the tools powering Blue Teams

Charles Matausch

A Security Operations Center combines multiple tools to protect an organisation’s data, systems, and employees. From detection to collaboration, each tool has its unique role, and when they work well together, they provide a powerful defence. Let’s explore the core categories and how these solutions operate with concrete examples.

1. Data Aggregation and Event Analysis

At the heart of a SOC, the Security Information and Event Management (SIEM) system consolidates data from across the organisation to detect unusual activities and alert analysts. SIEMs, like Microsoft Sentinel, Splunk, or IBM QRadar, pull data from various sources, including:

  • Firewalls to log incoming and outgoing network traffic
  • Email security gateways for flagged phishing attempts or malware
  • Active Directory to track user authentications and access attempts
  • Web proxies to monitor websites employees access
  • Endpoint detection systems for alerts from individual devices
  • Intrusion Detection Systems (IDS) to capture suspicious network packets

With these sources combined, a SIEM builds a full picture of activity across the network. To identify suspicious patterns, SIEMs rely on detection rules—specific criteria set by SOC teams that define which types of behaviour should trigger alerts. For example, say a user’s account is accessed from a foreign IP address flagged as suspicious by the web proxy. The SIEM, using its detection rules, might also identify multiple failed login attempts on the same account through the firewall logs. By cross-referencing these sources, the SIEM detects that this is more than a random failed login—it’s a potential account compromise.
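The cross-referencing described above, as an added example that is not part of the original post: a small Python correlation rule that joins constructed web-proxy and authentication log lines on the user name and fires when a suspicious-IP access and repeated failed logins on the same account fall inside one time window (the key=value line format, the reputation tag and the thresholds are assumptions, not any vendor's format).

```python
# Added example (not from the original post): a minimal SIEM-style correlation
# rule over constructed log lines. Two sources are joined on the user name:
# proxy events carrying a "suspicious" reputation tag for the source IP, and
# authentication events. The rule fires when a suspicious-IP access and at
# least FAILED_THRESHOLD failed logins for the same account fall inside WINDOW.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed correlation window
FAILED_THRESHOLD = 3             # assumed failed-login threshold

# Constructed sample logs in a simplified key=value format (not a real vendor format).
PROXY_LOG = """\
ts=2024-05-01T09:00:05 src=proxy user=alice ip=203.0.113.7 reputation=suspicious
ts=2024-05-01T09:01:10 src=proxy user=bob ip=198.51.100.4 reputation=clean
"""
AUTH_LOG = """\
ts=2024-05-01T08:55:00 src=auth user=alice result=failure
ts=2024-05-01T08:57:30 src=auth user=alice result=failure
ts=2024-05-01T08:59:00 src=auth user=alice result=failure
ts=2024-05-01T09:02:00 src=auth user=alice result=success
ts=2024-05-01T09:00:00 src=auth user=bob result=failure
"""

def parse(log):
    """Turn each log line into a dict; the ts field becomes a datetime."""
    events = []
    for line in log.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        events.append(fields)
    return events

def correlate(proxy_log, auth_log):
    """Return alerts keyed by user: suspicious-IP access plus repeated failed logins."""
    failures = defaultdict(list)
    for ev in parse(auth_log):
        if ev["result"] == "failure":          # successes are not counted
            failures[ev["user"]].append(ev["ts"])
    alerts = {}
    for ev in parse(proxy_log):
        if ev["reputation"] != "suspicious":   # only correlate flagged source IPs
            continue
        nearby = [t for t in failures[ev["user"]] if abs(ev["ts"] - t) <= WINDOW]
        if len(nearby) >= FAILED_THRESHOLD:
            alerts[ev["user"]] = {"ip": ev["ip"], "failed_logins": len(nearby), "severity": "high"}
    return alerts

if __name__ == "__main__":
    for user, detail in correlate(PROXY_LOG, AUTH_LOG).items():
        print(f"ALERT possible account compromise: {user} {detail}")
```

On the sample data only alice is alerted: three failures within ten minutes of a suspicious-IP access, while bob's single failure from a clean IP stays below the threshold.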

2. Device and Network Monitoring

Complementing the SIEM are Endpoint Detection and Response (EDR) tools and Network Traffic Analysis tools. EDR systems, such as CrowdStrike, continuously monitor endpoints (laptops, desktops, mobile devices and so on) for unusual activity. Network Traffic Analysis tools track data flows within the network itself, identifying irregular patterns in network behaviour.

Imagine an employee’s laptop suddenly connects from a location in the Maldives while the employee is supposed to be on vacation. The EDR tool detects this unusual connection attempt, flags it, and triggers an alert. Meanwhile, the Network Traffic Analysis tool could detect a sudden spike in data transfer from the same device. It is the analyst’s role to piece this information together into a more complete picture and determine whether the activity is benign or a possible threat.

3. Insights with Threat Intelligence

Responding to threats requires context, which is where Threat Intelligence platforms come into play. These platforms gather and analyse data on vulnerabilities, malware, and attack patterns from across the internet, giving SOC analysts crucial insights into potential threats. One widely used platform is VirusTotal, which aggregates verdicts from antivirus engines worldwide to analyse files and URLs for known malware signatures.

For example, if a SOC receives a suspicious email attachment, analysts can upload it to VirusTotal. If VirusTotal flags the file as malicious based on verdicts from multiple antivirus engines, the SOC can block the file across all endpoints before it spreads. This proactive step means the SOC can stop the incident before it reaches the organisation’s network, giving analysts the advantage of forewarning.

4. Coordinating Responses and Managing Workflows

Given the sheer volume of alerts, SOCs rely on Security Orchestration, Automation, and Response (SOAR) tools to automate routine tasks and streamline workflows. Tools like Palo Alto Cortex XSOAR integrate with SIEMs, EDR, and threat intelligence feeds to take rapid action when incidents occur. Ticketing tools like ServiceNow also play a key role here, enabling SOC analysts to document, track, and collaborate on each incident as it progresses. This ticketing process ensures that alerts and tasks are prioritised and that everyone stays aligned.

However, these tools present two major challenges:

  1. Alert volume: detection tools (e.g., SIEM, EDR) generate a large number of alerts, most of which are harmless, leaving analysts with an overwhelming workload.
  2. Tool sprawl: SOCs rely on numerous tools, and with so many in play, analysts often struggle to make the most of each one effectively. While SOAR solutions help reduce some of this friction, they still demand significant human input to create and maintain playbooks.

This is where Qevlar AI steps in, bridging these tools and enabling autonomous investigations across all sources. By consolidating insights and coordinating actions within the SOC, Qevlar AI ensures that each tool’s capabilities are fully leveraged, enabling faster and more precise threat response.

Stay tuned for more in this series as we continue to explore the roles, challenges, and solutions within today’s SOCs.
