Common Use Cases for SOC for Different Security Teams
Use cases help an organization identify and manage common, repetitive events and functions more efficiently, and identify the particular situations in which a product or service can be put to effective use. A typical use case deployment process looks like this:
- Understand Business Objective : The first step in creating a use case for the SOC is to understand the primary objectives of the business.
- Document Problem Statement : The SOC's problem statement needs to be documented properly and illustrated so that it can be used to formulate specific solutions.
- Define Use Cases : Define use cases so that they can be used in system analysis to identify, clarify and organize system requirements.
- Generate Requirement Statement : Create a list of requirement statements that are needed for the SOC architecture.
- Prioritize Objective : Properly prioritize the issues that need to be addressed and
- Identify Source Data : Properly identify the sources of the data that are coming in and where they are going in the stream.
- Create Content : Create the relevant content.
- Build Real-time Event-Based Data Monitors : These data monitors work from real-time event triggers that are to be monitored.
- Rules for Advanced Correlation : Prepare and lay out the rules for further advanced correlation.
- Build Variables & Event Stream Analysis : Finally it comes down to preparing the variables and doing event stream analysis.
Most common use cases for the SOC Blue Team :
- Attempt to stop AV services : This use case covers any active attempt to stop the antivirus (AV) services.
- Virus detected : This use case covers whenever a potential or recognized virus is detected.
- Data exfiltration : Recognizing and monitoring the unauthorized copying, transfer or retrieval of data from a computer or server. Data exfiltration is a malicious activity performed through various
- Antivirus Failed to Clean/Quarantine/Remove Malware : To find out whether the malicious file was cleaned and removed or not.
- Multiple Failed Login Attempts to VPN ("Repeated Login Failure") :
- Audit Policy Setting Change : Identifying if and when the security audit setting is changed or modified.
- Multiple logins from different locations ("User Logged In From
- SEPM : Intrusion Prevention disabled : To correctly pinpoint when Intrusion Prevention is disabled in SEPM (Symantec Endpoint Protection Manager).
Use cases for the SOC Red Team :
- Identifying the security controls : Proper alert conveyance for both low-frequency and high-impact events.
- Determining the effective range of the software during proof of concept : Is the alerting dependent on a given event, or on runtime context (i.e. user, parent/child process attributes, etc.)?
- Evaluating the security analysis team and the security processes : Determining the signal-to-noise ratio of the detection criteria used to identify the activity.
Use cases for the Pink (Process/Compliance) Team :
- Detailed SOC security design
- Process framing
- Project & resource management, competency management
- Responding to an incident
Use cases for the Purple (Technology Implementation) Team :
- Project Planning : Formulating and planning the security architecture.
- Understanding the SOC architecture needs of the organization.
- Footprinting : A comprehensive technique used to gather information about the hosts, network and people related to the organization, in order to know the security posture, reduce the attack surface, identify vulnerabilities and draw a network map detailing the data server
- Observation, installing and implementing the required security assets such as data servers, SIEM and SOAR as well as EDR, according to their place in the security architecture layer.
- Support for the SOC architecture needs once it is installed.
So there you have it, folks. These are the most common use cases for the various security defense teams that are made for security optimization