Role Overview
The SOC L2 Analyst is responsible for in-depth security investigation, incident analysis, and response coordination across enterprise environments. This role focuses on correlating multi-domain telemetry (SIEM, EDR/XDR, Cloud, DLP, DAM, Email Security) to determine root cause, assess impact, and recommend containment actions. The analyst acts as a technical escalation point for L1 and contributes to improving detection use cases and SOC maturity.
Key Responsibilities
- Perform deep-dive investigations on alerts from across SIEM, EDR/XDR, Cloud, DLP, DAM, and Email Security tools
- Correlate logs and telemetry to reconstruct attack timelines and identify root cause
- Investigate advanced threats such as lateral movement, privilege escalation, account compromise, and malware activity
- Conduct endpoint analysis (process injection, persistence mechanisms, suspicious binaries, command-line artifacts)
- Analyze cloud security incidents (Azure/AWS) including IAM misuse, impossible travel, token abuse, and misconfigurations
- Perform advanced phishing and BEC investigations, including header analysis, URL detonation, and payload inspection
- Investigate DLP (Netskope) alerts for potential data exfiltration, policy violations, and insider threats
- Analyze data movement patterns across endpoints, email, and cloud storage
- Tune and validate DLP policies to reduce false positives and improve detection accuracy
- Investigate DAM alerts for unauthorized database access, privilege misuse, abnormal query patterns, and potential SQL injection attempts
- Correlate database activity with user identity and endpoint behavior to detect malicious intent
- Lead incident investigation and provide containment/remediation recommendations
- Create and enrich IOCs (IP, domain, hash) and perform threat intelligence lookups
- Ensure timely escalation to L3/IR teams for critical incidents (P1/P2)
- Improve and tune SIEM use cases and detection rules to reduce false positives
- Maintain detailed incident documentation, timelines, and reporting
- Support threat hunting activities using SIEM and EDR tools
Required Qualifications
- 3 to 6 years of experience in SOC / Cyber Security Operations / Incident Response
- Bachelor's degree in Cybersecurity, Computer Science, IT, or a related field
- Strong hands-on experience with SIEM platforms (Sentinel, Splunk, QRadar, ArcSight)
- Experience with EDR/XDR tools (Microsoft Defender, CrowdStrike, SentinelOne)
- Practical knowledge of cloud security monitoring (Azure, AWS, GCP)
- Experience in Netskope DLP and Database Activity Monitoring alert investigations
- Understanding of email security solutions and phishing/BEC analysis
- Relevant certifications: CySA+, CCSP, CEH, GCIA, GCIH, SC-200, Splunk Certified
Core Competencies
- Strong knowledge of MITRE ATT&CK framework and attack lifecycle mapping
- Ability to correlate events across endpoint, network, cloud, and database layers
- Proficiency in SIEM query languages (KQL, etc.)
- Solid understanding of network protocols, authentication mechanisms, and log analysis
- Experience in incident handling, root cause analysis, and attack chain reconstruction
- Strong analytical and problem-solving skills with attention to detail
- Ability to work independently and mentor L1 analysts
- Effective communication skills for technical and non-technical stakeholders
- Ability to work in a 24x7 rotational shift environment