Job Description

Role Overview

The SOC L2 Analyst leads advanced security monitoring, investigation, and response for high-severity and complex incidents. This role is the escalation point for L1 analysts, drives improvements in detection and response content (use cases, playbooks, and runbooks), and supports the continuous maturing of the SOC. Strong SOC L2 (senior analyst) experience and hands-on expertise in Google SecOps (Chronicle SIEM) are highly preferred.

Key Responsibilities

  • Lead end-to-end investigation and response for complex and high-severity security incidents, including containment guidance, eradication recommendations, and recovery validation.
  • Perform deep-dive analysis to determine root cause, impacted assets, and attack path; document findings and drive corrective actions with stakeholders.
  • Oversee monitoring and response operations to meet SLAs/KPIs (e.g., mean time to detect and mean time to respond, MTTD/MTTR), ensuring quality triage, escalation discipline, and accurate case documentation.
  • Act as the primary escalation point for L1 and peer L2 analysts; validate triage outcomes, provide direction on next investigative steps, and ensure timely escalation to IR/engineering teams.
  • Administer and optimize SOC tooling (SIEM, EDR, SOAR, threat intel) to improve visibility, investigation efficiency, and response outcomes.
  • Own operational use of Google SecOps (Chronicle): data onboarding/integrations, normalization, dashboards, and investigation workflows.
  • Engineer, tune, and govern detection content (use cases/correlation rules) using threat intelligence, MITRE ATT&CK mapping, and feedback from incident learnings to reduce false positives without losing coverage.
  • Define and maintain response playbooks and automation workflows (SOAR) for enrichment, notification, containment actions, and evidence capture.
  • Mentor and guide L1/L2 analysts through coaching, investigation reviews, and runbook updates to improve consistency and analyst capability.
  • Partner with IT, network, cloud, and application teams to remediate control gaps and implement preventive measures based on incident outcomes.
  • Produce clear incident communications and reports for stakeholders, including timelines, IOCs, impact assessment, and lessons learned.

Required Skills & Experience

  • Experience: Minimum 6 years of relevant experience in SOC operations, incident response, and SOC platform administration.
  • SOC L2 background: Proven experience handling escalations, deep-dive investigations, and incident ownership; ability to translate operational learnings into improved detections, runbooks, and response workflows.
  • SIEM expertise: Hands-on experience with SIEM tools (e.g., Google SecOps (Chronicle), Splunk, QRadar, ArcSight) across alert triage, investigations, and detection/use-case tuning.
  • Google SecOps (Chronicle): UDM-based search/investigation, rule creation/tuning, entity/alert triage, and telemetry onboarding/integration (EDR, firewall, proxy, cloud, identity).
  • Security telemetry: Endpoint security, network security, and log analysis across Windows/Linux, network devices, and cloud/identity platforms.
  • Threat knowledge: Strong understanding of attacker TTPs, common attack vectors, and containment/mitigation strategies.
  • Process & frameworks: Familiarity with MITRE ATT&CK, NIST, and ISO 27001; ability to map detections/incidents to controls and drive continuous improvement.
  • Communication: Strong documentation and stakeholder communication skills; able to produce clear incident updates, reports, and executive-ready summaries.
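The detection-engineering and Google SecOps bullets above (correlation rules mapped to MITRE ATT&CK, tuned to reduce false positives, over UDM-shaped login telemetry) are easier to judge with a concrete rule in hand. The block below is an added illustration, not part of this posting and not Chronicle's own rule language (YARA-L): it is a Python rendering of one classic use case, "N failed logins from a source IP followed by a successful login from the same IP within a window", with a T1110 (Brute Force) mapping and an allowlist as the tuning control. Field names mirror UDM (metadata.event_type, principal.ip, target.user.userid, security_result.action) but are simplified; in real UDM principal.ip is a repeated field. The threshold, window, allowlisted IP and sample events are all constructed for the example.

```python
"""Toy correlation rule over UDM-shaped USER_LOGIN events (constructed data).

Fires when FAILURE_THRESHOLD or more failed logins (security_result.action ==
"BLOCK") from one source IP are followed by a successful login ("ALLOW") from
the same IP inside WINDOW. A tuning allowlist suppresses known-benign sources
such as an internal vulnerability scanner, which is the usual false-positive
source for this use case.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List

# Hypothetical rule parameters, chosen for this example only.
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=10)
ATTACK_TECHNIQUE = "T1110"  # MITRE ATT&CK: Brute Force

# Tuning allowlist: source IPs whose failed logins are expected.
# Constructed for the example (an assumed internal scanner address).
ALLOWLISTED_SOURCE_IPS: FrozenSet[str] = frozenset({"10.0.0.50"})


@dataclass
class Detection:
    source_ip: str
    user: str
    failures: int
    first_failure: datetime
    success_at: datetime
    technique: str = ATTACK_TECHNIQUE


def _ts(event: dict) -> datetime:
    """Parse metadata.event_timestamp (RFC 3339 with a trailing Z)."""
    return datetime.fromisoformat(event["metadata"]["event_timestamp"].replace("Z", "+00:00"))


def brute_force_then_success(
    events: List[dict], allowlist: FrozenSet[str] = ALLOWLISTED_SOURCE_IPS
) -> List[Detection]:
    """Correlate login events per principal.ip and return one Detection per hit."""
    ordered = sorted(events, key=_ts)  # make the window logic independent of input order
    failures: Dict[str, List[datetime]] = {}
    detections: List[Detection] = []
    for ev in ordered:
        if ev["metadata"]["event_type"] != "USER_LOGIN":
            continue
        ip = ev["principal"]["ip"]
        if ip in allowlist:
            continue  # tuning: known-benign source, do not count or alert
        now = _ts(ev)
        bucket = failures.setdefault(ip, [])
        bucket[:] = [t for t in bucket if now - t <= WINDOW]  # expire old failures
        action = ev["security_result"]["action"]
        if action == "BLOCK":
            bucket.append(now)
        elif action == "ALLOW" and len(bucket) >= FAILURE_THRESHOLD:
            user = ev["target"]["user"]["userid"]
            detections.append(Detection(ip, user, len(bucket), bucket[0], now))
            bucket.clear()  # one alert per burst, not one per later success
    return detections


def _login(ts: str, ip: str, user: str, action: str) -> dict:
    """Build a minimal UDM-shaped USER_LOGIN event (constructed sample)."""
    return {
        "metadata": {"event_type": "USER_LOGIN", "event_timestamp": ts},
        "principal": {"ip": ip},
        "target": {"user": {"userid": user}},
        "security_result": {"action": action},
    }


# Constructed sample telemetry: a real brute force, a scanner that looks like
# one, and a single typo followed by a successful login (below threshold).
SAMPLE_EVENTS: List[dict] = (
    [_login(f"2024-05-01T09:0{i}:00Z", "203.0.113.7", "alice", "BLOCK") for i in range(6)]
    + [_login("2024-05-01T09:07:00Z", "203.0.113.7", "alice", "ALLOW")]
    + [_login(f"2024-05-01T09:0{i}:00Z", "10.0.0.50", "svc-scan", "BLOCK") for i in range(6)]
    + [_login("2024-05-01T09:08:00Z", "10.0.0.50", "svc-scan", "ALLOW")]
    + [
        _login("2024-05-01T09:01:00Z", "198.51.100.9", "bob", "BLOCK"),
        _login("2024-05-01T09:02:00Z", "198.51.100.9", "bob", "ALLOW"),
    ]
)


if __name__ == "__main__":
    for d in brute_force_then_success(SAMPLE_EVENTS):
        print(f"{d.technique} {d.source_ip} -> {d.user}: {d.failures} failures "
              f"between {d.first_failure.time()} and {d.success_at.time()}")
```

Running the rule with the allowlist yields one detection (203.0.113.7 against alice); running it with an empty allowlist yields two, the second being the scanner. That second alert is the kind of false positive the tuning bullet refers to, and the allowlist is the narrowest fix: it removes one known source rather than raising the threshold for everyone.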

Certifications (Mandatory)

  • CEH
  • Google SecOps Certification

Job ID: 145778327