SOC/CSIRT Basic and fundamental concepts
March 5, 2026 ยท View on GitHub
ToC
- What is a SOC?
- SOC Activities vs. CSIRT activities
- What is a SIEM? What for?
- SOC mission and context
- SOC/CERT processes and workflow
- What is purple/red/blue team?
- Attack lifecycle
- Most common infection vectors
- Difference/comparison between EDR and antivirus
- EDR,XDR,NDR,MDR explained
What is a SOC?
SOC definition:
As per MITRE paper (SOC strategies, see below):
Typical SOC:
Data, tools, and capabilities:
Evolution of SOC in time
Some people may consider SOC has evolved in time, as the following drawing shows (from this article):
I do believe it mostly depends on the context (environment to the monitored), and the cyber maturity. And on top of that, AI (meaning Artificial Intelligence) still does not exist per say....
SOC activities vs. CSIRT activities
SOC activities:
As per ENISA's whitepaper, a minimal set of services for SOCs usually includes those in bold below in accordance with the FIRST services framework:
CSIRT activities:
As per ENISA's whitepaper, a minimal set of services for CSIRTs usually includes those in bold below in accordance with the FIRST services framework:
SOC vs. CSIRT vs. ISAC vs. PSIRT
As per this article on LinkedIn:
What is a SIEM? What for?
As per Gartner's glossary:
Security information and event management (SIEM) technology supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources. The core capabilities are a broad scope of log event collection and management, the ability to analyze log events and other data across disparate sources, and operational capabilities (such as incident management, dashboards and reporting).
And as per this article (in French):
SOC mission and context
SOC operating context:
As per MITRE paper (SOC strategies, see below):
SOC/CERT processes and workflows
Incident response lifecycle (detection // incident response):
As per NIST SP800-61 rev2 paper (see below):
As an IT security teacher used to tell his students, like a SOC motto: "Without response, detection is useless" (Freely inspired from Bruce Schneier, Secrets and Lies: Digital Security in a Networked World book).
Typical incident handling workflow:
As per ENISA paper see below:
SOC/CERT procedures:
- Write and maintain in time alerts/incident handling procedures.
- My recommendation: take those from CERT-SG: IRM, as an example, and have a look at the DFIQ
- You may want to have a look at:
- the one I propose for compromise (malware) suspicion use case on Windows;
- the one I propose for Azure/M365 compromise assessment use case.
- Leverage community-standards to define the common questions and checkpoints, for incident response :
- My recommendation: DFIQ
What is purple/red/blue team?
Quoting Lutessa (article in French):
What is an attack lifecycle?
As per Mandiant article:
What are the most common infection vectors?
Based on experience, and on numerous malware statistics, the following ones should be considered as priority:
- emails;
- web browsing;
- USB sticks / removable storage;
- exposed (internet facing) services/apps and equipments (e.g.: appliances)
What are the differences between antivirus and EDR?
| Capability | Antivirus (part of EPP) | EDR |
|---|---|---|
| Console API | Quite limited | Depends on the vendor: some provide a limited API and force to use their console, some others provide an API that allows to implement a "single pane of glass" approach in the SIEM/SIRP |
| Detection of malicious files | Hash-based (even if not pure MD5 per say), or binary portions based. Sometimes code emulation-based | Hashed-based (but backed by standards like OpenIOC sometimes) |
| Detection of common malware | AV vendors have knowledgebase of billions of samples (often called something like "cloud protection") | Out of scope: EDR does not replace AV |
| Detection of advanced malware | Partial, depends on the use case and vendor | Full capability (IoC-based, behaviour-based, ML-based, etc.) |
| Detection of malicious traffic | Depends on the antivirus solution (some may, some may not) | Full capacity (HTTPs and others), endpoint-wide |
| Detection of malicious behaviour | Limited | Machine-learning-based or with embedded advanced detection logics (like for drive-by download technique detection) |
| Detection on custom IoC | Quite uncommon (some may, some may not) | Standard: detect custom MD5/SHA1/SHA2, URL/IP/Domain, file path, file name, etc. |
| Detection based on logging | Limited: only what is detected is being logged | Full capability: system, network, and security events history is collected and centralized (often called telemetry), allowing to build custom detections in the SIEM |
| Investigation (eg: on detection cases) | Very limited | Full capability: system, network, security events history is collected and centralized (often called telemetry), allowing to investigate deeper in the EDR or SIEM console |
| Sample remote collection | Quite uncommon | Full capability: file sample collection, memory collection (RAM dump), etc. |
| Containment of endpoint | Uncommon (only a few solutions provide it AFAIK) | Full capability |
| Containment: network trafic block | Depends on the antivirus solution (some may, some may not) | Full capability, endpoint-wide: block on IP or URL at will |
| Containment: file hash block | Depends on the antivirus solution (some may, some may not) | Full capability, endpoint-wide: block on hash or file path at will |
| Remediation: malware cleaning | Limited to malicious file deletion or quarantine | Same as AV. EDR does not replace a real backup! |
EDR / MDR / NDR / XDR ?
I would recommend this article and picture:
IMHO, XDR is more like a mini-SIEM (limited capabilities compared to a full-blown SIEM), with admin capabilities on security solutions (at least for the same vendor as the XDR) and even sometimes orchestration capabilities.
End
Go to main page.