Part 34 — SOC Analyst Workbench

Investigation Workbench

A premium SOC analyst workspace for alert triage, evidence review, IOC context, investigation notes, case escalation, and human approval handoff.

Risk Score
95
Critical identity risk
Evidence Items
6
Logs, IOCs, session data
Status
Open
Analyst review required

Alert Triage Queue

Critical Admin MFA disabled with suspicious login

Identity alert from admin account. Multiple failed logins followed by MFA setting change.

Critical Public SSH exposure on production asset

Cloud finding shows port 22 open to 0.0.0.0/0 on production-tagged resource.

High Fake courier OTP/APK fraud campaign

Mobile fraud signal contains OTP request, APK link, suspicious domain, and urgency language.

Investigation Output

Click Load Investigation to start analyst workflow.

Evidence Board

Evidence Source Risk Meaning
admin_login_failure Identity logs High Repeated failures before admin setting change.
mfa_disabled IAM event Critical Privileged control weakened.
suspicious_ip Threat Intel High IP reputation linked with scanning activity.
new_country_login Geo context Medium Unusual location for admin account.

Analyst Notes

01

Triage

Review severity, confidence, affected asset, identity context, and alert source.

02

Enrich

Use threat intelligence, cloud context, fraud signals, and evidence correlation.

03

Escalate

Promote validated alerts into incident cases with timeline and evidence.

04

Approve

Risky response actions require owner/admin approval before safe simulation.

Investigation Timeline

09:10 Alert created

Detection agent created critical identity alert.

09:13 Threat intel enrichment

Suspicious IP reputation added to evidence board.

09:18 Case escalation recommended

Analyst should promote this alert to incident case and request containment approval.

Recommended Response

Safe Preserve logs

Collect identity logs, MFA change event, IP context, and session metadata.

Review Verify user activity

Confirm whether the admin activity was legitimate or suspicious.

Approval Required Containment action

Disabling user or revoking session must go through human approval workflow.