cyber revision

Security operations: SOC, SIEM and the blue team

How defenders monitor at scale: the SOC, SIEM and SOAR, detection engineering, threat hunting, and the colour-coded teams.


The defensive side

Where forensics is reactive, security operations is the continuous work of monitoring, detecting and responding before and as incidents unfold. The people doing it are the blue team, the defenders, and most of them work, literally or organisationally, in a SOC.

The SOC

A Security Operations Centre (SOC) is the team and facility responsible for monitoring an organisation's security around the clock, detecting threats and coordinating response. SOCs are usually tiered:

  • Tier 1 (analysts): triage the flood of alerts, dismiss false positives, escalate the real ones. The front line.
  • Tier 2 (responders/investigators): investigate escalated alerts in depth, scope incidents, begin containment.
  • Tier 3 (threat hunters / senior IR): proactively hunt for threats that evaded detection, build new detections, handle the hardest incidents.

The defining challenge is alert volume: a SOC drowns in alerts, and alert fatigue, where so many false positives arrive that analysts start ignoring them, is a genuine security risk (a real attack hidden in the noise). Much of SOC engineering is about raising signal and cutting noise. Not every organisation runs its own; many use an MSSP (Managed Security Service Provider) or MDR (Managed Detection and Response) service.

SIEM and SOAR

A SIEM (Security Information and Event Management) platform is the SOC's nerve centre. It aggregates logs from across the estate (firewalls, servers, endpoints, applications, cloud) into one place and correlates them to detect patterns no single source would reveal. A failed login on one box is noise; the same account failing across fifty boxes in a minute (password spraying) is an alert the SIEM can raise by correlating. It also provides the searchable history investigations depend on. Splunk, Microsoft Sentinel and Elastic are common examples.
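The cross-host correlation just described, as an added example (not code from this page or from any SIEM product): it parses constructed failed-login lines and raises an alert when one account fails on at least `min_hosts` distinct hosts within a 60-second sliding window, while the same number of failures on a single host stays quiet. The log format, hostnames, accounts and timestamps are all made up for the demonstration, and lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (syslog-like); not from any real system.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host01 sshd: Failed password for svc_backup from 10.0.0.9
2024-05-01T10:00:04Z host02 sshd: Failed password for svc_backup from 10.0.0.9
2024-05-01T10:00:07Z host03 sshd: Failed password for svc_backup from 10.0.0.9
2024-05-01T10:00:09Z host01 sshd: Failed password for alice from 10.0.0.12
2024-05-01T10:00:12Z host04 sshd: Failed password for svc_backup from 10.0.0.9
2024-05-01T10:00:15Z host05 sshd: Failed password for svc_backup from 10.0.0.9
2024-05-01T10:03:30Z host06 sshd: Failed password for bob from 10.0.0.20
"""

# Assumed line shape: "<ISO timestamp> <host> sshd: Failed password for <account> from <ip>"
LINE_RE = re.compile(r"^(\S+) (\S+) sshd: Failed password for (\S+) from (\S+)$")


def parse(line):
    """Return (timestamp, host, account) for a failed-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3)


def correlate(log_text, window=timedelta(seconds=60), min_hosts=5):
    """Map each alerting account to the set of distinct hosts it failed on
    inside one `window`; a single noisy host never reaches the threshold."""
    recent = defaultdict(deque)   # account -> (timestamp, host) events still in window
    alerts = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue              # not a failed login; other rules would consume it
        ts, host, account = ev
        q = recent[account]
        q.append((ts, host))
        while q and ts - q[0][0] > window:   # evict events older than the window
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) >= min_hosts and account not in alerts:
            alerts[account] = hosts          # raise once per account
    return alerts
```

In a real SIEM the threshold and window are tuning knobs; setting them too low is exactly how the alert-fatigue problem described later on this page starts.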

A SIEM is only as good as what you feed it (logging, per OWASP A09) and the detection rules you write. The output is alerts; the inputs are well-chosen log sources and tuned correlation logic.

SOAR (Security Orchestration, Automation and Response) sits alongside, automating repetitive response: enriching an alert with threat-intel lookups, isolating a host, disabling an account, opening a ticket via playbooks. The goal is to handle routine cases at machine speed and free analysts for judgement work, directly improving MTTR.

Detection engineering and threat hunting

  • Detection engineering is the deliberate building and tuning of detections, often mapped to MITRE ATT&CK techniques so coverage and gaps are visible (the heat map from the ATT&CK chapter). Good detections balance catching real attacks against false positives.
  • Threat hunting is proactive, assuming a breach has already occurred and actively searching for it rather than waiting for an alert. Hunts are usually hypothesis-driven ("if an attacker were living off the land with PowerShell, what would I see?") and lean on TTP-level thinking, because that's what evades signature alerts.

The colour-coded teams

A standard exam set:

  • Red team: offensive; emulates real adversaries (often a specific ATT&CK-profiled actor) to test defences end to end. Broader and more goal-driven than a scoped penetration test.
  • Blue team: defensive; monitors, detects and responds (the SOC and IR functions above).
  • Purple team: not a separate team so much as a collaboration, with red and blue working together so that every attack technique the red team uses is checked against whether blue can detect it, and detections are improved on the spot. Purple teaming is how an organisation turns offensive testing into measurable defensive improvement.
  • White team: runs and adjudicates the exercise, sets rules of engagement.

Key supporting controls

The blue team relies on tooling met elsewhere, tied together here:

  • EDR/XDR: endpoint (and extended, cross-source) detection and response, providing behaviour-based detection with the ability to investigate and isolate hosts remotely.
  • IDS/IPS: network detection and prevention (networking topic).
  • Vulnerability management: continuously scanning, prioritising (by CVSS and real exploitability) and patching weaknesses before they're used. Proactive, and one of the highest-value activities.
  • Threat intelligence: feeds of IOCs and TTPs that sharpen detection and prioritisation.
  • Honeypots: high-signal decoys that catch attackers who get past the perimeter.

The blue team's hard truth: defenders must be right every time across a huge surface; an attacker needs to be right once. That asymmetry is why the strategy is defence in depth plus fast detection and response: you assume prevention will sometimes fail and invest in noticing and reacting quickly, which is exactly what shrinking MTTD and MTTR measures.

Quick recall

  • The SOC monitors and responds 24/7, tiered 1 (triage) → 2 (investigate) → 3 (hunt). Alert fatigue from false positives is a real risk; MSSP/MDR are outsourced options.
  • SIEM aggregates and correlates logs to detect what single sources can't; it's only as good as its log inputs and detection rules. SOAR automates response via playbooks, improving MTTR.
  • Detection engineering builds/tunes detections (mapped to ATT&CK); threat hunting proactively assumes compromise and searches for it.
  • Teams: red (offence/emulation), blue (defence), purple (red+blue collaboration to improve detection), white (runs the exercise).
  • Attacker needs one win, defender must cover everything → defence in depth + fast detect/respond.