Incident Analyst L1


An Event Analyst conducts security monitoring, initial triage and analysis, incoming notification management, related data collection or event enrichment, and may conduct initial victim notifications.


Responsibilities: The Event Analyst is responsible for the initial triage of security incidents and indicators generated by the incident monitoring systems. This role sees the highest volume of events while performing the lowest level of analysis. Event Analysts continuously monitor the event queue for new alerts and are direct consumers of the Security Operations Center (SOC)/CIRC configured security suite. The role determines whether an event is deemed an incident and is required to query referential information to add context to the event.


The Event Analyst uses several tools to triage the incident, with the goal of completing event triage in less than 10 minutes. If triage takes additional time and/or the analyst believes that further analysis is required, they will classify the event as an incident and escalate accordingly.


Skills Required: The ability to interpret basic security metrics and process data queries is essential to successful execution of responsibilities. Ticketing and/or change management skills should be present. This job requires the ability to take basic event alerts and determine if incident escalation is required. For each event, the individual in this role will run through a pre-documented and scripted playbook that strictly guides the triage. An Event Analyst will need the ability to understand an environment’s ‘normal baseline’, process requests, determine abnormalities against the normal baseline, and formulate a logical picture from the information and data obtained.


Collaboration and teamwork are essential to this role. Due to victim notification and collaboration with other business units, this person must have excellent communication skills. Organization and time management will also be highly valued, as the role requires quick decision-making and the ability to multi-task.


This analyst should be able to grasp basic security concepts such as IDS/IPS, log monitoring, firewalls, Active Directory, Internet searching, and research. The ability to extract metadata from a log, such as an event ID, in order to conduct research will be required.


Qualifications: A bachelor’s degree (or equivalent experience) is required for this role and all associated responsibilities. A technical qualification (preferably in the security realm) such as SANS GSEC, CompTIA Security+, or CompTIA Network+ is preferred. A clear passion for information technology and a desire to learn should be evident.


Experience: This is an entry-level role, which requires one year of experience working in operations or help desk environments. Experience with and knowledge of security concepts and tools are required. The candidate should be familiar with basic operations center shift duties. This job may require staffing nights, weekends, and/or holiday shifts.


Technical Interview: This is an entry-level job that does not require in-depth security experience. The technical interview should focus on logical problem solving. The goal is to assess the candidate’s ability to consume metadata and describe the pertinent context and detail. An interviewer should give the candidate a Microsoft Windows Event ID or firewall message, allowing the candidate to use an Internet search to correlate all useful information within five minutes. This process lets the interviewer observe the candidate’s problem solving, logical abilities, and communication skills as they apply to daily roles and responsibilities. The interview should also include a technical writing component to profile the candidate’s ability to document issues and communicate effectively through email.