defensive-security-analyst

Defensive Security Analyst

When to Use

  • Triage security alerts from SIEM, EDR, identity, cloud, network, or email systems
  • Investigate suspicious activity and build an evidence-backed timeline
  • Tune detections, reduce false positives, or map behavior to MITRE ATT&CK
  • Run threat hunts from hypotheses, indicators, or recent incident patterns
  • Package findings, IOCs, and containment recommendations for incident command

When NOT to Use

  • Run alert queues, SOAR playbooks, or shift handoffs as primary work →
    soc-analyst
  • Define enterprise security strategy, policy, or GRC roadmap →
    cybersecurity
  • Execute penetration tests or exploit validation →
    offensive-security-analyst
  • Add CI/CD, SBOM, or supply-chain security gates →
    devsecops
  • Design SEV programs, on-call rotations, or postmortem process →
    incident-management-engineer
  • Implement IdP, KMS, SIEM, EDR, or guardrails as engineering controls →
    information-security-engineer

Related skills

Need                                          Skill
SOC queue triage, playbooks, shift turnover   soc-analyst
Security program, GRC, architecture           cybersecurity
Pipeline and IaC security                     devsecops
Rollout during active incident                deployment-strategist
Platform logs and infra forensics             infrastructure-engineer
Incident comms documentation                  tech-writer-researcher
Authorized pentest or red-team execution      offensive-security-analyst
Incident commander process, SEV, postmortems  incident-management-engineer

Core Workflows

1. Alert triage

Triage in order (first 15 minutes):
  1. Validate alert — true positive vs false positive vs benign true positive
  2. Scope — single host, user, tenant, or org-wide?
  3. Severity — active exploitation vs recon vs policy violation
  4. Priority — data class, exposure, privilege level of actor
  5. Assign — owner, escalate to IR lead if SEV1–2
Outcome          Next step
False positive   Tune detection; document FP reason
Benign TP        Close with justification; optional allowlist
True positive    Open incident; begin investigation
See references/alert_triage.md for severity matrix and escalation.

2. Investigation and timeline

collect sources → normalize UTC timeline → identify IOCs → map ATT&CK → hypothesis → validate
Primary sources: EDR, auth logs (IdP), proxy/DNS, firewall, cloud audit (CloudTrail etc.), email gateway, DLP.
Timeline fields: timestamp UTC, host/user, action, source log, analyst note.
See references/investigation_timeline.md for query patterns and correlation tips.
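The collect → normalize UTC timeline → identify IOCs steps above, as an added Python example that is not part of this skill or its reference files: three constructed records in the source-specific shapes a real case mixes (ISO 8601 with a local offset, epoch seconds, and a naive timestamp the collector emits in UTC) are mapped onto the timeline fields, sorted, and mined for candidate IOCs. Field names, hostnames, the user and every IOC value are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample events, one per source. Each source uses its own field
# names and clock format: ISO 8601 with a local offset (EDR), epoch seconds
# (IdP), and a naive timestamp that this collector emits in UTC (DNS).
RAW_EVENTS = [
    {"source": "edr", "timestamp": "2024-03-04T09:15:02-05:00", "hostname": "ws-042",
     "username": "jdoe", "action": "process_start powershell.exe sha256=" + "a" * 64},
    {"source": "idp", "time": "1709561640", "hostname": "idp-prod", "username": "jdoe",
     "action": "login_success src_ip=203.0.113.7"},
    {"source": "dns", "ts": "2024-03-04 14:16:10", "hostname": "ws-042", "username": "",
     "action": "query cdn.example.net"},
]
TS_KEYS = ("timestamp", "time", "ts")  # the timestamp field name differs per source
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io)\b", re.I),
}

def to_utc(ts):
    """Normalize ISO 8601 (with offset or 'Z'), epoch seconds, or a naive
    timestamp (assumed UTC) to 'YYYY-MM-DDTHH:MM:SSZ'."""
    if ts.isdigit():
        dt = datetime.fromtimestamp(int(ts), tz=timezone.utc)
    else:
        dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def build_timeline(raw_events):
    """Map heterogeneous records onto the timeline fields and sort by UTC time."""
    rows = []
    for ev in raw_events:
        ts = next(str(ev[k]) for k in TS_KEYS if k in ev)
        rows.append({
            "timestamp_utc": to_utc(ts),
            "host_user": f"{ev.get('hostname', '?')}/{ev.get('username') or '-'}",
            "action": ev["action"],
            "source_log": ev["source"],
            "analyst_note": "",
        })
    return sorted(rows, key=lambda r: r["timestamp_utc"])

def extract_iocs(rows):
    """Pull candidate IOCs out of the action field for pivoting and handoff."""
    found = {name: set() for name in IOC_PATTERNS}
    for row in rows:
        for name, pattern in IOC_PATTERNS.items():
            found[name].update(pattern.findall(row["action"]))
    return found
```

Sorting only works because every row carries the same fixed-width UTC format; the local-offset EDR event lands after the epoch-stamped IdP logon once both are normalized.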

3. Detection engineering (analyst-facing)

When creating or tuning detections:
  1. Define threat behavior in plain language
  2. Map to MITRE ATT&CK tactic/technique
  3. Specify data source and required fields
  4. Write detection logic (Sigma-style or SIEM SPL/KQL)
  5. Estimate false positive rate; test on 7–30 days historical data
  6. Document response playbook link
See references/detection_engineering.md for rule template and tuning loop.
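A rule in the shape steps 1–6 describe, as an added Python example (not the template in references/detection_engineering.md): a Sigma-style rule dict with its plain-language behavior, ATT&CK mapping, data source, required fields and playbook link, a minimal evaluator for its condition, and a backtest over constructed, previously triaged history that shows what one tuning filter does to the false-positive rate. EventID 4698 is the real Windows Security Log "scheduled task created" event; accounts, task names and verdicts are constructed.

```python
# Sigma-style rule as a dict carrying the fields the workflow asks for. EventID 4698 is
# the Windows Security Log "scheduled task created" event; names below are constructed.
RULE = {
    "behavior": "A non-machine account registers a new scheduled task (persistence).",
    "attack": {"tactic": "Persistence", "technique": "T1053.005"},
    "logsource": {"product": "windows", "service": "security"},
    "required_fields": ["EventID", "SubjectUserName", "TaskName"],
    "detection": {
        "selection": {"EventID": 4698},
        "filter_machine": {"SubjectUserName|endswith": "$"},  # machine accounts
        "filter_corp": {"TaskName|startswith": "\\Corp\\"},   # tuning: known deployment tasks
        "condition": "selection and not filter_machine and not filter_corp",
    },
    "playbook": "references/containment_handoff.md",
}

def _block_matches(block, event):
    """All keys of a block must match; 'field|modifier' keys use Sigma string modifiers."""
    for key, expected in block.items():
        field, _, mod = key.partition("|")
        val, exp = str(event.get(field, "")), str(expected)
        ok = {"endswith": val.endswith(exp), "startswith": val.startswith(exp),
              "contains": exp in val}.get(mod, event.get(field) == expected)
        if not ok:
            return False
    return True

def matches(rule, event):
    """Evaluate 'a and not b and not c'; an event missing a required field never alerts."""
    if any(f not in event for f in rule["required_fields"]):
        return False
    det = rule["detection"]
    for term in det["condition"].split(" and "):
        negate = term.startswith("not ")
        if _block_matches(det[term[4:] if negate else term], event) == negate:
            return False
    return True

def backtest(rule, history):
    """Replay over history carrying earlier triage verdicts; returns (alerts, fp_rate)."""
    hits = [e for e in history if matches(rule, e)]
    fps = sum(e.get("verdict") == "fp" for e in hits)
    return len(hits), (fps / len(hits) if hits else 0.0)

def _ev(user, task, verdict, eid=4698):
    return {"EventID": eid, "SubjectUserName": user, "TaskName": task, "verdict": verdict}

HISTORY = [  # constructed 7-day history with verdicts from earlier triage
    _ev("jdoe", "\\Updater", "tp"), _ev("WS-042$", "\\Microsoft\\Windows\\Defrag", "fp"),
    _ev("svc_deploy", "\\Corp\\Backup-Nightly", "fp"), _ev("asmith", "\\Corp\\Patch-Rollout", "fp"),
    _ev("bwong", "\\OneDrive Update", "fp"), {"EventID": 4624, "SubjectUserName": "jdoe"},
]
```

Dropping filter_corp from the condition and re-running backtest on the same history is the before/after comparison the tuning loop asks for; the remaining hit from "bwong" is the kind of residual false positive that goes into the documented FP reason rather than another filter.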

4. Threat hunting

Hunt hypothesis format: "If adversary [objective], we might see [observable] in [data source]."
  1. Pick hypothesis from intel, recent incidents, or ATT&CK gap
  2. Run hunts across SIEM/data lake
  3. Pivot on entities (user, IP, hash, domain)
  4. Document negative results (still valuable)
See references/threat_hunting.md for hunt cycles and pivot table.

5. Containment and handoff

Recommend containment only with approval per runbook:
Action                                  When
Disable user session                    Compromised credentials
Isolate host (EDR network containment)  Active malware/C2
Block IOC at proxy/firewall             Confirmed malicious comms
Revoke OAuth/app tokens                 Token theft
Preserve evidence before destructive actions when possible (memory/disk snapshot per policy).
Hand off to IR lead: timeline, IOCs, affected assets, recommended containment, open questions.
See references/containment_handoff.md for IR handoff template and evidence checklist.

6. Reporting

Analyst finding summary:
  • Executive: 2–3 sentences impact and status
  • Technical: timeline, IOCs, root cause hypothesis, evidence refs
  • Actions: containment taken, detections added, tickets opened
Redact PII per policy; store raw logs in secure case folder.
See references/investigation_timeline.md for report outline.

When to load references

  • Alert triage and severity
    references/alert_triage.md
  • Investigation and reporting
    references/investigation_timeline.md
  • Detections and tuning
    references/detection_engineering.md
  • Threat hunting
    references/threat_hunting.md
  • Containment and IR handoff
    references/containment_handoff.md