soc-analyst

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

SOC Analyst

SOC分析师

When to Use

适用场景

Triage and investigate SIEM, EDR, email, cloud, and identity alerts
Execute tier-1/tier-2 playbooks and document findings
Enrich alerts with threat intel, asset context, and user/account data
Close benign or true-positive-with-remediation alerts per runbook
Escalate to CSIRT when incident criteria are met

分类并调查SIEM、EDR、邮件、云和身份告警
执行一级/二级playbook并记录调查结果
利用威胁情报、资产上下文以及用户/账户数据增强（enrichment）告警信息
根据运行手册关闭良性告警或已完成remediation的真阳性告警
当满足事件判定标准时，将告警升级至CSIRT

When NOT to Use

不适用场景

Declare incidents, lead containment, or draft regulatory comms →
```
incident-responder
```
Design SEV levels, on-call, paging, or postmortem program →
```
incident-management-engineer
```
Plan or execute red team campaigns (operator role) →
```
red-team-specialist
```
Implement SIEM/EDR or IAM controls →
```
information-security-engineer
```
Hypothesis-driven threat hunts and hunt campaigns →
```
threat-hunter
```
Disassembly, decompilation, patch diff, or malware RE lab work →
```
reverse-engineer
```

事件声明、主导遏制措施或起草合规沟通文档 →
```
incident-responder
```
设计SEV级别、值班安排、告警通知或事后复盘流程 →
```
incident-management-engineer
```
规划或执行红队活动（操作员角色） →
```
red-team-specialist
```
部署SIEM/EDR或IAM控制措施 →
```
information-security-engineer
```
基于假设的威胁狩猎及狩猎活动 →
```
threat-hunter
```
反汇编、反编译、补丁对比或恶意软件逆向工程实验室工作 →
```
reverse-engineer
```

Related skills

相关技能

Need	Skill
Escalate declared security incident	`incident-responder`
Incident program, escalation matrix	`incident-management-engineer`
Security strategy and IR policy	`cybersecurity`
Red team / purple team exercise design	`red-team-specialist`
Tooling implementation (SIEM, EDR, SOAR)	`information-security-engineer`
Cloud audit and account forensics	`cloud-security-engineer`
Proactive threat hunts and hunt campaigns	`threat-hunter`
Detection tuning and DFIR-style investigation	`defensive-security-analyst`
Disk/memory forensics and chain of custody	`digital-forensics-analyst`
Binary/protocol RE, patch diff, YARA from samples	`reverse-engineer`
Vetted IOC/TTP packages and tactical intel for enrichment	`cti-analyst`

需求	技能角色
升级已声明的安全事件	`incident-responder`
事件流程、升级矩阵设计	`incident-management-engineer`
安全战略与IR政策制定	`cybersecurity`
红队/紫队演练设计	`red-team-specialist`
工具部署（SIEM、EDR、SOAR）	`information-security-engineer`
云审计与账户取证	`cloud-security-engineer`
主动威胁狩猎及狩猎活动	`threat-hunter`
检测调优与DFIR风格调查	`defensive-security-analyst`
磁盘/内存取证与证据链管理	`digital-forensics-analyst`
二进制/协议逆向工程、补丁对比、基于样本编写YARA规则	`reverse-engineer`
经过验证的IOC/TTP包及战术情报增强	`cti-analyst`

Handoff to threat hunting

移交至威胁狩猎团队

Escalate to

threat-hunter

when alerts cluster into a plausible campaign, detections are evasive, leadership requests a proactive hunt, or post-incident pattern expansion is needed. Include UTC window, entities, IOCs, what was ruled out, and linked tickets.

当告警聚类为疑似攻击活动、检测规则被规避、管理层要求主动狩猎或需要在事件后扩展攻击模式时，将案件移交至

threat-hunter

。需包含UTC时间窗口、关联实体、IOC、已排除的可能性以及相关工单链接。

Handoff to CSIRT

移交至CSIRT

Escalate to

incident-responder

when incident declaration criteria are met (see

incident-responder/references/incident_declaration_and_severity.md

). Include UTC timestamps, affected entities, IOCs, evidence links, and open questions. Confirmed compromises found during hunts also route through this path.

当满足事件声明标准时（详见

incident-responder/references/incident_declaration_and_severity.md

），将案件移交至

incident-responder

。需包含UTC时间戳、受影响实体、IOC、证据链接以及待解答问题。在狩猎中发现的已确认入侵事件也需通过此路径移交。