
INTRODUCTION

In a Security Operations Center (SOC), detecting an alert is only the beginning.

The real skill lies in how you investigate that alert, understand attacker behavior, and determine whether it is malicious or benign.

In this guide, I explain my step-by-step SOC L3 investigation workflow: the exact mindset I use when analyzing suspicious activity in my lab.


THE CORE PRINCIPLE

SOC L3 is not about tools.
It is about thinking.

You must always answer:

  • What happened?
  • Why did it happen?
  • Is it normal or suspicious?
  • What should I do next?

STEP 1 - START WITH THE DETECTION

Example:

PowerShell execution detected.

First question:

👉 Is this expected or suspicious?


STEP 2 - IDENTIFY KEY DETAILS

Always extract:

  • User (who executed it)
  • Host (where it happened)
  • Process (what executed)
  • Time (when it happened)
  • Command Line (how it was executed)

These 5 fields are your foundation.


STEP 3 - ANALYZE COMMAND LINE (MOST IMPORTANT STEP)

The command line tells the real story.

Look for:

  • Encoded commands
  • Download activity (http/https)
  • Bypass flags
  • Hidden execution

Example:

powershell -enc → HIGHLY suspicious


STEP 4 - CHECK PARENT-CHILD RELATIONSHIP

Ask:

👉 Who launched this process?

Example:

  • explorer.exe → powershell (normal)
  • winword.exe → powershell (SUSPICIOUS)

This step alone detects many attacks.


STEP 5 - VALIDATE USER BEHAVIOR

Ask:

  • Is this user technical?
  • Do they normally run this command?
  • Is this a service account?

Unexpected behavior = strong signal.


STEP 6 - CHECK FREQUENCY

Ask:

  • One-time execution?
  • Repeated execution?

Repeated patterns = automation or malware.


STEP 7 - PIVOT TO RELATED ACTIVITY

Now expand investigation:

  • Search same host
  • Search same user
  • Look for:
    • PowerShell
    • WMI
    • Scheduled tasks
    • Registry changes

This builds the attack chain.


STEP 8 - MAP TO MITRE ATT&CK

Example:

PowerShell → T1059.001

Ask:

👉 What is the attacker trying to achieve?

  • Execution
  • Persistence
  • Lateral movement

STEP 9 - DETERMINE RISK LEVEL

Classify:

  • Low → Normal behavior
  • Medium → Suspicious
  • High → Malicious

STEP 10 - DECIDE ACTION

SOC L3 actions:

  • Escalate incident
  • Continue monitoring
  • Close as false positive

REAL EXAMPLE FLOW

Detection: PowerShell executed

Investigation:

  • Command line shows encoded command
  • Parent is Word document
  • User is non-technical

Conclusion:

👉 Likely phishing attack

MITRE:

👉 T1566 + T1059
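The ten steps above and the example flow, as an added Python triage script that is not part of the original post: it runs Steps 3 to 10 over three constructed process-creation events (an Office-spawned encoded PowerShell, an admin's interactive command, and a repeated service-account script). The technical-user list, the "svc_" service-account prefix, the Office parent set and the scoring weights are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample process-creation events (not real telemetry): the Step 2 fields plus parent.
EVENTS = [
    {"time": "2024-05-01T09:02:11", "host": "WS-042", "user": "jdoe", "parent": "winword.exe",
     "process": "powershell.exe", "cmdline": "powershell -nop -w hidden -enc AAAA"},
    {"time": "2024-05-01T09:15:40", "host": "WS-007", "user": "it-admin", "parent": "explorer.exe",
     "process": "powershell.exe", "cmdline": "powershell Get-ChildItem C:\\Reports"},
] + [
    {"time": f"2024-05-01T0{h}:00:00", "host": "SRV-01", "user": "svc_backup", "parent": "services.exe",
     "process": "powershell.exe", "cmdline": "powershell -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"}
    for h in (1, 2, 3)
]

# Assumed context; in a real SOC this comes from the asset and identity inventory.
TECHNICAL_USERS = {"it-admin"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Step 3: the four command-line signals named in the guide, as case-insensitive patterns.
CMDLINE_SIGNALS = {
    "encoded": re.compile(r"\s-(enc|encodedcommand)\b", re.I),
    "download": re.compile(r"https?://", re.I),
    "bypass": re.compile(r"-(ep|executionpolicy)\s+bypass", re.I),
    "hidden": re.compile(r"-(w|windowstyle)\s+hidden", re.I),
}

def triage(event, frequency):
    """Apply Steps 3-10 to one event; frequency = count of identical (host, user, cmdline)."""
    findings = [name for name, rx in CMDLINE_SIGNALS.items() if rx.search(event["cmdline"])]
    techniques = {"T1059.001"}            # Step 8: PowerShell execution
    score = len(findings)
    if event["parent"].lower() in OFFICE_PARENTS:   # Step 4: Office parent is the strongest signal
        findings.append("office-parent")
        techniques.add("T1566")           # document-borne PowerShell points to phishing delivery
        score += 2
    if findings and event["user"] not in TECHNICAL_USERS and not event["user"].startswith("svc_"):
        findings.append("non-technical-user")   # Step 5: unexpected for this user
        score += 1
    if frequency > 1:                     # Step 6: recorded, not scored (may be a legitimate job)
        findings.append(f"repeated x{frequency}")
    risk = "High" if score >= 3 else "Medium" if score >= 1 else "Low"        # Step 9
    action = {"High": "Escalate incident", "Medium": "Continue monitoring",
              "Low": "Close as false positive"}[risk]                          # Step 10
    return {"host": event["host"], "risk": risk, "action": action,
            "findings": findings, "techniques": sorted(techniques)}

def run(events):
    counts = Counter((e["host"], e["user"], e["cmdline"]) for e in events)
    return [triage(e, counts[(e["host"], e["user"], e["cmdline"])]) for e in events]
```

Run `run(EVENTS)` to get one verdict per event; the Word-spawned encoded command comes back High with T1059.001 and T1566, the admin's directory listing Low, and the repeated service-account script Medium with the bypass flag and repetition recorded.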


COMMON MISTAKES

❌ Jumping to conclusions
❌ Ignoring command line
❌ Not checking parent process
❌ Not pivoting
❌ Overlooking user context


SOC L3 MINDSET

Don’t think:

👉 “What does this query show?”

Think:

👉 “What is the attacker doing?”


FINAL THOUGHT

Tools detect.
But analysts investigate.

The difference between SOC L1 and SOC L3 is not tools;
it is thinking and decision making.
