Understanding Assets & Identities in SOC: A Guide for L1 Analysts
Introduction
Alert triage is a critical task in any Security Operations Center (SOC). Imagine you’re on a night shift and receive an alert:
“G.Baker logged into HQ-FINFS-02 and shared ‘Financial Report US 2024.xlsx’ with R.Lund.”
To investigate effectively, you need answers to key questions:
- Who is G.Baker? What are their working hours and role?
- What is HQ-FINFS-02? Who has access?
- Why would R.Lund need access to financial records?
This is where identity and asset inventory come in.
Identity Inventory
Identity inventory is a catalogue of corporate users, services, and accounts with details like privileges, contact info, and roles. It helps SOC analysts quickly determine if activity is expected.
Example of Identities
| Full Name | Username | Role | Location | Access |
|---|---|---|---|---|
| Gregory Baker | G.Baker | Chief Financial Officer | UK | VPN, HQ, FINANCE |
| Raymond Lund | R.Lund | US Financial Analyst | Texas | VPN, FINANCE |
| Kate Danner | K.Danner | Chief Technology Officer | UK | VPN, DA, HQ, AWS |
Sources of Identities
- Active Directory (AD) – On-premises AD or Entra ID
- SSO Providers – Okta, Google Workspace
- HR Systems – BambooHR, SAP, HiBob
- Custom Solutions – CSV or Excel sheets
Identity inventory is essential for understanding user context, making triage faster and more accurate.
Asset Inventory
Asset inventory, or asset lookup, lists all computing resources such as servers and workstations. It provides context about the systems involved in an alert.
Example of Assets
| Hostname | Location | OS | Owner | Purpose |
|---|---|---|---|---|
| HQ-FINFS-02 | UK Datacenter | Windows Server 2022 | Central IT | File server for financial data |
| HQ-ADDC-01 | UK Datacenter | Windows Server 2019 | Central IT | Primary AD domain controller |
| PC-891D | London Office | Windows 11 Pro | Tech Support | Accountant workstation |
Sources of Assets
- Active Directory – also serves as a solid asset database
- SIEM / EDR – Elastic, CrowdStrike
- MDM Solutions – MS Intune, Jamf MDM
- Custom Solutions – CSV or Excel sheets
Putting It Together
Using identity and asset inventories, you can answer critical SOC questions quickly:
- Role of R.Lund: US Financial Analyst
- Data on HQ-FINFS-02: Financial records
- File sharing legitimacy: ✅ Expected
This structured approach ensures accurate alert triage, reduces mistakes, and helps SOC teams operate efficiently.
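The lookup described above can be automated so that an L1 analyst sees the enriched context next to the alert instead of hunting for it. The following Python script is an added example, not code from the original article: it loads the two inventory tables as CSV (the "Custom Solutions" source named above), parses the sample alert, and answers the three triage questions. The `required_access` column on the asset table, the `triage` function and the alert regex are assumptions introduced here; the alert and inventory rows are the article's own sample data.

```python
import csv
import io
import re

# Constructed sample inventories in CSV form, mirroring the article's tables.
# The "required_access" column is an assumption added here: the access group a
# user must hold to legitimately read the data on that asset.
IDENTITY_CSV = """\
full_name,username,role,location,access
Gregory Baker,G.Baker,Chief Financial Officer,UK,VPN;HQ;FINANCE
Raymond Lund,R.Lund,US Financial Analyst,Texas,VPN;FINANCE
Kate Danner,K.Danner,Chief Technology Officer,UK,VPN;DA;HQ;AWS
"""

ASSET_CSV = """\
hostname,location,os,owner,purpose,required_access
HQ-FINFS-02,UK Datacenter,Windows Server 2022,Central IT,File server for financial data,FINANCE
HQ-ADDC-01,UK Datacenter,Windows Server 2019,Central IT,Primary AD domain controller,DA
PC-891D,London Office,Windows 11 Pro,Tech Support,Accountant workstation,FINANCE
"""


def load_identities(text):
    """Index identity rows by lower-cased username; the access column becomes a set."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["access"] = set(row["access"].split(";"))
        index[row["username"].lower()] = row
    return index


def load_assets(text):
    """Index asset rows by lower-cased hostname."""
    return {row["hostname"].lower(): row for row in csv.DictReader(io.StringIO(text))}


# Hypothetical alert format: "<user> logged into <host> and shared '<file>' with <user>."
# Accepts straight or curly quotes around the file name and an optional trailing period.
ALERT_RE = re.compile(
    r"(?P<user>\S+) logged into (?P<host>\S+) and shared "
    r"[‘'\"](?P<file>.+?)[’'\"] with (?P<recipient>\S+?)\.?$"
)


def parse_alert(alert_text):
    """Pull the actor, host, file name and recipient out of the alert sentence."""
    m = ALERT_RE.search(alert_text.strip())
    if not m:
        raise ValueError("alert text does not match the expected share pattern")
    return m.groupdict()


def triage(alert_text, identities, assets):
    """Enrich the alert with inventory context and return a triage summary."""
    fields = parse_alert(alert_text)
    actor = identities.get(fields["user"].lower())
    recipient = identities.get(fields["recipient"].lower())
    asset = assets.get(fields["host"].lower())
    findings = []

    # Anything missing from inventory is itself a finding: without context the
    # analyst cannot confirm the activity is expected, so it must be escalated.
    if actor is None:
        findings.append(f"actor {fields['user']} not in identity inventory")
    if recipient is None:
        findings.append(f"recipient {fields['recipient']} not in identity inventory")
    if asset is None:
        findings.append(f"host {fields['host']} not in asset inventory")

    # When all three are known, check that both users hold the access group the
    # asset requires (the assumed required_access column).
    if actor and recipient and asset:
        needed = asset["required_access"]
        for label, ident in (("actor", actor), ("recipient", recipient)):
            if needed not in ident["access"]:
                findings.append(f"{label} {ident['username']} lacks {needed} access")

    return {
        "actor_role": actor["role"] if actor else None,
        "recipient_role": recipient["role"] if recipient else None,
        "asset_purpose": asset["purpose"] if asset else None,
        "file": fields["file"],
        "findings": findings,
        "verdict": "Expected" if not findings else "Escalate",
    }


if __name__ == "__main__":
    ids = load_identities(IDENTITY_CSV)
    hosts = load_assets(ASSET_CSV)
    alert = "G.Baker logged into HQ-FINFS-02 and shared ‘Financial Report US 2024.xlsx’ with R.Lund."
    print(triage(alert, ids, hosts))
```

For the article's alert the summary reports the recipient's role, the file server's purpose and a verdict of Expected, because both users hold the FINANCE group the server requires. A user or host that is missing from inventory, or a user without the required group, turns the verdict into Escalate with the reason listed, which is the case an L1 analyst should hand upward rather than close.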
Conclusion
For L1 SOC analysts, mastering asset and identity inventory is essential. By leveraging existing resources, you can triage alerts faster, make informed decisions, and maintain security across the organization.