I. Introduction
A Cyber Security Operations Center (CSOC) is responsible for the timely identification of suspicious activity on an organization's network and for investigating it thoroughly in order to prevent, or recover from, cyber incidents. A CSOC comprises cyber analysts who continuously monitor activity of interest, delivered in the form of alerts generated by the intrusion detection systems (IDSs). Analysts are expected to investigate every alert and, through a triage process, classify each one as either suspicious or innocuous. Suspicious alerts receive closer inspection, and a portion of them are categorized as significant alerts (incidents or events) according to the categories given in [1] and are escalated for further investigation. Figure 1 provides a visual representation of a typical alert data hierarchy for a CSOC organization [2].
Figure 1. Alert Data Hierarchy for a CSOC.
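To make the hierarchy concrete, the following is an added toy model of the funnel described above (alerts, triage into suspicious or innocuous, a subset of the suspicious alerts becoming significant alerts filed under a category and escalated). It is illustration code written for this page, not code from the paper or from any CSOC tool; the triage rules, the signature families, the incident categories, the monitored network range and the sample alerts are all hypothetical and constructed here.

```python
"""Toy model of the CSOC alert data hierarchy (added illustration).

Nothing here comes from the paper: the triage rules, signature
families, incident categories, network range and sample alerts are
all hypothetical.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL = ip_network("10.0.0.0/8")  # hypothetical monitored network


@dataclass(frozen=True)
class Alert:
    alert_id: int
    signature: str  # "<family>: <description>"; the family drives the rules
    src_ip: str
    dst_ip: str
    severity: int   # 1 (informational) .. 4 (critical), as set by the IDS


# Hypothetical mapping from signature family to the category under which
# a significant alert is filed when it is escalated.
CATEGORY_BY_FAMILY = {
    "malware": "malicious code",
    "exploit": "attempted intrusion",
    "exfil": "data exfiltration",
}


def family(alert: Alert) -> str:
    return alert.signature.split(":", 1)[0].strip().lower()


def triage(alert: Alert) -> str:
    """First tier: every alert is closed as 'innocuous' or kept as 'suspicious'."""
    fam = family(alert)
    internal_to_internal = (ip_address(alert.src_ip) in INTERNAL
                            and ip_address(alert.dst_ip) in INTERNAL)
    # Policy noise and informational internal-only traffic are closed;
    # everything else gets a closer look.
    if fam == "policy" or (alert.severity == 1 and internal_to_internal):
        return "innocuous"
    return "suspicious"


def categorize(alert: Alert) -> Optional[str]:
    """Second tier: which suspicious alerts become significant alerts.

    Returns the incident category, or None when the alert stays a
    suspicious alert that is closed without escalation.
    """
    if triage(alert) != "suspicious" or alert.severity < 3:
        return None
    return CATEGORY_BY_FAMILY.get(family(alert))


def build_hierarchy(alerts):
    """Count alerts at each level of the hierarchy and list what escalates."""
    suspicious = [a for a in alerts if triage(a) == "suspicious"]
    significant = {a.alert_id: categorize(a) for a in suspicious if categorize(a)}
    return {
        "alerts": len(alerts),
        "innocuous": len(alerts) - len(suspicious),
        "suspicious": len(suspicious),
        "significant": len(significant),
        "by_category": dict(Counter(significant.values())),
        "escalated_ids": sorted(significant),
    }


# Constructed sample feed standing in for IDS output (not real data).
SAMPLE_ALERTS = [
    Alert(1, "policy: software update check", "10.1.2.3", "10.1.0.9", 1),
    Alert(2, "scan: TCP port sweep", "203.0.113.7", "10.1.2.3", 2),
    Alert(3, "malware: known C2 beacon", "10.1.2.3", "198.51.100.4", 4),
    Alert(4, "exploit: SMB overflow attempt", "203.0.113.9", "10.1.2.8", 3),
    Alert(5, "info: DNS query to new domain", "10.1.2.3", "10.1.0.1", 1),
    Alert(6, "exfil: large upload to cloud storage", "10.1.2.8", "198.51.100.5", 2),
    Alert(7, "malware: known C2 beacon", "10.1.2.9", "198.51.100.4", 4),
]

if __name__ == "__main__":
    for tier, value in build_hierarchy(SAMPLE_ALERTS).items():
        print(f"{tier}: {value}")
```

Running it on the constructed feed gives 7 alerts, 2 innocuous, 5 suspicious, and 3 significant alerts (two filed as malicious code, one as attempted intrusion) escalated for further investigation; alerts 2 and 6 show the middle tier of the figure, suspicious alerts that are inspected but not escalated.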