Cywarden, Inc.
Website: cywarden.com
Job details:
Job Title: SOC Analyst – L2
Location: Chandigarh
Experience: 3-5 Years
Employment Type: Full-time
About the role
As an L2 SOC Analyst you’ll own advanced detection triage, investigation, and incident response for enterprise customers. You’ll validate and expand L1 findings, use multiple telemetry sources to build attack timelines, trigger containment via automated playbooks, collect forensic artifacts, and coordinate remediation with client IT teams. You will escalate novel or advanced threats to L3 and contribute to improving SOC runbooks, playbooks, and detection quality.
Core responsibilities (what you’ll do day-to-day)
- Accept escalated incidents from L1 and own in-depth investigation, validation, and response.
- Perform deep-dive analysis using Sentinel investigation graph, XDR causality views, and XSOAR timelines to reconstruct incidents and scope impact.
- Correlate related events across SIEM, XDR, and SOAR to build a consolidated incident timeline and evidence package.
- Trigger containment and mitigation actions (endpoint isolation, account disable, IP blocking, mail quarantine) via XSOAR playbooks or manual controls when required.
- Collect, preserve, and log forensic artifacts (memory, disk images, EDR traces, email headers) for follow-up analysis and audit purposes.
- Coordinate remediation activities with client IT / infrastructure teams and document remediation validation steps.
- Escalate advanced threats (APT activity, ransomware, zero-day exploits) to L3 with a clear executive summary and a technical evidence pack.
- Validate true positives, close false positives with documented rationale, and recommend detection tuning to reduce noise.
- Maintain accurate case notes, timelines, and evidence in the SOAR/Case Management system.
- Contribute to playbook and runbook improvements, detection tuning, and post-incident reviews (RCA).
Key tasks / technical snap points
- Triage alerts from Microsoft Sentinel, EDR/XDR, email, and network feeds, and perform prioritized investigations.
- Use EDR tools to inspect suspicious processes, persistence mechanisms, and lateral movement artifacts.
- Investigate phishing and email compromise incidents (malware, BEC, spoofing) and coordinate takedown or containment actions.
- Run KQL and Splunk queries to hunt, pivot, and validate attacker activity across log sources.
- Execute and improve XSOAR playbooks for enrichment, containment, ticketing, and escalation.
- Preserve chain-of-custody for evidence and ensure case readiness for forensic deep dives or external escalation.
Tools & technologies you are well versed with
- Microsoft Sentinel
- Microsoft Defender for Endpoint
- Splunk
- Cofense
- Proofpoint
- Cortex XSOAR
- Cortex XDR
(You’ll also work with internal CMDBs, ticketing systems (ServiceNow/Jira), threat intel feeds, and forensic toolsets.)
Required skills & experience (must-have)
- 3–5 years in SOC operations / incident response with demonstrable L2 experience.
- Strong hands-on experience with Microsoft Defender and Microsoft Sentinel (KQL basics).
- Practical experience in Splunk for log analysis and event correlation.
- Experience investigating phishing attacks using Cofense, Proofpoint or equivalent tools.
- Solid understanding of the Incident Response lifecycle and MITRE ATT&CK mappings.
- Ability to collect and preserve forensic artifacts and maintain chain-of-custody.
- Clear, concise technical writing and verbal communication for handoffs and client coordination.
- Comfortable working in rotational shift schedules.
Nice-to-have
- Experience with SOAR platforms and playbook authoring (XSOAR preferred).
- Threat hunting / use-case tuning experience and familiarity with EDR/XDR investigations.
- Basic scripting (PowerShell, Python) for small automations and enrichment tasks.
- Certifications: SC-200, Splunk Power User / ES, GCIA / GCIH, CEH or equivalent.
Behavioural competencies
- Takes ownership and drives investigations to closure.
- Logical, methodical investigative mindset and attention to detail.
- Strong collaboration skills — able to work with remote client teams and internal stakeholders.
- Comfortable with ambiguity, prioritizes under pressure, and escalates appropriately.
- Continuous improvement orientation — actively contributes to runbook/playbook tuning.
What we offer
- Clear progression path to L3 / detection engineering roles.
- Mentorship from experienced incident responders and access to continuous training.
- Competitive compensation and benefits aligned to experience.
- Opportunity to work on complex, real-world incidents across enterprise environments.