BLOG • 6 min read

Toolkit for SOC Analysts in 2026

A SOC analyst's effectiveness depends not just on understanding individual tools, but on understanding how they work together during an investigation. A SIEM generates an alert. An EDR provides the endpoint context to evaluate it. A threat intelligence platform enriches the indicators it contains. A ticketing system tracks what was done and when. A SOAR platform automates the repetitive steps between all of them. No single tool tells the full story. Knowing how to move between them under pressure is what the job actually requires.

The toolkit has also evolved by tier. A Tier 1 analyst works primarily in SIEM dashboards and ticketing systems, following defined playbooks. A Tier 2 analyst needs deeper proficiency across EDR, network monitoring, forensic tooling, and threat intelligence, and is expected to investigate independently rather than escalate. This guide maps the toolkit to how it is actually used, at each level.


The Core Tool Categories

SIEM: Where Every Investigation Starts

The Security Information and Event Management platform is the central nervous system of the SOC. It ingests logs from across the environment (firewalls, endpoints, servers, applications, and cloud platforms), correlates them, and surfaces alerts when patterns match detection rules.

For a Tier 1 analyst, the SIEM is where the shift begins and ends. Reviewing the alert queue, querying logs to understand what happened before and after an alert triggered, and building the basic timeline of an event are all SIEM tasks. At Tier 2, the work involves writing custom detection rules, tuning alert logic to reduce false positives, and running complex investigative queries that span multiple log sources simultaneously.

The dominant platforms in 2026 are Splunk (with its SPL query language), Microsoft Sentinel (KQL), IBM QRadar, and Elastic Security. Splunk and Sentinel are the most widely represented in job postings and the most relevant for candidates to develop proficiency in.

What analysts need to know: Writing basic and intermediate searches, understanding how correlation rules work, interpreting alert context, and recognising when a log gap indicates a visibility problem rather than absence of activity.
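The log-gap point is the one most often missed in triage, so here is an added example (not from the original post) that puts it into code: each source's silence is compared with its own median reporting interval, so a firewall forwarder that goes quiet is flagged as a visibility problem rather than read as "nothing happened". All host names, log lines, timestamps and the tolerance factor are constructed.

```python
"""Added example (not from the original post): tell a SIEM log gap apart from
genuine inactivity by comparing each source's silence with its own cadence.
All log lines, host names and timestamps below are constructed sample data."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed syslog-style lines: "<ISO timestamp> <source> <message>".
SAMPLE_LOGS = """\
2026-04-17T09:00:00 fw-edge-01 ACCEPT tcp 10.0.1.5 -> 203.0.113.10:443
2026-04-17T09:01:00 fw-edge-01 ACCEPT tcp 10.0.1.7 -> 203.0.113.11:443
2026-04-17T09:02:00 fw-edge-01 DENY tcp 10.0.1.9 -> 198.51.100.4:22
2026-04-17T09:03:00 fw-edge-01 ACCEPT tcp 10.0.1.5 -> 203.0.113.10:443
2026-04-17T09:00:10 ws-finance-12 Sysmon ProcessCreate excel.exe
2026-04-17T09:05:40 ws-finance-12 Sysmon ProcessCreate outlook.exe
2026-04-17T09:11:10 ws-finance-12 Sysmon NetworkConnect outlook.exe
2026-04-17T09:00:00 dc-01 4624 logon user=j.doe
2026-04-17T09:05:00 dc-01 4624 logon user=a.smith
2026-04-17T09:10:00 dc-01 4624 logon user=m.lee
"""

def parse(lines):
    """Group sorted event timestamps by log source."""
    events = defaultdict(list)
    for line in lines.splitlines():
        if line.strip():
            ts, source, _ = line.split(" ", 2)
            events[source].append(datetime.fromisoformat(ts))
    return {src: sorted(t) for src, t in events.items()}

def visibility_gaps(events, now, tolerance=3.0):
    """Return {source: (silence_s, baseline_s)} for sources whose silence since
    their last event exceeds `tolerance` times their median inter-event gap."""
    gaps = {}
    for source, times in events.items():
        if len(times) < 2:
            continue  # no baseline cadence to compare against
        baseline = median((b - a).total_seconds() for a, b in zip(times, times[1:]))
        silence = (now - times[-1]).total_seconds()
        if silence > tolerance * baseline:
            gaps[source] = (silence, baseline)
    return gaps

def check_sources(lines, now_iso, tolerance=3.0):
    """Convenience wrapper: raw log text + 'now' as an ISO string -> gap report."""
    return visibility_gaps(parse(lines), datetime.fromisoformat(now_iso), tolerance)

if __name__ == "__main__":
    for src, (silence, base) in check_sources(SAMPLE_LOGS, "2026-04-17T09:12:00").items():
        print(f"{src}: silent {silence:.0f}s, normally every {base:.0f}s "
              "-> check the forwarder before reading this as 'no activity'")
```

At 09:12 only the firewall is flagged: the domain controller has been silent for two minutes but normally logs every five, so its silence is within cadence.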


EDR: Endpoint Visibility

Endpoint Detection and Response tools monitor individual endpoints (workstations, servers) in real time, detecting suspicious process behaviour, file execution, registry changes, and network connections from the host perspective.

At Tier 1, EDR is used reactively: when a SIEM alert fires, the analyst checks the EDR to see what the endpoint was doing at the relevant time, whether a suspicious process spawned child processes, whether any unusual files were created, and whether the endpoint has been seen communicating with known-bad infrastructure.

At Tier 2, EDR proficiency extends to live response capabilities: remotely collecting artefacts from a compromised host, isolating an endpoint from the network, and performing deeper behavioural analysis to understand the full scope of a compromise.

The most widely deployed platforms are CrowdStrike Falcon, Microsoft Defender for Endpoint, and SentinelOne.

What analysts need to know: Navigating EDR consoles, reading process trees, interpreting behavioural detections, and correlating EDR findings with SIEM alert context.


Network Monitoring: Traffic Visibility

Network Detection and Response tools and packet capture analysis provide visibility into what is happening on the network rather than on individual endpoints. They are particularly valuable for detecting lateral movement, command and control beaconing, and data exfiltration that does not generate endpoint-level detections.

Tools in this category include Zeek (formerly Bro) for network traffic analysis, Wireshark for packet-level inspection, Suricata and Snort for IDS/IPS alerting, and NDR platforms like Darktrace and ExtraHop for behavioural anomaly detection.

At Tier 1, network tool interaction is typically limited to reviewing IDS/IPS alerts and basic traffic analysis. At Tier 2, analysts are expected to read PCAP files, write Suricata rules, and analyse network flows to reconstruct attack chains that span multiple hosts.


Threat Intelligence: Enrichment and Context

Threat intelligence tools give analysts the context to evaluate whether an indicator (an IP address, a domain, a file hash) is associated with known malicious activity. Without this context, alert triage is slower and less accurate.

VirusTotal is the most widely used free tool for hash and URL analysis. MISP (Malware Information Sharing Platform) is the dominant open-source threat intelligence platform for sharing and correlating IoCs. AlienVault OTX provides community threat intelligence feeds. Commercial platforms like Recorded Future and CrowdStrike Falcon Intelligence provide higher-confidence, curated intelligence at enterprise scale.

At Tier 2, threat intelligence use expands beyond enrichment into active hunting: using intelligence feeds to search the environment for known TTPs associated with active threat actors, and mapping findings to the MITRE ATT&CK framework.


Ticketing and Case Management

Ticketing systems manage the lifecycle of every security incident from detection to closure. They create the audit trail that demonstrates how incidents were handled, track escalations, and provide the data that drives SOC performance metrics like Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).

ServiceNow, Jira, and the open-source TheHive are the most common platforms. Clear, accurate case documentation is expected at every tier. At Tier 2, analysts are also expected to produce investigation summaries that give Tier 1 analysts and management a clear picture of what happened and what was done.


SOAR: Automation and Orchestration

Security Orchestration, Automation and Response platforms connect the tools above into automated workflows. Common use cases include automated alert enrichment (automatically querying VirusTotal for every hash in an alert), automated ticket creation from SIEM detections, and automated endpoint isolation when specific detection criteria are met.

Cortex XSOAR, Splunk SOAR, and Swimlane are the most widely deployed platforms. SOAR familiarity is increasingly expected at Tier 2 level, both for executing playbooks and for understanding which parts of the investigation workflow can be safely automated.


The Full Toolkit by Tier

| Tool / platform | Category | Tier 1 use | Tier 2 use | Examples |
|---|---|---|---|---|
| SIEM | Log aggregation and alerting | Alert triage, basic log queries, timeline building | Custom detection rules, complex cross-source queries, tuning | Splunk, Microsoft Sentinel, IBM QRadar, Elastic |
| EDR | Endpoint detection and response | Process tree review, alert context, basic host investigation | Live response, artefact collection, host isolation, deep behavioural analysis | CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne |
| Network monitoring | Traffic visibility and anomaly detection | IDS/IPS alert review, basic traffic analysis | PCAP analysis, custom Suricata rules, network flow reconstruction | Zeek, Wireshark, Suricata, Snort, Darktrace |
| Threat intelligence | IoC enrichment and context | Hash, IP and domain lookups, alert enrichment | Active hunting with TTP-based intelligence, ATT&CK mapping | VirusTotal, MISP, AlienVault OTX, Recorded Future |
| Ticketing / case management | Incident tracking and documentation | Case creation, investigation notes, escalation documentation | Investigation summaries, incident reports, trend analysis | ServiceNow, Jira, TheHive |
| SOAR | Automation and orchestration | Executing automated playbooks, following automated enrichment outputs | Building and maintaining playbooks, identifying automation opportunities | Cortex XSOAR, Splunk SOAR, Swimlane |
| Forensic tooling | Deep host and memory investigation | Basic artefact review when directed | Memory analysis, timeline forensics, malware triage, disk imaging | Volatility, Autopsy, KAPE, Redline |
| MITRE ATT&CK framework | Adversary behaviour reference | Mapping alerts to techniques, understanding attacker context | Building hypothesis-driven hunts, detection coverage mapping | ATT&CK Navigator, ATT&CK technique pages |

How the Tools Work Together in Practice

Understanding tools in isolation is not the same as understanding how they function during a real investigation. A Tier 1 analyst working through a phishing alert will typically move through four or five tools in sequence before reaching a conclusion.

The SIEM fires an alert: a user executed a macro-enabled Office document. The analyst queries the SIEM for the surrounding log context to understand what happened before and after. They pivot to the EDR to review the process tree: what did the macro spawn, did it make network connections, did it write files to disk? They check those file hashes in VirusTotal to see if they are known malicious. They look up the outbound IP in MISP to see if it appears in any threat intelligence feeds. They document everything in the ticketing system as they go. If the investigation confirms a genuine compromise, they escalate to Tier 2 with a concise summary of what they found.

That sequence, from SIEM to EDR to threat intelligence to ticketing, is the core workflow that Tier 1 proficiency is built around. Every tool in the chain serves a specific purpose, and gaps in any of them create investigation blind spots.
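The SIEM-to-EDR-to-intel-to-ticket chain above is exactly the sequence a SOAR enrichment playbook automates, so here it is as an added example in Python (not code from the original post or from any of the vendors named). The EDR process events and the intel verdicts are constructed stand-ins: in a real SOC the hash and IP lookups would go to VirusTotal and MISP, and the note would be written to the case system.

```python
"""Added example (not from the original post): the Tier 1 phishing triage chain
in code. EDR telemetry and the intel store are constructed stand-ins; in a real
SOC the lookups go to VirusTotal/MISP and the note to the ticketing system."""
from dataclasses import dataclass, field

@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    sha256: str = ""                     # hash of a file the process wrote
    remote_ips: list = field(default_factory=list)

# Constructed process events for the alerting host; hashes and IPs are fake.
TELEMETRY = [
    Proc(512, 400, "WINWORD.EXE"),                     # SIEM alert: macro ran here
    Proc(620, 512, "cmd.exe"),
    Proc(688, 620, "powershell.exe", remote_ips=["203.0.113.77"]),
    Proc(701, 688, "updater.exe", sha256="a1" * 32, remote_ips=["203.0.113.77"]),
    Proc(533, 400, "OUTLOOK.EXE"),                     # sibling, not in the tree
]

# Constructed stand-in for a VirusTotal hash lookup and a MISP IP feed.
INTEL = {"a1" * 32: "VirusTotal: 41/70 engines flag as downloader (constructed)",
         "203.0.113.77": "MISP: listed as C2 infrastructure (constructed)"}

def descendants(procs, root_pid):
    """EDR process-tree pivot: every process spawned, transitively, by root_pid."""
    by_parent = {}
    for p in procs:
        by_parent.setdefault(p.ppid, []).append(p)
    tree, stack = [], [root_pid]
    while stack:
        for child in by_parent.get(stack.pop(), []):
            tree.append(child)
            stack.append(child.pid)
    return tree

def triage(procs, alert_pid):
    """SIEM alert -> EDR tree -> IoC enrichment -> case note and escalation call."""
    tree = descendants(procs, alert_pid)
    indicators = {p.sha256 for p in tree if p.sha256}
    indicators |= {ip for p in tree for ip in p.remote_ips}
    hits = {ioc: INTEL[ioc] for ioc in indicators if ioc in INTEL}
    note = [f"PID {alert_pid} spawned: " + " -> ".join(p.image for p in tree)]
    note += [f"IoC {ioc}: {verdict}" for ioc, verdict in sorted(hits.items())]
    note.append("Escalate to Tier 2" if hits else "Close as benign, no intel hits")
    return hits, note

if __name__ == "__main__":
    print("\n".join(triage(TELEMETRY, 512)[1]))
```

The unrelated OUTLOOK.EXE sibling never enters the tree, which is the point of pivoting on the process tree rather than on everything the host did that minute.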


Certifications That Map to This Toolkit

TryHackMe SAL1 (Security Analyst Level 1) puts candidates inside a live SOC simulator working through exactly this kind of alert investigation workflow. The exam uses real tooling, real data, and real scenarios that reflect Tier 1 analyst responsibilities. Backed by Accenture and Salesforce, SAL1 is the certification that validates Tier 1 tool proficiency in a practical exam environment rather than through multiple choice.

TryHackMe SAL2 (Security Analyst Level 2) takes the toolkit deeper. SAL2 covers the Tier 2 capabilities: advanced SIEM investigation, EDR live response, forensic tooling, memory analysis, and threat hunting with TTP-based intelligence. Pablo Menendez Cores, SOC Analyst at NCC Group, described SAL2 as "a strong and practical certification... it reflects quite well what we actually do in an MSSP environment." That endorsement from a practitioner at one of the most respected names in managed security services positions SAL2 as the certification that validates the full Tier 2 toolkit, not just the Tier 1 baseline.

Together, SAL1 and SAL2 map directly to the progression from alert triage analyst to independent investigator, with each certification validating the toolkit and skills appropriate to that level.


Build Proficiency With the Real Toolkit

TryHackMe's SOC Level 1 path covers the core Tier 1 tools in a structured, hands-on environment: Splunk investigation, Windows event log analysis, network traffic analysis, threat intelligence enrichment, and the documentation and reporting workflows that SOC roles require from day one.

The platform puts you inside live environments using the same categories of tools you will use in a real SOC, which means every completed room builds the specific muscle memory that matters when you are working through an alert queue under real conditions.

Author: Nick O'Grady
Apr 17, 2026
