Security Operations Centre Analyst


Applications have closed


The primary objective of this service is to act as the first line of response regarding the potential
occurrence of a cyber attack or security incident. Supported by several automated tools such as
intrusion detection systems, log correlation engines and SIEM, ticketing system, alerts and warning
from internal and external sources, this service involves receiving, triaging and responding to
alerts, requests and reports, and analysing events and potential incidents and to provide the
primary support for incident responders. Triage involves assessing whether a security incident or
the level of exposure of a vulnerability is a true or false positive, tagging the vulnerability or incident
with an initial severity classification and to activate the corresponding incident response playbook
entry. Another objective of this service is to follow pre-defined procedures to perform technical
tasks related to identity and access management.


 Real-time monitoring of cyber defence and intrusion detection systems
 Automatic-based processing (centralisation, filtering and correlation) of security events
 Human-based analysis of automatically correlated events
 Processing of incoming warnings, alerts and reports
 Triage based on verification, level of exposure and impact assessment
 Categorize events, incidents and vulnerabilities based on relevance, exposure and impact
 Open tickets and ensure case management
 Activate initial response plan based on standard playbook entries
 Maintain incident response address book
 Provide support to incident responders
 Advise affected users on appropriate course of action
 Monitor open tickets for incidents/vulnerabilities from start to resolution
 Escalate unresolved problems to higher levels of support, including the incident response
and vulnerability mitigation teams
 Configure the SIEM components for an optimal performance
 Improve correlation rules to ensure that the monitoring policy allows an efficient detection of
potential incidents. For a new component to be monitored, this encompasses
 Analysing risks and security policy requirements
 Translating them into technical events targeting the system components
 Identifying the required logs/files/artefacts to collect from the monitored system and,if necessary, possible complementary devices to deploy
 Elaborating the relevant detection and correlation rules
 Implementing these rules in the SIEM infrastructure
 Configuring and tuning cyber-defense solutions
 Reviewing and improving the monitoring policy on a regular basis
 Integrate cyber-defence solutions for efficient detection
 Define dashboards and reports for reporting on KPIs.
 Produce qualified reports (including recommendations) or alerts to SOC customers and follow-up on actions
 Contribute to the design of the overall monitoring architecture, in close relationship with the customers/system owners, on the one hand, and the security operations engineering team, on the other hand, by performing the following tasks:
 Assessment of security events detection solutions, development of solutions;
 Integration of these solutions within the security monitoring scheme (log collection architecture, interoperability, formats, network aspects, …);
 Deployment and validation of the solutions;
 Draft documentation such as architecture design descriptions, assessment reports,
configuration guides, security operating procedures
 Produce and maintain accurate and up-to-date technical documentation, including
processes and procedures (so called playbook), related to security incidents and preventive
maintenance procedures
 Management of identities and its related user accounts
 Management of groups, roles and other means of authorization
 Solve incidents, requests and problem tickets from 1st Level Support or internal customers
related to identity and access management
 Maintain accurate documentation
 During security incidents, implement detection means to monitor attacker activities in realtime
 Integrate IOCs in security solutions
 Take an active part in developing and improving the maturity framework, and have it understood and implemented by the team, by:

  • Designing and drafting SOC processes and procedures framework
  • Implementing SOC processes and procedures, deploy collaborative tools and dashboards
  • Coaching/training the team on the processes, procedures and tools
  • Regularly auditing and reporting on maturity to the management
  • Reviewing and improving the framework

 Provide activity reports to management to demonstrate service SLA and service quality

Key Requirements:

At least 1 certification among:
 GPEN (GIAC Certified Penetration Tester)
 GCED (GIAC Certified Entreprise Defender)
 GPPA (GIAC Certified Perimeter ProtectionAnalyst)
 GCFE (GIAC Certified Forensic Examiner)
 GCFA (GIAC Certified Forensic Analyst)
 GNFA (GIAC Certified Network Forensic Analyst)
 CFCE (IACIS Certified Forensic ComputerExaminer)
 CCFP (Certified Cyber Forensics Professional)
 SCMO (SABSA Certified Security Operations &Service Management Specialist) or an equivalent certification rec-ognized internationally (subject to acceptance as a valid-credential by the Contracting EU-I)

  • Networking (TCP/IP, SNMP, DNS, Syslog-ng, etc.)
  • Strong knowledge in the security analysis of firewall,
    proxy,and IDS logs
  • Strong knowledge in the security analysis of Applicable
    or Middleware logs (Oracle, Apache, Weblogic)
  • SIEM (Arcsight ESM 6.x, Q-RADAR, or equivalent -
    subject to acceptance by the contracting EU-I)
  • Log management solution (Arcsight Loggers and/or QRADAR
    and/or Splunk or equivalent - subject to
    acceptance of the contracting EU-I))

Desirable skills

  • STIX (Structured Threat Information Expression) with a
    particular focus on the following related standards:
    • CybOX (Cyber Observables)
    • CAPEC (Attack Patterns)
    • MAEC (Malware)
    TAXII (Threat Information Exchange)
  • Experience in using, configuring and tuning a SIEM
  • Knowledge in network security solution/technologies
    o Firewalls;
    o Network IDS and IPS;
    o Switches and routers
    o APT detection solutions such as
    o DNS, DHCP, VPN, …
    o Network forensics (full packet capture)
    o Traffic baselining analysis
  • Knowledge in Host based security solutions
    o HIPS;
    o Malware end-point protection
    o OS logs
  • Strong knowledge in Windows security events analysis
  • Writing and optimizing IDS signatures (preferably
    SNORT and/or SURICATA)
  • Writing and optimizing YARA rules
  • SNORT or SourceFire NGIPS, FireSIGHT,
  • Suricata/StamusNetworks
  • ELK (ElasticSearch, Logstash & Kibana)
  • FireEye Ex, Nx, Ax, Fx, Hx, Ix
  • CheckPoint and Juniper Firewalls
  • BlueCoat proxies

The following documents / procedures will be requested to successfully complete the hiring process :

  • A copy of your university degree(s)
  • A copy of your criminal record
  • Security Clearance Procedure



CRI company part of VASS Group, leads the digital transformation and cyber security in the European Union.

CRI operates serving the European Union Institutions, telecom operators, financial institutions and governmental bodies through a comprehensive offering of services and technologies.

Please visit our website and let's get in touch:

Tags: APT ArcSight Audits Clearance DNS Elasticsearch ELK Firewalls Forensics GCED GCFA GIAC GNFA GPEN IAM IDS Incident response Intrusion detection IPS KPIs Malware Monitoring Network security Oracle QRadar Security analysis Security Clearance SIEM Snort SOC Sourcefire Splunk TCP/IP VPN Vulnerabilities Windows

Perks/benefits: Career development Team events

Region: Europe
Country: Belgium
Job stats:  48  3  0

More jobs like this

Explore more InfoSec/Cybersecurity career opportunities

Find open roles in Ethical Hacking, Pen Testing, Security Engineering, Threat Research, Vulnerability Analysis, Cryptography, Digital Forensics and Cyber Security in general, filtered by job title or popular skill, toolset and products used.