SonicSentry delivers a 24x7 Security Operations Center (SOC) that monitors, detects, investigates, and responds to security threats on behalf of our partners. Our monitoring spans endpoints, servers, cloud and identity platforms, and network devices including firewalls. This document describes our incident response methodology, severity-based runbooks, escalation procedures, and the service level commitments that govern our operations. It is intended to provide partners with a clear understanding of how we protect their environments and what they can expect from us when an incident occurs.
Our methodology follows a continuous five-phase cycle designed to both prevent incidents and recover from them effectively.
| Phase | Owner | Description |
| --- | --- | --- |
| 01 - Prepare/Protect | Partner & SonicSentry Support | Ensure all security controls, configurations, and tooling are in place, tested, and validated before any threat occurs. |
| 02 - Detect | SOC | Monitor telemetry across endpoints, servers, cloud and identity platforms, and network devices. Automated correlation rules and manual threat hunting identify anomalous or malicious activity across all sources. |
| 03 - Mitigate | SOC | When a confirmed or high-confidence threat is identified, the SOC takes immediate containment action to limit damage and prevent further spread, without waiting for partner authorization in Critical situations. |
| 04 - Investigate | SOC | Analyze and document the timeline, scope, and impact of the incident through analysis of available telemetry and endpoint data. This includes identifying any related activity or events within the environment that were not part of the initial alert. |
| 05 - Remediate | Partner | Once the threat has been eradicated, the partner restores systems, configurations, and data to their known-good state, with SOC guidance as needed. |
The following targets apply to all automated event processing and represent our standard of care for partner environments.
| Metric | Target | Notes |
| --- | --- | --- |
| Target Analysis Time | 15 minutes | Automated event triage and classification |
| Target Response Time | 30 minutes | Analyst action or partner notification initiated |
These targets reflect the time from when an event is received by the SIEM/SOAR platform to when analyst action or partner notification is initiated. Complex, multi-system incidents may require additional investigation time beyond the initial response.
Incidents are assigned one of three severity levels based on the analyst's assessment of available evidence, regardless of the source platform.
**Note:** Severity levels are not static. They may be elevated or lowered at any point as additional evidence is gathered or as partner confirmations are received. Partners will always be notified when a severity level changes.
| Severity | Description | Notification | Mitigation Actions | Severity Change |
| --- | --- | --- | --- | --- |
| Minor | Abnormal activity across any monitored platform; informational | Email only | None | Can be elevated |
| Major | Suspicious activity across any monitored platform; no confirmed compromise | Email; phone call at analyst discretion | None | Can be elevated or lowered |
| Critical | High-confidence compromise (breach or active infection) across any monitored platform | Email + phone call required | Endpoint isolation; identity lockout (where applicable) | Can be lowered upon confirmation |
**Minor severity runbook**
Classification: Informational
Notification: Email only
Mitigation: None
Abnormal activity has been identified across one or more monitored platforms that does not meet the analyst's expectation of normal activity. The false-positive rate for Minor alerts is relatively high; however, the information is considered valuable for the partner to review and determine whether further investigation is warranted.
| Step | Action | Owner |
| --- | --- | --- |
| 1 | Analyst receives automated alert or identifies activity through threat hunting across any monitored platform (endpoint, server, cloud/identity, or firewall/network). | SOC Analyst |
| 2 | Analyst investigates available telemetry to assess authenticity, timeline, and context. | SOC Analyst |
| 3 | Analyst determines activity is abnormal but does not meet the threshold for suspicious or malicious classification. | SOC Analyst |
| 4 | Analyst classifies incident as Minor and documents findings in the incident record. | SOC Analyst |
| 5 | Analyst sends email notification to the partner's designated SOC Alert contact, including full investigation details and a recommendation to review. | SOC Analyst |
| 6 | No mitigation actions are taken. The partner determines whether further investigation or action is required. | Partner |
| 7 | If the partner's review reveals indicators of compromise or escalating activity, the partner notifies the SOC to re-investigate. The analyst may elevate severity accordingly. | SOC / Partner |
**Major severity runbook**
| Step | Action | Owner |
| --- | --- | --- |
| 1 | Analyst receives automated alert or identifies activity through threat hunting across any monitored platform (endpoint, server, cloud/identity, or firewall/network). | SOC Analyst |
| 2 | Analyst investigates available telemetry across all relevant platforms to assess authenticity, timeline, and scope. | SOC Analyst |
| 3 | Analyst determines activity is suspicious but finds no direct evidence of a compromise (e.g., threat was blocked or quarantined, suspicious sign-in was not followed by account activity, firewall blocked malicious traffic). | SOC Analyst |
| 4 | Analyst classifies incident as Major and documents findings in the incident record. | SOC Analyst |
| 5 | Analyst sends email notification to the partner's designated SOC Alert contact with full investigation details and recommended next steps. | SOC Analyst |
| 6 | At the analyst's discretion, a phone call may be placed to the partner's emergency contact if the nature of the activity warrants immediate verbal notification (e.g., high-volume suspicious activity, near-miss compromise, unusual identity behavior). | SOC Analyst |
| 7 | No mitigation actions are taken. Initiating containment without confirmed compromise risks operational disruption disproportionate to the threat. | SOC Analyst |
| 8 | Partner investigates the flagged activity and provides feedback to the SOC. If compromise is confirmed, the SOC elevates to Critical and engages the Critical runbook immediately. | Partner / SOC |
**Critical severity runbook**
| Step | Action | Owner |
| --- | --- | --- |
| 1 | Analyst receives automated alert or identifies activity through threat hunting across any monitored platform. | SOC Analyst |
| 2 | Analyst conducts rapid triage of available telemetry across all relevant platforms to confirm scope, timeline, and indicators of compromise. | SOC Analyst |
| 3 | Analyst classifies incident as Critical and documents findings in the incident record. | SOC Analyst |
| 4 | Endpoint: If not already automated, analyst initiates network containment (isolation) on affected endpoint(s) or server(s) to prevent lateral movement and further spread. Connectivity is maintained for ongoing SOC investigation. | SOC Analyst |
| 5 | Domain Controller Exception: If the affected device is the sole Domain Controller and DNS resolver for the network, isolation will sever communication with all hosts on that network. The analyst will document this risk and consult the partner before isolating, if contact can be reached rapidly. | SOC Analyst |
| 6 | Cloud / Identity: If identity compromise is detected (Microsoft 365 or Google Workspace), analyst initiates identity mitigation: sign out all active sessions and block sign-in for the affected account(s). | SOC Analyst |
| 7 | Firewall / Network Devices: The SOC does not perform mitigation actions on network devices. The analyst will notify the partner of any firewall or network-level findings so the partner can take appropriate action. | SOC Analyst / Partner |
| 8 | Analyst sends email notification to both the SOC Alert contact and Emergency Contact(s) on file, outlining investigation details and all response actions taken. | SOC Analyst |
| 9 | Analyst places a phone call to the partner's emergency contact number(s). Four call attempts will be made within the first hour. | SOC Analyst |
| 10 | If contact is not made in the first hour, the analyst will place one call attempt at the top of every subsequent hour until contact is established. | SOC Analyst |
| 11 | Once contact is made, the analyst briefs the partner on the incident details, containment actions taken, current status, and recommended next steps. | SOC Analyst |
| 12 | SOC continues to monitor contained systems and the broader environment across all platforms for additional indicators. Connectivity to isolated endpoints or servers can be restored by the SOC once the threat is assessed as contained and the partner is ready to proceed with remediation. | SOC Analyst |
| 13 | Partner leads remediation activities (re-imaging, credential resets, patching, firewall rule changes, configuration review, etc.). SOC provides investigative support as needed. | Partner / SOC |
| 14 | Severity may be lowered (e.g., to Major) if further investigation or partner confirmation rules out an actual compromise. | SOC Analyst |
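The two timing rules in this document, the 15-minute analysis and 30-minute response targets measured from SIEM/SOAR receipt, and the Critical contact cadence of four call attempts in the first hour followed by one at the top of every subsequent hour, are easy to state and easy to get wrong when tracked by hand. The following script is an added example, not SonicSentry's own tooling, that measures both SLA clocks over constructed incident records and produces the planned call-attempt schedule. It assumes the four first-hour attempts are evenly spaced 15 minutes apart (the runbook fixes only the count) and that an SLA clock with no end timestamp is measured against the current time, so an incident that is still unclassified after 20 minutes already counts as a breach.

```python
"""SLA-clock and Critical-incident call-cadence helpers.

Added example, not SonicSentry's own tooling. Models two rules from the
runbook: the 15-minute analysis / 30-minute response targets (measured from
the time the SIEM/SOAR received the event) and the Critical contact cadence
(four attempts in the first hour, then one at the top of every later hour).

Assumptions not stated on the page: first-hour attempts are 15 minutes apart,
and all incident records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

ANALYSIS_TARGET = timedelta(minutes=15)     # page: Target Analysis Time
RESPONSE_TARGET = timedelta(minutes=30)     # page: Target Response Time
FIRST_HOUR_ATTEMPTS = 4                     # page: four attempts in hour one
FIRST_HOUR_SPACING = timedelta(minutes=15)  # assumption: even spacing


@dataclass
class IncidentRecord:
    incident_id: str
    severity: str                       # "Minor", "Major" or "Critical"
    received_at: datetime               # event received by SIEM/SOAR
    classified_at: Optional[datetime]   # severity recorded by the analyst
    responded_at: Optional[datetime]    # analyst action or partner notification


def sla_status(rec: IncidentRecord, now: datetime) -> Dict[str, object]:
    """Measure both SLA clocks for one record.

    A clock that has not stopped yet (missing timestamp) is measured against
    `now`, so an incident still unclassified 20 minutes after receipt already
    counts as an analysis breach instead of being skipped.
    """
    analysis = (rec.classified_at or now) - rec.received_at
    response = (rec.responded_at or now) - rec.received_at
    return {
        "incident_id": rec.incident_id,
        "analysis_minutes": analysis.total_seconds() / 60,
        "analysis_breached": analysis > ANALYSIS_TARGET,
        "response_minutes": response.total_seconds() / 60,
        "response_breached": response > RESPONSE_TARGET,
        "open": rec.classified_at is None or rec.responded_at is None,
    }


def sla_breaches(records: List[IncidentRecord], now: datetime) -> List[str]:
    """IDs of records that have breached either target, in input order."""
    return [
        s["incident_id"]
        for s in (sla_status(r, now) for r in records)
        if s["analysis_breached"] or s["response_breached"]
    ]


def contact_schedule(first_call: datetime,
                     contact_made: Optional[datetime] = None,
                     horizon: timedelta = timedelta(hours=6)) -> List[datetime]:
    """Planned call-attempt times for a Critical incident.

    Attempts stop at `contact_made` (no attempt is placed at or after that
    time) or once `horizon` has elapsed since the first call.
    """
    stop = first_call + horizon
    if contact_made is not None:
        stop = min(stop, contact_made)
    attempts: List[datetime] = []
    for i in range(FIRST_HOUR_ATTEMPTS):
        t = first_call + i * FIRST_HOUR_SPACING
        if t >= stop:
            return attempts
        attempts.append(t)
    # After the first hour: the next top-of-hour at or after first_call + 1h,
    # then every hour on the hour.
    t = first_call + timedelta(hours=1)
    if t != t.replace(minute=0, second=0, microsecond=0):
        t = t.replace(minute=0, second=0, microsecond=0) + timedelta(hours=1)
    while t < stop:
        attempts.append(t)
        t += timedelta(hours=1)
    return attempts


# Constructed sample data (not real incidents).
SAMPLE_NOW = datetime(2024, 1, 1, 10, 50)
SAMPLE_RECORDS = [
    IncidentRecord("INC-0001", "Major", datetime(2024, 1, 1, 10, 0),
                   datetime(2024, 1, 1, 10, 12), datetime(2024, 1, 1, 10, 25)),
    IncidentRecord("INC-0002", "Minor", datetime(2024, 1, 1, 10, 0),
                   datetime(2024, 1, 1, 10, 20), datetime(2024, 1, 1, 10, 50)),
    IncidentRecord("INC-0003", "Critical", datetime(2024, 1, 1, 10, 40),
                   None, None),
    IncidentRecord("INC-0004", "Critical", datetime(2024, 1, 1, 10, 0),
                   datetime(2024, 1, 1, 10, 5), None),
]
SAMPLE_FIRST_CALL = datetime(2024, 1, 1, 2, 10)
SAMPLE_CONTACT_MADE = datetime(2024, 1, 1, 2, 30)

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(sla_status(rec, SAMPLE_NOW))
    print("breached:", sla_breaches(SAMPLE_RECORDS, SAMPLE_NOW))
    for t in contact_schedule(SAMPLE_FIRST_CALL, horizon=timedelta(hours=4)):
        print("call attempt at", t.strftime("%H:%M"))
```

Two design points are worth noting. Measuring open clocks against `now` is what makes the script useful on a live queue: a breach surfaces while the analyst can still act on it, rather than only in the post-incident report. In the schedule, the hourly attempts start at the first top-of-hour at or after the end of the first hour, so a first call at 02:10 yields attempts at 02:10, 02:25, 02:40, 02:55 and then 04:00, 05:00 and so on; a first call at exactly 02:00 continues at 03:00.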
**Mitigation actions by platform**
| Platform | Mitigation Actions Available | Notes |
| --- | --- | --- |
| MDR for Endpoint | Network containment (isolation) | Connectivity is maintained for SOC investigation. SOC can restore connectivity when the partner is ready for remediation. |
| MDR for Cloud | Sign out all sessions, block sign-in | Applies to Office 365 & Google Workspace accounts. |
| Firewalls & Network Devices | No mitigation actions performed | SOC will surface findings and provide details to the partner. Partner is responsible for all network device response actions. |
Analogies can help explain an unfamiliar concept or idea. To help our partner community understand the methodology behind our alert classifications, we have summarized our alert processing in the following analogy:
Think of our SOC as a Fire Department and our Analysts as Fire Fighters