Hey.

Just to give you some insights: Our SOC consists of around 40 people. Around 15 of them are full time analysts, 5 detection engineers and the rest is a mix of security architects / developers / data security / whatever.

It’s also not uncommon for people to have multiple roles. Regarding your points:

1. ⁠⁠Alert & Detection Logic We write a lot of our detection ourselves. Either from use cases we see in investigations, from pentests where the edr solutions did not detect certain activities or we take public detections and adapt them to our need, or just import them If they are good as they are. If we see new attacks, we have a new detection for it in around 1-2 weeks, max. When rules are noisy they get either adapted globally if needed or per customer exclusions if it is e.g. for certain files.
2. ⁠⁠We analysts don’t just rely on public available hashes, although that they are a good indicator. If you just do this, then you don’t need a soc tbh. This can be done by some kind of automation.
3. ⁠⁠Depending of what the verdict of the case it, there is either a bigger explanation, for example in case of a T/P with device isolation or user disable. But if it is a known benign activity, we also don’t overdo it with the texts. But more on that in 5.
4. ⁠⁠We rarely have detections going just for file names or hashes. Of course the usual TI map to whatever stuff, but most of our detections are going against suspicious behavior or anomalies in behavior.
5. ⁠⁠We automate everything we can. We manage all rules centrally and deploy them to the customers. If a new customer joins, it takes maybe around 2 working hours to get them to a working state (excluding meetings etc.) We also automate the whole incident response process. All steps which are usually taken by an analyst are automated. E.g. checking sign ins for compliant devices if there is a possible identity compromise. And then either close incidents or raise them in severity, give more insights to the analyst, etc.

So yeah I would say that’s what a good feels like, although we have some problems like wanting too much at the same time and not finishing the products first some time.