Security operations

SOC triage, detection, and response in your SIEM, EDR, identity, and cloud signals

intSignal runs security operations for teams that have already invested in Splunk, Microsoft Sentinel, Google Chronicle, QRadar, or similar—and need alert handling, correlation, and case work executed in your tenants, queues, and change windows. Tier-1 through escalation lives in your ITSM or SOAR where you want it; containment steps are spelled out in a RACI so nobody argues in the middle of an incident.

Default posture is co-managed: senior-led execution, your stack retained, and response ownership documented in the statement of work—not a generic “we’ll watch your logs” MSSP handoff.

SOC functions

What the service does in production

Day-to-day work is alert intake, enrichment from identity and cloud context, correlation in your SIEM, EDR timeline review, and tickets your stakeholders can audit—not slide decks about “visibility.”

Monitoring

Monitoring and intake

Ingest and normalize signals you authorize: on-prem and cloud identity, endpoint, network where available, SaaS audit, and mail—routed into the SIEM or data store you already pay for.

  • Parser and CIM/schema hygiene where gaps block use cases
  • Dashboards and searches your team can reuse after hours
  • Health checks on forwarders and cloud connectors
  • Shift notes tied to open cases

Detection

Detection engineering

Rules, scheduled searches, and EDR policies tuned to your crown jewels and realistic attacker paths—not a vendor-default pack left on forever.

  • Correlation and thresholding in your SIEM
  • EDR queries and exclusions with change control
  • Intel matching where a TIP or feed is in scope
  • Backlog of noisy logic with owners and dates
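The correlation-and-thresholding item above, as an added example that is not intSignal's own content: a spray-then-success rule over constructed IdP sign-in events, with suppressions that carry an owner and an expiry so exclusions stop applying instead of lingering. Field names (ts, user, src_ip, result), the threshold values, the P1 mapping, and the change ticket reference are assumptions; the IPs are RFC 5737 test ranges.

```python
"""Spray-then-success correlation with thresholds and expiring suppressions.

Added example over constructed sign-in events; not intSignal code. The field
names stand in for whatever your normalised IdP sign-in schema uses, and the
threshold values are illustrative starting points for tuning.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # look-back from the success event
MIN_FAILURES = 5                 # failures from one source IP inside WINDOW
MIN_USERS = 3                    # distinct targets: a spray, not one user mistyping


def _t(s: str) -> datetime:
    """Parse ISO-8601 with an explicit offset; a naive timestamp is a parser defect."""
    dt = datetime.fromisoformat(s)
    if dt.tzinfo is None:
        raise ValueError(f"naive timestamp {s!r}")
    return dt


NOW = _t("2024-05-10T00:00:00+00:00")   # evaluation time for suppression expiry (constructed)

# Constructed events (hypothetical users, RFC 5737 test IPs).
EVENTS = [
    # Old failure from the spray source, outside the window: must not count.
    {"ts": "2024-05-09T11:40:00+00:00", "user": "zed", "src_ip": "203.0.113.9", "result": "failure"},
    # Spray: one IP, five users, then a success for one of them.
    {"ts": "2024-05-09T12:00:00+00:00", "user": "alice", "src_ip": "203.0.113.9", "result": "failure"},
    {"ts": "2024-05-09T12:01:00+00:00", "user": "bob", "src_ip": "203.0.113.9", "result": "failure"},
    {"ts": "2024-05-09T12:02:00+00:00", "user": "carol", "src_ip": "203.0.113.9", "result": "failure"},
    {"ts": "2024-05-09T12:03:00+00:00", "user": "dave", "src_ip": "203.0.113.9", "result": "failure"},
    {"ts": "2024-05-09T12:04:00+00:00", "user": "erin", "src_ip": "203.0.113.9", "result": "failure"},
    {"ts": "2024-05-09T12:05:00+00:00", "user": "dave", "src_ip": "203.0.113.9", "result": "success"},
    # One user mistyping three times: below both thresholds, no alert.
    {"ts": "2024-05-09T12:10:00+00:00", "user": "alice", "src_ip": "192.0.2.50", "result": "failure"},
    {"ts": "2024-05-09T12:11:00+00:00", "user": "alice", "src_ip": "192.0.2.50", "result": "failure"},
    {"ts": "2024-05-09T12:12:00+00:00", "user": "192.0.2.50" and "alice", "src_ip": "192.0.2.50", "result": "failure"},
    {"ts": "2024-05-09T12:13:00+00:00", "user": "alice", "src_ip": "192.0.2.50", "result": "success"},
    # Authorised credential audit under an active suppression: ignored entirely.
    {"ts": "2024-05-09T13:00:00+00:00", "user": "alice", "src_ip": "198.51.100.7", "result": "failure"},
    {"ts": "2024-05-09T13:00:01+00:00", "user": "bob", "src_ip": "198.51.100.7", "result": "failure"},
    {"ts": "2024-05-09T13:00:02+00:00", "user": "carol", "src_ip": "198.51.100.7", "result": "failure"},
    {"ts": "2024-05-09T13:00:03+00:00", "user": "dave", "src_ip": "198.51.100.7", "result": "failure"},
    {"ts": "2024-05-09T13:00:04+00:00", "user": "erin", "src_ip": "198.51.100.7", "result": "failure"},
    {"ts": "2024-05-09T13:00:05+00:00", "user": "erin", "src_ip": "198.51.100.7", "result": "success"},
]

# Suppressions with owner and expiry, as the tuning backlog requires (constructed; CHG-0423 is hypothetical).
SUPPRESSIONS = [
    {"src_ip": "198.51.100.7", "owner": "iam-team", "reason": "approved credential audit, CHG-0423",
     "expires": "2024-06-01T00:00:00+00:00"},
    {"src_ip": "203.0.113.9", "owner": "netops", "reason": "old VPN tests",
     "expires": "2024-04-01T00:00:00+00:00"},   # expired: no longer applied, returned for review
]


def split_suppressions(suppressions, now):
    """Return (active keyed by src_ip, expired list); expired entries stop applying."""
    active, expired = {}, []
    for s in suppressions:
        if _t(s["expires"]) > now:
            active[s["src_ip"]] = s
        else:
            expired.append(s)
    return active, expired


def correlate(events, suppressions, now=NOW):
    """Alert when a success follows >= MIN_FAILURES failures against >= MIN_USERS accounts from one IP within WINDOW."""
    active, expired = split_suppressions(suppressions, now)
    failures = defaultdict(list)   # src_ip -> [(ts, user)] in time order
    alerts = []
    for e in sorted(events, key=lambda e: _t(e["ts"])):
        ip, ts = e["src_ip"], _t(e["ts"])
        if ip in active:
            continue
        if e["result"] == "failure":
            failures[ip].append((ts, e["user"]))
            continue
        if e["result"] != "success":
            continue
        recent = [(t, u) for t, u in failures[ip] if ts - t <= WINDOW]
        targeted = sorted({u for _, u in recent})
        if len(recent) >= MIN_FAILURES and len(targeted) >= MIN_USERS:
            alerts.append({
                "rule": "spray_then_success",
                "severity": "P1",                              # assumption: SOW maps account compromise to P1
                "src_ip": ip,
                "compromised_user": e["user"],
                "failures_in_window": len(recent),
                "targeted_users": targeted,
                "first_observable": recent[0][0].isoformat(),  # start of the MTTD clock
                "success_at": ts.isoformat(),
            })
            failures[ip].clear()   # one alert per burst; the case system dedupes any repeat
    return alerts, expired


if __name__ == "__main__":
    found, stale = correlate(EVENTS, SUPPRESSIONS)
    print(found)
    print("suppressions needing review:", [s["src_ip"] for s in stale])
```

The expired suppression is returned alongside the alerts rather than dropped, which is what makes the "noisy logic with owners and dates" backlog reviewable: the rule itself reports when an exclusion has aged out.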

Response

Investigation and containment

Case folders with timeline, evidence, and recommended actions mapped to playbooks you approve—host isolation, account disable, token revoke, network blocks—only where RACI says intSignal may execute.

  • ITSM/SOAR case updates your auditors can read
  • Containment executed or guided per SOW
  • Handoff to IR retainers when severity warrants
  • Post-incident corrective actions tracked to closure

Hunting

Hunt and hygiene

Hypothesis-driven sweeps on top of recurring hygiene: dormant admin paths, OAuth grants, risky sign-ins, and data staging patterns relevant to your industry.

  • IOC and TTP sweeps scoped to your estate
  • Findings written into the same case system as alerts
  • Detection gaps fed back into the rule backlog
  • Quarterly hunt cadence or ad hoc after major changes
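The dormant-admin-path and OAuth-grant sweeps named above, as an added example that is not intSignal's own content: a hygiene hunt over a constructed identity inventory that writes findings in the same shape as alerts so they land in one case system. Account and app names, role strings, the high-risk scope list, the hunt ID and the P3 default are assumptions standing in for your IdP's export and your SOW.

```python
"""Hygiene sweep: dormant privileged accounts and user-consented OAuth grants with broad scopes.

Added example over a constructed identity inventory; not intSignal code. Field names
and the scope list are assumptions standing in for your IdP's export format.
"""
from datetime import datetime

DORMANT_DAYS = 90
# Assumption: scopes a reviewer treats as high-risk when reached by user consent.
HIGH_RISK_SCOPES = {"Directory.ReadWrite.All", "Mail.Read", "Files.ReadWrite.All"}


def _t(s):
    return datetime.fromisoformat(s)


NOW = _t("2024-05-10T00:00:00+00:00")   # sweep time (constructed)

# Constructed accounts (hypothetical names and roles).
ACCOUNTS = [
    {"user": "admin-old", "roles": ["Global Administrator"], "last_sign_in": "2023-12-01T09:00:00+00:00"},
    {"user": "svc-backup", "roles": ["Exchange Administrator"], "last_sign_in": None},  # never signed in
    {"user": "jane", "roles": ["Global Administrator"], "last_sign_in": "2024-05-09T08:00:00+00:00"},
    {"user": "bob", "roles": [], "last_sign_in": "2023-10-01T08:00:00+00:00"},          # dormant but unprivileged
]

# Constructed OAuth grants (hypothetical apps).
OAUTH_GRANTS = [
    {"app": "Mail Sync Helper", "consented_by": "bob", "admin_consent": False,
     "scopes": ["Mail.Read", "offline_access"]},
    {"app": "Corp Backup", "consented_by": "jane", "admin_consent": True,
     "scopes": ["Files.ReadWrite.All"]},                     # broad, but admin-reviewed
    {"app": "Calendar Widget", "consented_by": "alice", "admin_consent": False,
     "scopes": ["Calendars.Read"]},
]


def dormant_admins(accounts, now=NOW):
    """Privileged accounts with no sign-in for DORMANT_DAYS, or none ever recorded."""
    findings = []
    for a in accounts:
        if not a["roles"]:
            continue   # unprivileged dormancy is an IAM cleanup item, not a hunt finding
        last = _t(a["last_sign_in"]) if a["last_sign_in"] else None
        days = (now - last).days if last else None
        if last is None or days > DORMANT_DAYS:
            findings.append({"type": "dormant_admin", "user": a["user"],
                             "roles": a["roles"], "days_dormant": days})
    return findings


def risky_oauth_grants(grants):
    """Grants that reached high-risk scopes through user consent rather than admin review."""
    findings = []
    for g in grants:
        risky = sorted(HIGH_RISK_SCOPES & set(g["scopes"]))
        if risky and not g["admin_consent"]:
            findings.append({"type": "user_consented_grant", "app": g["app"],
                             "consented_by": g["consented_by"], "risky_scopes": risky})
    return findings


def to_cases(findings, hunt_id="HUNT-2024-05"):
    """Shape findings like alerts so they enter the same case system and rule backlog.

    hunt_id and the P3 default are assumptions; your SOW sets the real mapping.
    """
    return [{"source": "hunt", "hunt_id": hunt_id, "severity": "P3",
             "title": f"{f['type']}: {f.get('user') or f.get('app')}",
             "evidence": f,
             "recommended_action": ("disable or re-certify" if f["type"] == "dormant_admin"
                                    else "revoke grant and review consent policy")}
            for f in findings]


if __name__ == "__main__":
    for case in to_cases(dormant_admins(ACCOUNTS) + risky_oauth_grants(OAUTH_GRANTS)):
        print(case["severity"], case["title"], "->", case["recommended_action"])
```

The admin-consented grant with a broad scope is deliberately not flagged here: it has already been through a review path, so it belongs on a periodic re-certification list rather than in the hunt output, where it would only add noise.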

Team

How roles map to your workflow

Titles vary by client; the point is clear ownership from first touch through escalation—without a black hole between “managed service” and your internal IR lead.

Tier 1

Alert intake, deduplication, enrichment with identity and asset context, first-pass verdict, and ticket hygiene.

Tier 2

Multi-source investigations across SIEM and EDR timelines, scope confirmation, and containment packages ready for approval.

Tier 3 / detection

Complex incidents, hunt execution, parser and content fixes, and vendor or cloud-provider escalations when needed.

Engagement lead

Your single thread for backlog, SOW changes, QBR-style metrics you can defend, and escalation when priorities conflict.

Process

Detection-to-case workflow

Each step produces an artifact in your SIEM, EDR, or ticket queue so work survives shift change and audit.

1

Detect

Rule or hunt hit

2

Triage

Enrich, dedupe, severity

3

Investigate

Scope in SIEM/EDR

4

Contain

Approved actions only

5

Remediate

Eradicate persistence

6

Close

Root cause + backlog

Technology

Where work actually happens

We meet you in the tools you already licensed; scope lists connectors, parsers, and API limits up front so detection work is not blocked by “we’ll need another SKU.”

SIEM

Correlation, search, retention

EDR

Process, file, network telemetry

Identity

IdP sign-in, MFA, risky users

Cloud audit

AWS, Azure, GCP, SaaS admin

SOAR / ITSM

Cases, tasks, approvals

Intel

Feeds and TIP when in scope

Metrics

Service levels you can defend

MTTD

Time to detect

Clocked from the first malicious observable to the alert or hunt finding, using event timestamps from your SIEM and EDR normalised to one time zone—not marketing stopwatches.

MTTR

Time to respond

Clocked from the alert to the first meaningful customer update and, where approved, to the first containment step; targets are defined separately for P1–P4 in the SOW.

Noise

Tuning throughput

Open suppressions and broken parsers tracked to owners; recurring review so alert volume reflects real risk, not fatigue.

Quality

Case evidence

Tickets closed with timeline, scope, actions taken or declined, and lessons fed to detection and IAM backlogs.

Delivery models

How engagement is structured

Most clients choose explicit co-management: intSignal operates inside your stack and tickets, while you keep veto rights on architecture and destructive response. Pure “send us logs” arrangements are not our default.

Operations-led

Managed SOC execution

We staff triage and escalation against your SIEM, EDR, identity, and cloud connectors; cases and evidence stay in systems you control.

  • Coverage hours and languages spelled out in the SOW
  • Runbooks aligned to your change and CAB process
  • Monthly readouts on backlog, noise, and incident mix
  • Optional bridge to intSignal MDR for correlated XDR-style workflows

Co-managed

Shared queue and content ownership

Your analysts own selected tiers or business units; we cover nights, weekends, surges, or specific use cases—same parsers, same SOAR playbooks, same RACI.

  • Joint on-call and escalation trees
  • Shared detection backlog with priority tags
  • Pairing on complex investigations until your bench is ready
  • No parallel “shadow SIEM” unless you explicitly want one

Program build

SOC readiness and optimization

Design or harden internal SOC capabilities: use-case library, data onboarding plan, staffing model, and handoff into steady-state operations—yours, ours, or split.

  • Use-case and data-source gap analysis
  • Process and case templates mapped to ITSM
  • Tooling choices constrained by what you already own
  • Tabletops before go-live coverage

Engagements

Typical entry points

Each starts with a short discovery on data sources, case system, and who may execute containment—then a written proposal you can compare to other providers without buzzword bingo.

Assessment

Readiness review: parsers, use-case coverage, queue health, RACI gaps, and realistic MTTD/MTTR baselines from your own timestamps—not a generic maturity heat map.

Build or remediate

Onboarding plan for new SIEM or EDR estates, migration off legacy MSSP content, or hardening after an incident—delivered as a time-boxed program with exit criteria.

Run-state operations

Ongoing triage, detection engineering hours, and hunt cadence scoped to your SOW. Service levels are documented per severity; we do not promise unattested global averages.

Map SOC execution to your environment

Bring your SIEM, EDR, identity, cloud audit, and ticketing reality—we will respond with scope, RACI, and a clear view of what shifts and engineering hours look like.