Day 18 – SOC KPIs, SLAs, Use Cases & SOC Maturity Levels
Today students learn how professional SOCs are measured and evaluated.
This matters for interviews, day-to-day SOC work, and for understanding how leadership judges a SOC.
1. What are SOC KPIs? (Simple Explanation)
KPIs = Key Performance Indicators.
They measure how well a SOC team is performing.
Think of KPIs as "SOC scorecards".
2. Important SOC KPIs (Easy for Students)
1. MTTA – Mean Time to Acknowledge
How quickly the SOC notices an alert and acknowledges it.
Goal:
2–5 minutes for critical alerts.
2. MTTD – Mean Time to Detect
How long it takes from the start of an attack until the SOC detects it.
Goal:
< 30 minutes for most events.
3. MTTR – Mean Time to Respond
How long it takes to fully contain and fix the issue.
Goal:
1β2 hours for high severity.
4. False Positive Rate
The share of alerts that turn out to be benign. Less noise = better SOC.
Goal:
< 10% false positives.
5. Alert Fatigue Score
If analysts receive too many alerts → burnout.
Goal:
< 60 alerts per analyst per day.
6. SLA Adherence
SLA = Service Level Agreement.
It defines how fast the SOC must respond to each alert severity.
Example:
- Critical Alert: respond in 5 min
- High: 10 min
- Medium: 30 min
- Low: 1 hour
3. SOC SLAs (Explain to Students Simply)
SLA = "Time commitment for handling alerts."
Example SOC SLA table:
| Severity | SLA for Response |
|---|---|
| Critical | 5 minutes |
| High | 10 minutes |
| Medium | 30 minutes |
| Low | 60 minutes |
SOC analysts must meet these SLAs.
4. SOC Use Cases (Very Important)
Use case = security problem + detection logic.
Examples (Splunk SPL queries):
- Brute Force Detection: `index=* EventCode=4625 | stats count by IpAddress`
- Privilege Escalation: `index=* EventCode=4672`
- Persistence: `index=* EventCode=4720`
- Malware Execution: `index=* powershell "EncodedCommand"`
- Lateral Movement: `index=* EventCode=4624 Logon_Type=10`
Use cases = the foundation of SOC detection.
5. SOC Maturity Levels (Very Easy Table)
| Level | Name | Description |
|---|---|---|
| 0 | No SOC | Logs not collected |
| 1 | Basic SOC | Manual monitoring |
| 2 | Intermediate SOC | Alerts + automation |
| 3 | Advanced SOC | Threat hunting, SOAR |
| 4 | Mature SOC | AI detection, full automation |
Goal: Move from level 1 → level 3.
6. Day 18 Hands-On Tasks
Task 1 – Students pick 1 use case
Example: Failed Login Detection
They must write:
- Description
- MITRE mapping
- SPL Query
- Expected output
Task 2 – KPI Calculation
Give students:
- 20 alerts
- Time analyst responded
Ask them to calculate MTTA & MTTR.
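The KPI calculation from Task 2, worked through as an added example (this is not part of the lesson's own material): a small Python script that takes a constructed alert queue with fired, acknowledged and closed timestamps and computes MTTA, MTTR, false positive rate and SLA adherence against the lesson's SLA table. It assumes the SLA clock runs from the moment the alert fires until the analyst acknowledges it.

```python
from datetime import datetime

# SLA table from the lesson: maximum minutes to acknowledge, per severity
SLA_MINUTES = {"Critical": 5, "High": 10, "Medium": 30, "Low": 60}

# Constructed sample queue (not real data): when each alert fired, when the
# analyst acknowledged it, when the ticket was closed, and the triage verdict.
ALERTS = [
    {"id": 1, "severity": "Critical", "fired": "2024-05-01 09:00",
     "acked": "2024-05-01 09:03", "closed": "2024-05-01 10:30", "true_positive": True},
    {"id": 2, "severity": "High", "fired": "2024-05-01 09:10",
     "acked": "2024-05-01 09:25", "closed": "2024-05-01 09:50", "true_positive": False},
    {"id": 3, "severity": "Medium", "fired": "2024-05-01 09:30",
     "acked": "2024-05-01 09:50", "closed": "2024-05-01 11:00", "true_positive": True},
    {"id": 4, "severity": "Low", "fired": "2024-05-01 10:00",
     "acked": "2024-05-01 11:30", "closed": "2024-05-01 12:00", "true_positive": False},
    {"id": 5, "severity": "Critical", "fired": "2024-05-01 10:15",
     "acked": "2024-05-01 10:17", "closed": "2024-05-01 10:45", "true_positive": True},
]


def _minutes(start, end):
    """Elapsed minutes between two 'YYYY-MM-DD HH:MM' timestamps."""
    fmt = "%Y-%m-%d %H:%M"
    delta = datetime.strptime(end, fmt) - datetime.strptime(start, fmt)
    return delta.total_seconds() / 60


def soc_kpis(alerts, sla=SLA_MINUTES):
    """Return MTTA, MTTR, false positive rate and SLA adherence for a queue."""
    if not alerts:
        raise ValueError("no alerts to measure")
    n = len(alerts)
    ack_times = [_minutes(a["fired"], a["acked"]) for a in alerts]   # per-alert time to acknowledge
    fix_times = [_minutes(a["fired"], a["closed"]) for a in alerts]  # per-alert time to respond/close
    # An alert breaches its SLA when acknowledgement took longer than the table allows
    breaches = [a["id"] for a, t in zip(alerts, ack_times) if t > sla[a["severity"]]]
    false_positives = sum(1 for a in alerts if not a["true_positive"])
    return {
        "mtta_min": sum(ack_times) / n,
        "mttr_min": sum(fix_times) / n,
        "false_positive_rate": false_positives / n,
        "sla_adherence": (n - len(breaches)) / n,
        "sla_breaches": breaches,
    }


if __name__ == "__main__":
    for name, value in soc_kpis(ALERTS).items():
        print(f"{name:>20}: {value}")
```

Students can swap in their own 20-alert list and compare the resulting MTTA and MTTR against the goals given in section 2.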
Task 3 – SLA Table
Students build their own SLA model.
Task 4 – SOC Maturity Assessment
Students determine:
- Which level their lab is currently at
- How to improve to next level
Trainer Script
Say this:
"Today you learned how SOC teams are measured.
Detection alone is not enough – KPIs, SLAs, and use cases define SOC quality.
High maturity SOC = fewer incidents, faster response, more automation."
Homework (Day 18)
Students submit:
- One SOC use case
- MITRE mapping
- KPI calculation example
- SLA table
- SOC maturity level of the lab