⭐ Day 18 – SOC KPIs, SLAs, Use Cases & SOC Maturity Levels
Today students learn how professional SOCs are measured and evaluated.
This is critical for interviews, for real SOC jobs, and for explaining SOC performance to leadership.
🧠 1. What are SOC KPIs? (Simple Explanation)
KPIs = Key Performance Indicators
They measure how well a SOC team is performing.
Think of KPIs as “SOC scorecards.”
📊 2. Important SOC KPIs (Easy for Students)
1️⃣ MTTA – Mean Time to Acknowledge
How fast the SOC sees the alert and acknowledges it.
Goal:
2–5 minutes for critical alerts.
2️⃣ MTTD – Mean Time to Detect
How long it takes to detect an attack.
Goal:
< 30 minutes for most events.
3️⃣ MTTR – Mean Time to Respond
How long to fully stop and fix the issue.
Goal:
1–2 hours for high severity.
4️⃣ False Positive Rate
Less noise = better SOC.
Goal:
< 10% false positives.
5️⃣ Alert Fatigue Score
If analysts receive too many alerts → burnout.
Goal:
< 60 alerts per analyst per day.
6️⃣ SLA Adherence
SLA = Service Level Agreement
Defines how fast the SOC must respond, usually per severity level.
Example:
- Critical Alert: respond in 5 min
- High: 10 min
- Medium: 30 min
- Low: 1 hour
🧾 3. SOC SLAs (Explain to Students Simply)
SLA = “Time commitment for handling alerts.”
Example SOC SLA table:
| Severity | SLA for Response |
|---|---|
| Critical | 5 minutes |
| High | 10 minutes |
| Medium | 30 minutes |
| Low | 60 minutes |
SOC analysts must meet these SLAs.
🔥 4. SOC Use Cases (Very Important)
Use case = security problem + detection logic.
Examples:
✔ Brute Force Detection
index=* EventCode=4625 | stats count by IpAddress
✔ Privilege Escalation
index=* EventCode=4672
✔ Persistence
index=* EventCode=4720
✔ Malware Execution
index=* powershell "EncodedCommand"
✔ Lateral Movement
index=* EventCode=4624 Logon_Type=10
Use cases = foundation of SOC detection.
🧩 5. SOC Maturity Levels (Very Easy Table)
| Level | Name | Description |
|---|---|---|
| 0 | No SOC | Logs not collected |
| 1 | Basic SOC | Manual monitoring |
| 2 | Intermediate SOC | Alerts + automation |
| 3 | Advanced SOC | Threat hunting, SOAR |
| 4 | Mature SOC | AI detection, full automation |
Goal: Move from level 1 → level 3.
🛠 6. Day 18 Hands-On Tasks
Task 1 – Students pick 1 use case
Example: Failed Login Detection
They must write:
- Description
- MITRE mapping
- SPL Query
- Expected output
Task 2 – KPI Calculation
Give students:
- 20 alerts
- Time analyst responded
Ask them to calculate MTTA & MTTR.
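Worked example for section 2 and Task 2, added here (not part of the original lesson): a small calculator for MTTA, MTTR, false positive rate and SLA adherence over a constructed set of alerts, using the SLA minutes from the lesson's own table. The alert records and timestamps are made up for the exercise.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# First-response SLA in minutes, taken from the lesson's SLA table.
SLA_MINUTES = {"Critical": 5, "High": 10, "Medium": 30, "Low": 60}


@dataclass
class Alert:
    severity: str
    created: datetime        # alert fired in the SIEM
    acknowledged: datetime   # analyst picked it up
    resolved: datetime       # issue stopped and fixed (or closed as FP)
    false_positive: bool = False


def minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60


def mtta(alerts):
    """Mean Time to Acknowledge: creation -> analyst acknowledgement, all alerts."""
    return mean(minutes(a.created, a.acknowledged) for a in alerts)


def mttr(alerts):
    """Mean Time to Respond over true positives only (an FP is closed, not fixed)."""
    return mean(minutes(a.created, a.resolved) for a in alerts if not a.false_positive)


def false_positive_rate(alerts):
    return sum(a.false_positive for a in alerts) / len(alerts)


def sla_breaches(alerts):
    """Alerts acknowledged later than the SLA for their severity allows."""
    return [a for a in alerts if minutes(a.created, a.acknowledged) > SLA_MINUTES[a.severity]]


def sla_adherence(alerts):
    return 1 - len(sla_breaches(alerts)) / len(alerts)


def T(s):  # short helper for the constructed timestamps below
    return datetime.fromisoformat(s)


# Constructed sample shift (not real data): one High alert breaks its 10-minute SLA.
SAMPLE = [
    Alert("Critical", T("2024-05-01 09:00"), T("2024-05-01 09:03"), T("2024-05-01 10:15")),
    Alert("High",     T("2024-05-01 09:20"), T("2024-05-01 09:35"), T("2024-05-01 11:20")),
    Alert("Medium",   T("2024-05-01 10:00"), T("2024-05-01 10:10"), T("2024-05-01 10:30"), True),
    Alert("Low",      T("2024-05-01 11:00"), T("2024-05-01 11:40"), T("2024-05-01 12:00")),
]

if __name__ == "__main__":
    print(f"MTTA {mtta(SAMPLE):.1f} min, MTTR {mttr(SAMPLE):.1f} min, "
          f"FP rate {false_positive_rate(SAMPLE):.0%}, SLA adherence {sla_adherence(SAMPLE):.0%}")
```

Students can swap in their own 20 alerts and compare the results against the goals in section 2.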
Task 3 – SLA Table
Students build their own SLA model.
Task 4 – SOC Maturity Assessment
Students determine:
- Which level their lab is currently at
- How to improve to next level
🎤 Trainer Script
Say this:
“Today you learned how SOC teams are measured.
Detection alone is not enough — KPIs, SLAs, and use cases define SOC quality.
High maturity SOC = fewer incidents, faster response, more automation.”
📝 Homework (Day 18)
Students submit:
- One SOC use case
- MITRE mapping
- KPI calculation example
- SLA table
- SOC maturity level of the lab