{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/soc/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["agentic-soc","mdr","soc","ai"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCrowdStrike has announced agentic MDR and SOC Transformation Services to improve the effectiveness of security operations centers (SOCs). The agentic MDR solution is designed to leverage machine-speed execution with expert accountability to stop breaches more efficiently. This involves combining deterministic automation with expert-defined guardrails, adaptive AI agents, and human oversight to ensure rapid and precise responses to threats. SOC Transformation Services aim to modernize the foundational aspects of SOC operations, including SIEM systems, data pipelines, workflows, talent models, and governance frameworks. These services are designed to help organizations establish the necessary operating conditions for agentic SOC operations, enabling them to evolve their security practices safely and deliberately. 
This addresses the challenge organizations face in scaling agentic security due to a lack of clean data foundations, modern workflows, and governance structures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eGiven the nature of this announcement focusing on services rather than specific attacks, the following represents a generalized attack chain that CrowdStrike\u0026rsquo;s Agentic MDR and SOC Transformation Services aim to disrupt and mitigate.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to a system or network through various means, such as phishing, exploiting vulnerabilities, or using stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e The attacker executes malicious code on the compromised system, often using scripting languages like PowerShell or Python.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence mechanisms to maintain access to the system, such as creating scheduled tasks or modifying registry keys.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker attempts to escalate privileges to gain higher-level access to the system and network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker moves laterally within the network, compromising additional systems and expanding their control.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The attacker identifies and exfiltrates sensitive data from the compromised systems to an external location.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their final objective, which could include data theft, ransomware deployment, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe potential impact of successful attacks on organizations without adequate security measures can be significant. This includes data breaches, financial losses, reputational damage, and disruption of critical services. Organizations lacking modern security operations capabilities may struggle to detect and respond to advanced threats, leading to prolonged incidents and increased damage. CrowdStrike\u0026rsquo;s agentic MDR and SOC Transformation Services aim to mitigate these risks by providing faster detection, automated response, and expert guidance to improve overall security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEvaluate your current SIEM and logging architecture and create a migration plan to a modern SIEM solution like CrowdStrike Falcon Next-Gen SIEM, focusing on log source onboarding, parsing, normalization, and retention strategy.\u003c/li\u003e\n\u003cli\u003eRedesign your triage, escalation, containment, and recovery workflows to align with your team structure, staffing model, and business risk tolerance, as described in the \u0026ldquo;SOC Transformation Services\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003ePrioritize the development and deployment of detection rules and automation, incorporating AI use case development and guardrails for safe response actions, leveraging the capabilities outlined in the \u0026ldquo;SOC Transformation Services\u0026rdquo; section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-28T09:23:42Z","date_published":"2026-03-28T09:23:42Z","id":"/briefs/2026-03-agentic-mdr-soc/","summary":"CrowdStrike introduces agentic MDR and SOC Transformation Services to enhance breach prevention through machine-speed execution and expert oversight, while SOC Transformation Services aim to modernize security operations by focusing on SIEM, data pipelines, workflows, talent models, and 
governance.","title":"CrowdStrike Agentic MDR and SOC Transformation Services","url":"https://feed.craftedsignal.io/briefs/2026-03-agentic-mdr-soc/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["soc","blueteam","threat-hunting"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA security practitioner has released a free, offline SOC toolkit intended for Tier 1 analysts and those new to blue team operations. This toolkit, contained within a single HTML file, provides resources for incident response, alert triage, threat hunting, and analyst onboarding. Released in March 2026, the toolkit includes interactive IR checklists for common incident types (Phishing, Malware, Brute Force, Data Exfil, Suspicious PowerShell), alert triage playbooks with decision trees, threat hunting guides mapped to MITRE ATT\u0026amp;CK, and a structured curriculum for new Tier 1 hires. The threat hunting guides are noteworthy, as they include Splunk and Elastic queries for specific attack techniques like Kerberoasting, Pass-the-Hash, LOLBAS abuse, scheduled task persistence, and C2 communication on non-standard ports. 
Defenders can leverage the shared hunting queries to enhance their detection capabilities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThis toolkit is designed to aid in the \u003cem\u003edetection\u003c/em\u003e of the following attack chains:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e (Phishing, Malware) An attacker gains initial access through methods such as phishing emails or malware-infected attachments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e (Kerberoasting, Pass-the-Hash) After gaining initial access, the attacker attempts to harvest credentials using techniques like Kerberoasting to target service accounts or Pass-the-Hash to reuse existing credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e (Pass-the-Hash) Using compromised credentials, the attacker moves laterally within the network, accessing additional systems and resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e (LOLBAS) The attacker utilizes Living-Off-The-Land Binaries and Scripts (LOLBAS) to execute malicious commands and evade detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e (Scheduled Task Persistence) The attacker establishes persistence by creating scheduled tasks that execute malicious code at regular intervals.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e (C2 on non-standard ports) The attacker establishes a command and control channel, communicating with compromised systems over non-standard ports to evade detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration:\u003c/strong\u003e (Data Exfil) The attacker exfiltrates sensitive data from the compromised systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e (Data Exfil) The attacker 
achieves their final objective of data exfiltration, resulting in data loss or exposure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe toolkit helps defenders to mitigate the impact of attacks by providing resources for incident response, alert triage, and threat hunting. Successful implementation of the toolkit\u0026rsquo;s recommendations can lead to faster detection and containment of security incidents, reducing the potential for data breaches, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview the threat hunting guides within the toolkit and adapt the provided Splunk and Elastic queries for Kerberoasting, Pass-the-Hash, LOLBAS, scheduled task persistence, and C2 on non-standard ports to your environment.\u003c/li\u003e\n\u003cli\u003eUtilize the provided IR Checklists (Phishing, Malware, Brute Force, Data Exfil, Suspicious PowerShell) to standardize and improve incident response procedures.\u003c/li\u003e\n\u003cli\u003eCustomize and integrate the Alert Triage Playbooks into your existing security operations workflows to assist with the analysis of alerts related to impossible travel, lateral movement, and DNS beaconing.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-18T12:00:00Z","date_published":"2026-03-18T12:00:00Z","id":"/briefs/2026-03-soc-analyst-hub/","summary":"A free, offline SOC toolkit aimed at Tier 1 analysts includes IR checklists, triage playbooks, and threat hunting guides mapped to MITRE ATT\u0026CK, with Splunk and Elastic queries for threats such as Kerberoasting, Pass-the-Hash, LOLBAS, scheduled task persistence, and C2 on non-standard ports.","title":"SOC Analyst Toolkit with Threat Hunting 
Queries","url":"https://feed.craftedsignal.io/briefs/2026-03-soc-analyst-hub/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["SharePoint"],"_cs_severities":["medium"],"_cs_tags":["soc","metrics","threat-hunting","detection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe National Cyber Security Centre (NCSC) blog post highlights the detrimental effects of using inappropriate metrics to evaluate SOC performance. Focusing on easily quantifiable metrics like \u0026lsquo;number of tickets processed\u0026rsquo;, \u0026lsquo;time taken to close a ticket\u0026rsquo;, \u0026lsquo;number of detection rules written\u0026rsquo;, and \u0026lsquo;volume of logs collected\u0026rsquo; can incentivize analysts to prioritize metric optimization over effective threat detection. These perverse incentives can lead to a high number of false positives, alert fatigue, and a failure to identify genuine security incidents. The blog emphasizes the importance of focusing on metrics that truly reflect a SOC\u0026rsquo;s efficacy in detecting and responding to attacks in a timely manner, using red and purple teaming to simulate attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThis attack chain describes how an attacker might evade detection in a SOC environment that relies on ineffective metrics.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Foothold:\u003c/strong\u003e An attacker gains initial access via a vulnerability or credential compromise. 
This is not directly measured by common SOC metrics.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInternal Reconnaissance:\u003c/strong\u003e The attacker performs internal reconnaissance, such as \u003ccode\u003esearching for passwords in a SharePoint\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses discovered credentials to move laterally within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access:\u003c/strong\u003e The attacker accesses sensitive data, potentially including intellectual property or personal information.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration Preparation:\u003c/strong\u003e The attacker prepares the data for exfiltration, such as compressing or encrypting it.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration:\u003c/strong\u003e The attacker exfiltrates the data to an external server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence mechanisms to maintain access for future operations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their objective, which could be data theft, system disruption, or financial gain. The lack of focus on TTD/TTR means the breach goes unnoticed until significant damage is done.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe use of poor metrics can lead to a significant increase in dwell time, allowing attackers more time to achieve their objectives. Organizations may experience data breaches, financial losses, reputational damage, and regulatory fines. The NCSC observed SOCs with great potential rendered entirely ineffective through poor choice and application of metrics. 
If \u0026ldquo;time to close a ticket\u0026rdquo; is prioritized, analysts may quickly dismiss alerts as false positives, missing crucial indicators of a real attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement TTD/TTR as primary metrics to measure SOC effectiveness, using red/purple teaming to generate data.\u003c/li\u003e\n\u003cli\u003ePrioritize hypothesis-led threat hunting to proactively identify potential threats and improve detection capabilities.\u003c/li\u003e\n\u003cli\u003eEstablish and maintain hard thresholds for false positive rates to minimize alert fatigue and ensure analysts focus on genuine threats.\u003c/li\u003e\n\u003cli\u003eEvaluate and refine detection rules to maximize true positives and minimize false positives.\u003c/li\u003e\n\u003cli\u003eFocus on the value of collected logs rather than sheer volume to ensure relevant data is available for threat detection.\u003c/li\u003e\n\u003cli\u003eDevelop detection rules based on understanding likely attackers and their techniques mentioned in the overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-02-soc-metrics/","summary":"Poorly chosen performance metrics can significantly impair a SOC's ability to detect and respond to threats, leading to ineffective security operations and potential compromise.","title":"Impact of Poor Security Operation Center (SOC) Metrics","url":"https://feed.craftedsignal.io/briefs/2024-01-02-soc-metrics/"}],"language":"en","title":"CraftedSignal Threat Feed — Soc","version":"https://jsonfeed.org/version/1.1"}