Customer Operational Guide

Overview

This document outlines your operational responsibilities based on your ThreatDefence service subscription. We offer two primary service models to match your organization's security maturity and resource availability.

Managed SOC Service

  • Primary Purpose: Full security operations outsourcing. Our team manages detection, triage, and initial response.

  • Key User Responsibility: Respond to Escalations - Review and act on critical requests from our SOC.

SIEM Platform Only

  • Primary Purpose: Self-managed security operations. You retain full control of detection and response using our platform.

  • Key User Responsibility: Daily Triage - Actively monitor and manage security alerts within the platform.


1. For Managed SOC Customers

Your Role: The Incident Commander

When you subscribe to our Managed SOC service, our security analysts become an extension of your team. We handle the 24/7 monitoring, investigation, and initial containment, allowing you to focus on strategic business decisions.

Primary Responsibility: Respond to Escalations

  • You will receive critical notifications via email or phone when our SOC requires your input or action.

  • These escalations are typically for:

    • Validation: "We see a critical action from user [X]. Is this authorized?"

    • Action: "We have contained a threat on endpoint [Y]. Please inform the user."

    • Decision: "An incident has been declared. Activate your incident response plan."

Technical Requirement:

  • No daily login to the platform is required.

  • You only need to monitor the communication channels (email/phone) used for escalations.

Strong Recommendation: Leverage the Platform for Awareness

While not mandatory, logging into the Security Dashboard provides significant benefits:

  • Operational Awareness: View real-time security posture, active incidents, and threat trends.

  • Skill Uplift: Observe how our analysts investigate and respond to threats—a free training resource for your team.

  • Proactive Oversight: Access customized reports and dashboards for compliance and management reviews.

Best Practice: We recommend a weekly login to review the Security Posture Dashboard and any closed incident reports to maintain situational awareness.


2. For SIEM Platform Only Customers

Your Role: The Security Operator

With the SIEM Platform, your team is in full control of your security operations. The platform provides the tools and intelligence; you provide the analysis and response.

Primary Responsibility: Daily Alert Triage

You must actively manage the security alerts generated by the platform. This can be done through two primary methods:

Method 1: Direct Console Login (Recommended)

  1. Log into the ThreatDefence Security Dashboard daily.

  2. Navigate to the “Security Detections” queue.

  3. Triage Alerts: Review, investigate, and act on each alert by:

    • Closing false positives.

    • Escalating true positives to your IT team for remediation.

    • Adding notes for audit trails.

Method 2: Email Alert Monitoring (Minimum Requirement)

  • Ensure email alerts are enabled for your security team.

  • Review all email notifications for new detections.

  • You must log into the console to fully investigate and close alerts. Email is for notification only.

Technical Requirement:

  • Daily interaction with the platform is required to maintain security efficacy.

  • Your team is responsible for the end-to-end process: Detection → Triage → Response → Closure.


Summary of Responsibilities

Action                   Managed SOC Customer           SIEM Platform Customer

24/7 Monitoring          Handled by ThreatDefence SOC   Your Responsibility

Initial Alert Triage     Handled by ThreatDefence SOC   Your Responsibility

Respond to Escalations   Your Responsibility            Not Applicable

Daily Platform Login     Recommended (Awareness)        Required (Operation)

Email Alert Review       For escalations only           Minimum requirement for notifications


Getting Started Checklist

For Managed SOC Customers:

For SIEM Platform Only Customers:

Need Help? Our support team is here to assist with:

  • Technical configuration and onboarding.

  • Analyst training for the platform.

  • Defining escalation workflows.

Contact Support: [email protected]


This document ensures clarity of roles and responsibilities, setting both our teams up for a successful security partnership.
