The Security Operations Center (SOC) Analyst L3 is a critical member of the Information Security team responsible for monitoring, detecting, analyzing, and responding to cybersecurity threats across the organization's environment. This role serves as the frontline defense against adversarial activity, operating within a 24x7 detection-first SOC model.
The primary responsibility of this position is the security alert workflow: the continuous triage, investigation, and disposition of security alerts and events generated across our security tooling ecosystem. Beyond queue operations, this role offers structured growth into threat hunting, detection engineering, incident response, vulnerability management, insider risk management, and cross-functional InfoSec support.
This is a shift-based role supporting 24x7 operations; schedules may include evenings, overnight shifts, weekends, and holidays as business needs require.
ESSENTIAL DUTIES AND RESPONSIBILITIES:
DETECTION & MONITORING (PRIMARY FOCUS)
• Oversee detection queue health and ensure consistent SLA adherence, assisting with prioritization during high-volume or high-severity events
• Conduct advanced investigations involving complex, multi-stage attacks across endpoint, identity, network, cloud, and third-party environments
• Provide expert-level case documentation that supports executive reporting, compliance, and post-incident reviews
• Act as a primary escalation point for major incidents, coordinating with Incident Response, Threat Intelligence, IT, and business stakeholders
• Drive continuous improvement of detection logic, escalation criteria, and investigative workflows
• Ensure effective shift transitions, including direct briefings when required
• Author and maintain SOC documentation, including playbooks, SOPs, runbooks, training content, and detection standards
• Support SOC maturity initiatives, such as detection tuning, automation use cases, metrics refinement, and analyst skill development
INCIDENT RESPONSE (AS NEEDED)
• Support incident response efforts during active security events, including evidence gathering, containment actions, and timeline construction
• Assist in the preparation of incident summaries, post-incident reports, and lessons-learned documentation
• Execute containment and remediation actions under the guidance of IR leads (e.g., endpoint isolation, account disablement)
• Participate in tabletop exercises and IR simulations to develop and validate response readiness
THREAT HUNTING (STRUCTURED OPPORTUNITIES)
• Participate in threat hunting missions derived from threat intelligence reporting, new TTPs, or internal hypotheses
• Query SIEM, EDR, and log sources proactively to identify undetected malicious activity or policy gaps
• Document hunting findings and translate confirmed gaps into detection use cases or tuning recommendations
• Leverage frameworks such as MITRE ATT&CK to structure hunting hypotheses and report on coverage gaps
DETECTION ENGINEERING (COLLABORATIVE SUPPORT)
• Contribute to the development, testing, and refinement of detection rules and correlation logic in the SIEM
• Analyze emerging threats and map indicators and behaviors to proposed detection logic
• Validate new detections in a test environment and provide real-world feedback from queue experience
• Assist with SIEM content library management, including periodic rule review and retirement of stale logic
VULNERABILITY MANAGEMENT (SUPPORTING ROLE)
• Review vulnerability scan results and assist in triaging findings based on severity, exploitability, and asset criticality
• Support the coordination of remediation activities with IT asset owners, tracking tickets through to closure
• Cross-reference active vulnerabilities with threat intelligence to identify weaponized CVEs that require prioritization
• Assist in producing vulnerability reporting for team leads and stakeholders on a periodic basis
INSIDER RISK MANAGEMENT (SUPPORTING ROLE)
• Support the review and triage of alerts generated by User and Entity Behavior Analytics (UEBA) platforms, Data Loss Prevention (DLP) tools, and insider threat-specific monitoring solutions
• Correlate insider risk indicators across identity, endpoint, email, and cloud data sources to build a complete picture of potential policy violations or malicious intent
• Assist in the investigation of data exfiltration attempts, unauthorized access to sensitive systems, and anomalous after-hours or off-network activity
• Maintain strict confidentiality and chain-of-custody standards when handling insider risk cases, ensuring investigations are properly documented and legally defensible
• Contribute to the ongoing refinement of the Insider Threat Program by surfacing patterns, gaps, and lessons learned from completed investigations
CROSS-FUNCTIONAL INFOSEC SUPPORT (AD HOC/STRUCTURED)
• Serve as an available resource to other InfoSec teams, lending hands-on support for security-related tasks, reviews, and initiatives on an as-needed basis
• Assist with security awareness initiatives, phishing simulations, and education campaigns
• Support access reviews, security tool deployments, and policy compliance assessments as directed