L2 Security Operations Center Analyst

Shieldworkz
Abu Dhabi, UAE
Full-time
Mid-Senior
2 days ago

Full Job Posting

Role Overview

The L2 SOC Analyst handles alerts escalated from L1, conducts deeper investigation and correlation, leads false positive validation, provides rule tuning inputs to detection engineering, and drives incident response actions.

This role is the operational backbone of the SOC -- balancing analytical depth with turnaround speed.

Key Responsibilities

  • Receive and investigate escalations from L1, performing in-depth event correlation and contextual analysis within Google SecOps (Chronicle).
  • Validate true positives and initiate incident response workflows per defined playbooks.
  • Validate and, where necessary, reclassify incident priority (P1-P4) against the severity matrix defined in the SOP, ensuring the correct SLAs and escalation paths are followed.
  • Lead false positive identification and submit tuning recommendations to the detection engineering function.
  • Conduct threat hunting activities on a scheduled or ad-hoc basis using Chronicle’s YARA-L rules and UDM search.
  • Perform root cause analysis (RCA) for confirmed incidents and document findings.
  • Develop and execute remediation plans -- containment actions, eradication steps, and recovery sequencing aligned to incident severity.
  • Coordinate with client stakeholders for containment and remediation guidance where applicable.
  • Review and provide feedback on L1 triage quality; support L1 analyst upskilling.
  • Contribute to SOP refinement based on operational experience.
  • Track and manage open incidents to closure within defined SLA thresholds.
  • Prepare shift summary reports and escalation-to-resolution case documentation.

Required Skills & Experience

  • 3–5 years of SOC experience, with at least 1–2 years at L2 or equivalent.
  • Proficiency in one or more SIEM platforms: Google Chronicle/SecOps, Splunk, Microsoft Sentinel, IBM QRadar, ArcSight, or LogRhythm -- Chronicle experience preferred for this engagement.
  • Hands-on experience with SOAR platforms: Palo Alto XSOAR, Splunk SOAR, IBM Resilient, or equivalent -- including playbook execution and case management.
  • Strong incident analysis skills across network, endpoint, identity, and cloud telemetry.
  • Solid understanding of MITRE ATT&CK TTPs and their application in alert investigation.
  • Strong understanding of attack surface analysis -- ability to assess exposure across network, endpoint, identity, and cloud vectors in the context of an active or potential incident.
  • Experience developing and executing remediation plans -- containment actions, eradication steps, and recovery sequencing aligned to incident severity.
  • Proven incident management capability -- end-to-end ownership from detection through closure, including stakeholder communication, escalation management, and post-incident review.
  • Experience with false positive management and detection tuning processes.
  • Knowledge of common threat actor patterns, malware behaviours, and lateral movement indicators.
  • Strong written communication -- incident reports, RCA documentation, and stakeholder updates.

Behavioural & Operational Requirements

  • Willingness to work in a 24x7 shift-based environment with rotational scheduling across day, evening, and night shifts.
  • Flexible to adjust availability during major incidents, escalations, or critical operational periods.
  • Strong team orientation -- actively supports L1 analysts, contributes to shift debriefs, and ensures seamless handovers.
  • Collaborative approach when coordinating with client stakeholders, peer analysts, and detection engineering teams.
  • Leads by example in shift discipline, documentation standards, and operational accountability.

Education

  • Minimum qualification required: Bachelor’s Degree in Cybersecurity, Computer Science, Information Technology, or a related technical discipline.
  • Master’s Degree in Cybersecurity or Computer Science is an added advantage.
  • EC-Council Certified Security Analyst (ECSA)
  • CompTIA Security+
  • SIEM Tool Certifications (Good to have):
    • IBM QRadar SIEM Foundation
  • SecOps Certifications (Good to have):
    • Google Professional Cloud Security Engineer
    • CompTIA Cloud+

Additional

  • Hands-on experience or working knowledge of Agentic AI in SOC operations -- including AI-powered investigation workflows, LLM-integrated SOAR playbooks, autonomous triage agents, or AI-driven threat hunting assistants.
  • Experience working in managed SOC or MSSP environments.
  • Exposure to threat intelligence platforms and IOC enrichment workflows.
  • Prior work in critical infrastructure, government, or regulated sector SOCs.
