The big plus working in a SOC is the possibility to be on-site with other Security Analysts rather than being separated in the home office.
Working in a MSSP SOC means to keep an eye on multiple customer SIEM’s simultaneously in terms of security incidents and anomalies/availability of mandatory log data. In addition, the Security Analyst should keep an eye on new and emerging threats which are (thankfully/hopefully) not (yet) impacting our customers.
In this blog series we (Christoph Düggeli and Thomas Kurth) will share their experience and technical solutions for a professional and helpful SOC Wall. Credits also to Athiraiyan who was involved in the initial phase.
Link to other Parts:
- Planning the Setup
- Develop your Video Wall Application
- Build your Content
Planning the setup
To share a common set of important information within the team, we decided to spin up a SOC Monitor wall and query data with KQL and display the data with Microsoft Sentinel Workbooks.
There are multiple options which can be used. 4 different Monitors connected to a dedicated computer as seen above is one option. But much more professional is the usage of frameless monitors which have also more options to configure like exposing all monitors as a single display to the computer. But caution, the computer needs support the resolution which the monitors have. Video wall monitors are a little bit more expensive, but all the possibilities are in our opinion definitely very helpful. A good starting point is for example the NEC Videowall configurator.
Workstation and display configuration
The workstation can be managed via MEM Intune. The usage of the Kiosk profile/Assigned Access profile allows the auto-logon and automated launch of the SOC Monitor Wall software (Custom made, see Part 2 for more information). The usage of MEM Intune reduces the attack surface and configuration effort drastically.
As written above it’s also important that your chosen workstation supports the planned resolution. For example, if a graphic driver supports 4 K (2 x 2 monitors) this does not also mean it supports (4 x 1 monitors) … #LessonLearned
As soon you have to correct hardware and an up and running Windows, then we can start developing the Video Wall content. Details on how to build a Video Wall application and how to design dashboards is part of the next blogs of this series.
- Sentinel Automation use case – custom Alerting with LogicApps - March 6, 2023
- Microsoft Sentinel Security Incident statistics with Workbooks - February 20, 2023
- Sentinel Incident Automation – Playbook dependencies - January 16, 2023
SOC Monitor wall – Develop your Video Wall Application (Part 2) - Workplace Ninja's · August 30, 2022 at 15:31
[…] Planning the Setup […]
SOC Monitor wall – Build your Content (Part 3) - Workplace Ninja's · September 1, 2022 at 07:36
[…] Planning the Setup […]