A Day in the Life of a Threat Analyst, WFH Edition (Swim, Coffee, XDR, Repeat)
Making this post so that all of you get an idea on exactly how is a life of a Threat Analyst(MDR) and what are my D2D activity.
6:30 AM. Swim first, before my brain fully gets activated. Best decision I've made this year. Relaxes the mind.
8:15. Coffee. Non negotiable. I've tried skipping it twice. Both days ended badly(consider it as a superstition or the screen effect).
9:30, I log in. WFH, so I just need to walk from the kitchen to my desk. First thing I check isn't the XDR portal, it's email, calendar, Slack, and Teams, in that order, because half the time overnight shift has already flagged something for me and I don't want to walk into a case cold.
10:00 onward is when it actually starts. Into the XDR portal, sorting through alerts and detections that queued. MDR is a 24/7 job. Some days it's quiet. Some days I open the queue and immediately know it's going to be a long one, usually because three alerts from the same host are all pointing the same direction.
The investigation part is where time flies or disappears. Querying event logs, pulling process trees, checking parent child relationships, cross referencing against what the endpoint saw versus what the network saw. Verifying the Threat Intel. I've lost entire hours to a single suspicious PowerShell execution that turned out to be an IT admin running a script nobody informed us or documented anywhere.
Around midday, at around 1 or 2, I usually get on a call with a client if something needs explaining in technical POV. That's a different skill entirely. You can be great at reading a process tree and still fumble explaining it to someone who just wants to know if their business is on fire. I learnt it a hard way, don't want you guys to struggle on that aspect.
Response actions, if needed, isolating a host, killing a process, blocking an IOC. Then lunch, which I try to actually eat away from the screen, or watch some Sit Coms.
Afternoon is round two of the same loop. New alerts, new queries, sometimes picking back up a case from the morning that needed more eyes in investigation.
The fun part nobody tells you about this job is that you start recognizing patterns in things that have nothing to do with the job. Once this job gets into your head, it doesn't fully leave.
End of day is a wrap up meeting, log off, and then TV and sleep, trying not to think about tomorrow's queue.
If you're planning to go for SOC or threat analysis in near future, this is a glimpse of a day, which I am sure nobody told you about.