LOGBOOK

HELP

Quiz Entry - updated: 2026.06.20

In a SOC's tiered analyst model, how do Level 1 and Level 2 analysts differ in what they do?

Level 1 analysts triage and filter incoming alerts (exclude false positives, register and categorise); Level 2 analysts perform deeper analysis, propose counter-measures and escalate.

Event→Alert→L1 triage→L2 analysis→Incident→escalation, with false-positive branch.

* SOC escalation — Event becomes Alert; L1 triages (dropping false positives); L2 analyses real cases and escalates. *

A tiered SOC uses an escalation funnel. Level 1 (L1): the front line — they handle the high volume of alerts from the SOC platform, weed out false positives, register and categorise/prioritise the rest. Level 2 (L2): the deeper specialists — they analyse the genuine incidents L1 escalates, decide and propose counter-measures, and escalate further (to L3 or to customer/IT) when needed. This division keeps scarce senior expertise focused on real threats rather than noise.

From Quiz: ISM / Security Incident Management | Updated: Jun 20, 2026