What does a SOC (Security Operations Center) do?
A Security Operations Center (SOC) is a team of analysts that analyze logging and audit information from a specific system. Plus 1 Technology uses a SOC to analyze, log, and audit user activity that takes place in Microsoft 365. The SOC team works 24/7/365 to spot and remediate any attacks that may occur.
We use our SOC team to look for a variety of abnormal operations. The primary indications of issues we look for are:
- Login from a foreign country
  - If a user successfully logs in from a country outside the USA, we will be notified.
- Impossible travel
  - If a user successfully logs in from two different places within a period in which it would not be possible to travel between them. For example, if a user logs in from NYC at 10am EST and Los Angeles at 11am EST, we know you cannot get from NYC to California in 1 hour.
- New mail rules
  - If new email rules are created on a mailbox to automatically move email from the inbox to another folder or to externally forward email, we would be notified.
- Large volume of deletion
  - If many files are deleted from OneDrive or SharePoint, we would be notified.
- Mailbox full
  - If a mailbox is approaching its maximum allowed storage, we would be notified.
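The foreign-country and impossible-travel checks above can be expressed as simple rules over sign-in events. The following is an added illustration, not Plus 1 Technology's tooling: it runs over constructed sample sign-ins (user, UTC timestamp, country, coordinates) and flags logins outside a home country and consecutive logins whose implied speed exceeds what an airliner could manage.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events (not real data). Times are UTC:
# NYC 10:00 EST == 15:00 UTC, Los Angeles 11:00 EST == 16:00 UTC.
SAMPLE_EVENTS = [
    {"user": "alice", "time": "2024-03-01T15:00:00", "country": "US", "lat": 40.71, "lon": -74.01},
    {"user": "alice", "time": "2024-03-01T16:00:00", "country": "US", "lat": 34.05, "lon": -118.24},
    {"user": "bob", "time": "2024-03-01T15:30:00", "country": "US", "lat": 41.88, "lon": -87.63},
    {"user": "bob", "time": "2024-03-01T15:45:00", "country": "DE", "lat": 52.52, "lon": 13.41},
]

HOME_COUNTRY = "US"
MAX_SPEED_KMH = 900  # roughly airliner cruising speed; anything faster is "impossible travel"

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect(events, home_country=HOME_COUNTRY, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, alert_type) tuples for foreign logins and impossible travel."""
    alerts = []
    last_seen = {}  # user -> previous sign-in, to compare consecutive logins per user
    for ev in sorted(events, key=lambda e: (e["user"], e["time"])):
        if ev["country"] != home_country:
            alerts.append((ev["user"], "foreign_login"))
        prev = last_seen.get(ev["user"])
        if prev is not None:
            elapsed = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(prev["time"])
            hours = elapsed.total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # A location change with zero elapsed time is also impossible travel.
            if km > 0 and (hours <= 0 or km / hours > max_speed_kmh):
                alerts.append((ev["user"], "impossible_travel"))
        last_seen[ev["user"]] = ev
    return alerts

if __name__ == "__main__":
    for user, kind in detect(SAMPLE_EVENTS):
        print(f"ALERT {kind}: {user}")
```

Real deployments read these fields from the Microsoft 365 sign-in and audit logs and add a travel-notification allowlist, which is exactly why the page asks users to report international travel in advance.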
It is important for users to know that we are monitoring these activities. Proactive notifications from users to Plus 1 Technology can help minimize worrisome alerts. We recommend that leadership and staff notify us of any international travel, and if you plan to bulk delete a large number of files, please let us know so we can quickly address any alarms that may be raised.