July 4, 2026
SOC Team Internals — part 3
Assets & Identities

By ExploitHunter
2 min read
Assets & Identities
Identity Inventory
Identity inventory is a catalogue of corporate employees (user accounts), services (machine accounts), and their details like privileges, contacts, and roles within the company. For the scenario above, identity inventory would help you get context about G.Baker and R.Lund, and make it simpler to decide if the activity was expected or not.
Solution, Examples & Description
- Active Directory — AD is itself an identity database, and it is the source most SOCs query first. Example: On-prem AD, Entra ID
- SSO Providers — Cloud identity providers that replace or front AD; they make it easy to manage and search users. Example: Okta, Google Workspace
- HR Systems — Limited to employees (no service accounts), but usually hold the fullest employee data, such as manager, location, and start/end dates. Example: BambooHR, SAP, HiBob
- Custom Solution — It is common for IT or security teams to maintain their own lookup. Example: CSV or Excel sheets
Asset Inventory
Asset inventory, also called asset lookup, is a list of all computing resources within an organisation's IT environment. Note that while "asset" is a vague term and can also refer to software, hardware, or employees, this room emphasises servers and workstations only. For the scenario above, asset inventory would help you get context about the HQ-FINFS-02 server.
Solution, Examples & Description
- Active Directory — AD is not only an identity database but also a solid asset inventory, since every domain-joined computer has its own AD object. Example: On-prem AD, Entra ID
- SIEM or EDR — SIEM and EDR agents collect details (hostname, OS, logged-on users, installed software) about the hosts they monitor. Example: Elastic, CrowdStrike
- MDM Solution — A dedicated class of endpoint-management products built to enrol, inventory, and manage devices. Example: Microsoft Intune, Jamf
- Custom Solution — Same as with the identity inventory, custom solutions are common. Example: CSV or Excel sheets
Workbooks Theory
SOC Workbooks
A SOC workbook, also called a playbook, runbook, or workflow, is a structured document that defines the steps required to investigate and remediate a specific type of threat efficiently and consistently. Since L1 analysts are junior specialists and are not expected to triage every possible attack scenario perfectly, senior analysts prepare workbooks to support their less experienced teammates. L1 analysts are advised, and sometimes required, to triage alerts strictly according to the workbook, which avoids mistakes and keeps the analysis consistent across the team.
Workbook Example
The diagram above is a typical example of an investigation workbook meant to help L1 analysts triage alerts about an atypical email, web, or corporate VPN login. Most workbook diagrams are supplemented with a detailed textual guide and links to the resources they mention. Also note how the workbook is divided into three logical groups. Following the steps in this order ensures a consistent triage and rules out a verdict made before enough evidence has been gathered:
- Enrichment: Use Threat Intelligence and identity inventory to get information about the affected user
- Investigation: Using the gathered data and SIEM logs, make your verdict if the login is expected
- Escalation: Escalate the alert to L2 or communicate the login with the user if necessary
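The three workbook groups above, run over the identity and asset inventories described earlier, as an added example that is not part of the original page or of any real SOC tooling. The inventories are constructed CSV sheets (the "custom solution" form the page lists), every user, host, contact and IP address in them is made up, and the threat-intel feed is a hypothetical list containing only the 203.0.113.0/24 documentation range. The verdict and escalation rules are one reasonable reading of the diagram, not rules the page prescribes.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed identity inventory, in the CSV-sheet form the page lists under
# "Custom Solution". Every user, role and contact here is made up.
IDENTITY_CSV = """username,full_name,department,role,privileged,contact,usual_countries
j.doe,Jane Doe,Finance,Accountant,no,j.doe@example.test,GB;DE
a.kim,Alex Kim,IT,Domain Administrator,yes,a.kim@example.test,GB;NL
svc-backup,Backup Service,IT,Service account,yes,it-ops@example.test,GB
"""

# Constructed asset inventory: servers and workstations only, as the page scopes it.
ASSET_CSV = """hostname,type,owner,criticality,site
HQ-FS-01,server,it-ops@example.test,high,HQ
HQ-WS-117,workstation,j.doe,low,HQ
VPN-GW-01,server,it-ops@example.test,high,HQ
"""

# Hypothetical threat-intel feed: 203.0.113.0/24 (TEST-NET-3, a documentation
# range) stands in for a list of known-malicious source networks.
TI_BAD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def load_inventory(text: str, key: str) -> dict:
    """Parse a CSV inventory into a dict keyed by the lower-cased `key` column."""
    return {row[key].lower(): row for row in csv.DictReader(io.StringIO(text))}


IDENTITIES = load_inventory(IDENTITY_CSV, "username")
ASSETS = load_inventory(ASSET_CSV, "hostname")


@dataclass
class LoginAlert:
    username: str
    source_ip: str
    source_country: str   # ISO code from the log pipeline's geo lookup (assumed)
    target_host: str
    service: str          # "email", "web" or "vpn"


def enrich(alert: LoginAlert) -> dict:
    """Enrichment: join the alert with identity, asset and threat-intel context."""
    ip = ipaddress.ip_address(alert.source_ip)
    return {
        "identity": IDENTITIES.get(alert.username.lower()),
        "asset": ASSETS.get(alert.target_host.lower()),
        "ti_hit": any(ip in net for net in TI_BAD_NETWORKS),
    }


def investigate(alert: LoginAlert, ctx: dict) -> tuple:
    """Investigation: decide whether the login is expected and record the evidence."""
    reasons = []
    if ctx["ti_hit"]:
        reasons.append(f"source {alert.source_ip} matches threat intel")
    ident = ctx["identity"]
    if ident is None:
        reasons.append(f"user {alert.username!r} not in identity inventory")
    else:
        usual = ident["usual_countries"].split(";")
        if alert.source_country not in usual:
            reasons.append(f"login from {alert.source_country}, usual: {'/'.join(usual)}")
        if ident["role"].lower() == "service account" and alert.service == "vpn":
            reasons.append("service account used for an interactive VPN login")
    if ctx["asset"] is None:
        reasons.append(f"target {alert.target_host!r} not in asset inventory")
    return ("expected" if not reasons else "unexpected"), reasons


def escalate(ctx: dict, verdict: str) -> str:
    """Escalation: map the verdict plus context to the workbook's next action."""
    if verdict == "expected":
        return "close"
    ident, asset = ctx["identity"], ctx["asset"]
    privileged = ident is not None and ident["privileged"] == "yes"
    critical = asset is not None and asset["criticality"] == "high"
    # Anything involving TI, an unknown identity, a privileged account or a
    # critical asset goes to L2; a plain travel anomaly is confirmed with the user.
    if ctx["ti_hit"] or ident is None or privileged or critical:
        return "escalate to L2"
    return f"confirm with user via {ident['contact']}"


def triage(alert: LoginAlert) -> tuple:
    """Run the three workbook groups in order; returns (verdict, action, reasons)."""
    ctx = enrich(alert)
    verdict, reasons = investigate(alert, ctx)
    return verdict, escalate(ctx, verdict), reasons


if __name__ == "__main__":
    for sample in [
        LoginAlert("j.doe", "198.51.100.10", "GB", "HQ-WS-117", "email"),
        LoginAlert("j.doe", "198.51.100.20", "BR", "HQ-WS-117", "web"),
        LoginAlert("a.kim", "198.51.100.30", "BR", "HQ-FS-01", "vpn"),
        LoginAlert("j.doe", "203.0.113.5", "GB", "HQ-WS-117", "email"),
    ]:
        print(sample.username, sample.source_country, "->", triage(sample))
```

The point of keeping `enrich`, `investigate` and `escalate` as separate steps is that the verdict is always accompanied by the `reasons` list, so an L2 reviewing an escalation can see exactly which inventory fact or TI match drove it. In a real SOC the CSV strings would be replaced by AD, Okta or EDR lookups, but the order of the three groups stays the same.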