AskNetsec·/u/malwaredetector·6 days ago
Hey everyone! I work as a SOC analyst, mostly doing alert triage and helping with investigations. We check files, run lookups, search TI sources, and collect verdicts and notes, but the context ends up scattered across multiple systems: SIEM, SOAR, chats, and reports written manually afterward. Because of that, work gets duplicated, tracking investigation progress becomes difficult, and rebuilding the full picture later is not always easy. I'm curious how you deal with this. Do you have a centralized investigation workflow, or is everything still spread across tools and chats? What happens automatically, and what do you have to do manually?