Podcast audio-only versions of weekly webcasts from Antisyphon Training
Hello, everybody. Welcome to today's Antisyphon Training Anticast. My name is Jason Blanchard, and here above me is Dan. He is also Haircutfish, and he's got a presentation about tickets, ticketing, or SOC stuff. Yeah.
Not Jason Blanchard:Something about that. Something about socks. Everybody's got socks. Some people have two different socks. That seems crazy.
Not Jason Blanchard:But Dan, you got a fantastic presentation for us today. I'm going to let you take over. I'm gonna go backstage. We will come back at the end of the webcast to take on some questions and fun stuff maybe. Take it away.
Not Jason Blanchard:I'll see you later. Bye.
Dan Reardon (Haircutfish):Okay. Thank you Jason for the lovely introduction. Today we're actually gonna be talking about the meme path into cyber. So basically gonna talk about using meme creation for scoring that first cyber role. We're gonna go over what software you need, how to edit photos in a fun and inventive way, and maybe if we have some time, show off some AI assistance for some of those harder to pull off ones.
Dan Reardon (Haircutfish):And as much as I'm sure you guys wanna hear about that, that's actually not the talk today. Yes, it was my April Fools prank. I thought it'd be fun. So I hope you're here to learn how to write SOC tickets that build trust and drive action. And without further stalling, let's get started.
Dan Reardon (Haircutfish):My name is Dan Reardon. Most of you know me as Haircutfish. I am currently a SOC analyst at ProCircular, an MSSP based out of Iowa. I've been with ProCircular for about a year and a half now, and while there, I've triaged over 2,500 SOC tickets, which include internals and client updates. I'm a husband to a super amazing supportive wife and I have three awesome kids.
Dan Reardon (Haircutfish):Previously, I have written an article in the BHIS Survival Guide Yellow Edition, which I have here and showed for a second. That was on cybersecurity training. My newest article, which is out now in the Survival Guide SOC Edition, is related to the very topic that we're gonna discuss today. Last thing about me, as you guys were made aware from that first slide, is I like to make memes of cybersecurity professionals, friends, etcetera. It's a fun hobby that helped kind of get me into cyber as well.
Dan Reardon (Haircutfish):So I need everybody to do something. As long as you're not driving, kinda close your eyes for a second. I need you to calm down, I need you to relax, get into a nice calm state. I want everybody nice and relaxed, and so now you can open your eyes, everybody's nice and calm like you're sleeping. So imagine it's 2AM, you're on call, and suddenly your phone rings, startling you from a wonderful dream. It's a high severity alert.
Dan Reardon (Haircutfish):Blurry eyed, you get out of bed and you head to your work computer, waking it to life. The login page burns your eyes until you get to the safety of dark mode. You navigate to the ticket queue and click on the high severity alert. Your computer would rather be sleeping as well as it takes what feels like an eternity to load that ticket. You begin searching the ticket history to see if there's any of this type of event that has occurred prior, and you do, you find one.
Dan Reardon (Haircutfish):Mentally you're cheering, you know that, hey, minimum brain power, got the triage steps, we know what to do. You load up that other ticket and all that's written is "maybe a false positive" with no other information, no linked tickets, and it's closed out as a false positive. It's time to hunker down, wake up, and triage this ticket. How many of you are having flashbacks right now? And how many of you, being honest, you don't have to put it in chat, have been the prior analyst that wrote that ticket that had nothing?
Dan Reardon (Haircutfish):I will admit, I've done it maybe once or twice, and it happens. Now that I've traumatized everybody, let's get on into it here. In my talk today we're gonna learn not only how to convey pertinent information, but how to provide guidance for future incidents. In addition, we'll learn what the elements are that are needed to make a great SOC ticket. As SOC analysts, we hold a unique position where we need to not only know how to talk technically, but how to talk to those who are not so tech savvy.
Dan Reardon (Haircutfish):We need to become almost like a tech Rosetta Stone, if you will. Our words need to convey weight to them. A weight that, when applied to something as simple as an internal note on a ticket, will tell the analyst months, maybe even years down the road what happened and how to solve it. But don't expect to be able to do this overnight. Like anything that matters in this life, it will take work.
Dan Reardon (Haircutfish):We need to build subroutines and work them as if they were muscles in our own body. It only gets stronger the more it is being used. We interact with others several different ways in our day to day work lives. This could be using a messaging app like Teams or Slack, or through a ticketing system like Jira or ServiceNow. It doesn't matter if you work in office, remote or hybrid.
Dan Reardon (Haircutfish):The only difference would be more face to face interactions for in-person and hybrid workers. All this to say, we have multiple channels of communication we utilize, and each one of them has its own standard that needs to be met to effectively get our point across. When we are talking with our coworkers or collaborating with other teams, there are usually two types of communication happening. The first type is work related. Some examples of this would be a work item that needs to be completed, leaving a note on a ticket you're triaging, or relaying information on upcoming downtimes or environment changes.
Dan Reardon (Haircutfish):The next type is the water cooler talk. This could be a coworker sharing that they went to a concert over the weekend, or the amount of energy drinks consumed today. For me, it's one and a giant cup of coffee. But this talk kinda helps us build bonds and connections between teams, especially those that work remotely. Another channel the SOC communicates on is with clients.
Dan Reardon (Haircutfish):That's if you're an MSSP, or the IT team if you're an in-house SOC, as well as leadership like C-suites. A lot of these interactions are going to be either through an email or ticket escalation, but there are some interactions over the phone or in meetings that may occur as well. What this means is we have to tailor our communications, whether written or verbal, to match the skill level of the person we are conversing with. If we're unsure of the person's skill level, the best course is to guide them like you would a family member or a friend that isn't very tech savvy. Because if we're not clear with what we're trying to communicate, it could lead to misunderstandings, delays, and even mismanagement of security incidents.
Dan Reardon (Haircutfish):Mean time to understand starts with us and expands outward. If we don't understand an alert or a detection, then try to explain that to someone, they might walk away not realizing the extent of what has occurred, which means we need to put thought into the words we use and how they are formatted so that our messaging is fully understood. To that end, the best way to start off a great SOC ticket is to have an internal note. This internal note should give clear indication of the thought process we went through while we investigated. We should be leaving detailed notes so that if the ticket is referenced at a later date, the person will know what evidence was found, exactly what the analyst did, and what next steps were taken, which in turn will help speed up the mean time to remediation tremendously.
Dan Reardon (Haircutfish):Do not overlook the power and future impact of a good internal note. And as I mentioned on the last slide, our words should be tailored to the people we are speaking to. As SOC analysts, we are essentially messengers, taking the information found and packaging it with our expert insight, then delivering it to the respective parties. We want our message to come across clear and concise. By choosing our words wisely, it will instill trust in both the SOC and us as individuals to those on the receiving end of the message.
Dan Reardon (Haircutfish):Let's take a quick look at a ticket escalation example. So we have just a simple ticket. Hey, everybody. A user jerry.ozure triggered a user risk event. Can you confirm the event was expected?
Dan Reardon (Haircutfish):CounterGuard SOC. So in the example, the ticket comes across a little too casual, as well as not providing enough information for the client to go off of. When did it happen? What was the IP address? Was it successful?
Dan Reardon (Haircutfish):The ticket is too vague in its messaging, which can lead to mismanagement, delays, and back and forth that ultimately can frustrate the client. So let's take a look at another example here. Hello, Simply Cyber Team. On March 27 at 3AM UTC, the user jerry.ozure triggered a risky user event logging into office home. The user's IP was x with the geolocation of Russia.
Dan Reardon (Haircutfish):No successful attempts were observed. Can you confirm the event was expected? CounterGuard SOC. Now we can see in this example that we've included the time that it occurred, the event type, the application being logged into, the source IP with its geolocation, and if it was successful. Overall a great update, giving the client plenty of information to make an informed decision.
Dan Reardon (Haircutfish):From our examples we can see that not having enough information will delay the resolution of an incident. On the other side of that, overloading the client with too much information would be like drinking from a fire hose. I want everybody, if you would like to answer this in chat, feel free. But when you get either a long email or a message, how likely are you going to read the entire message right then? I know for myself, if it's an overly long one, it will take me at least two to three times looking at that message to fully read it.
Dan Reardon (Haircutfish):I was gonna say I summarize, yes. Three lines max, 99%. It goes into ChatGPT. Nice. I love the answers.
Dan Reardon (Haircutfish):So yeah, we tend to read the first couple sentences and our brains are already done. And to that end, we wanna watch how much information we provide so as not to overload the client. We can do this by setting up standards that will help guide and organize what we are trying to convey. One way of doing this is by creating templates or canned responses for our most frequently typed items. A great example of this is: how many of us type out our signature when we send an email?
Dan Reardon (Haircutfish):Or do you do it every time? Or is that already put in there so it already populates? The same thing can be true about templates. A good template is written in a way so that you fill in the appropriate spots and you're good to go. Here is just a sample internal note template.
Dan Reardon (Haircutfish):So it kind of has it set up with the IP rep, location, device info, so that you just fill in those blanks and the note is ready to go. Then at least half the typing is already done. So during triaging, it helps you also keep focused on these key areas. So in this case, this would be a sample of, say, user login events. So once it's finished, if you do have any blank spaces, you can just remove them so they're not applied to the ticket.
Dan Reardon (Haircutfish):This also gives us a solid foundation to build an escalation upon. Templates help to augment our work so that we can focus on what really matters, keeping our clients safe and informed. So not only that, but we also have to structure our writing, and it matters. We don't wanna be sending people walls of text. A few years back, I was watching a Job Hunt Like a Hacker livestream with Jason Blanchard.
Dan Reardon (Haircutfish):We all kind of saw him in the pre-show, but if you're curious, that's what he looks like right there. During this stream, he was roasting people's LinkedIn profiles and it was my turn. At the time, my experience section was literally a wall of text items. It was pretty egregious. Jason said that when a potential employer attempts to read over this section, their eyes will glaze over and begin to seize looking at the looming brick wall of text in front of them.
Dan Reardon (Haircutfish):I'm paraphrasing of course, but the words still ring true. This is why when creating internal notes, escalations, emails, etcetera, we want to keep the text as visually friendly as possible. So looking back at the internal note template, it's broken down using a bulleted list. I use this style format every day, like several times daily. It helps to not only organize what I'm trying to convey, but also make it visually appealing so that I can easily glance over and understand what's going on.
Dan Reardon (Haircutfish):The idea of using the bulleted list also came from that same Jason Blanchard stream I just mentioned. So now we know to use templates and we understand the power of structure, but what do we fill it with? That is a great question, me, and I'm gonna answer it. We need to fill it with specific details from our investigation using the three whats. What were our findings?
Dan Reardon (Haircutfish):This will be key pieces of evidence found that would support whether an alert was a true or false positive. What did we do? This will be actionable steps that were taken while investigating. This could be isolating a host machine, resetting users' passwords, revoking active sessions, etcetera. What needs to be done next?
Dan Reardon (Haircutfish):This will be a list of next steps for the ticket. If you found an alert was a false positive, it would be listed here; explaining why you came to the conclusion that you did is an enormous help for not only you, but anybody in the future that comes to that ticket. The details matter. Without a good ticket internal or a well documented escalation, other teams' escalations would be vague and easily misinterpreted. With that, let's look at a good and bad example, starting with the bad. So here the ticket is "suspicious activity detected" and the analyst put: saw some weird PowerShell stuff on a dev machine, ran a scan and it came back clean.
Dan Reardon (Haircutfish):Probably a false positive from a scheduled task. Closing out, false positive. So the analyst is using very vague descriptions while leaving out key pieces of evidence that would support the finding. What do you mean by weird PowerShell? What machine was it on?
Dan Reardon (Haircutfish):How did they come to the conclusion they did? The internal note leaves more questions than it does answers, leading to double work to regather the evidence, thus wasting time, energy, and the sanity of another analyst that is gonna have to go back and redo all that work. So with that, let's look at the good example here. So the ticket is "High - Unauthorized PowerShell Execution". And so we have a summary here: the detection detected an obfuscated PowerShell script attempting to connect to a known malicious IP on workstation w k at a time dash nineteen eighty five.
Dan Reardon (Haircutfish):And so the analyst has included the investigation findings, as well as actions they took, and then the next steps that need to be taken. So giving the specifics for each step of the investigation journey, we can see the findings the analyst provided and that they deem this as a true positive, essentially. The analyst documented what steps they needed to do and isolated the machine and reset the user's credentials. So in this case, the final conclusion was reimaging the machine and monitoring McFly's account for unusual activity. While it seems like this slide has been focused on ticket internals, it is really for all types of social interactions we have on a daily basis.
Dan Reardon (Haircutfish):One of our daily interactions is with fellow SOC analysts and members of other teams within our respective companies. By siloing new information or work already completed, it could result in extra work being done by other analysts and wasting time and resources. Say you're working with a client on an important issue, then the end of the shift comes and you just peace out of there, you are gone. Not passing along what has been completed to the team, not documenting any findings or steps taken within the ticket, just no information whatsoever. The client tries to respond back but gets radio silence.
Dan Reardon (Haircutfish):Finally, they call into the SOC, like, trying to get answers. The on call attempts to unravel what has been done and the client is upset, and so is the on call. It can be very frustrating for both the client and other analysts to have to go back through and redo work that was already done. But looking at the flip side of this, you're in a meeting with a client going over monthly SOC reports. At the conclusion, the client tells you that they're switching their RMM tool of choice from ScreenConnect to Ninja RMM.
Dan Reardon (Haircutfish):Once the meeting is over, you send a message in Teams, Slack, whatever messaging app of choice, to your fellow analysts informing them of the changes. So if any tickets come in, it should be expected; they can still look into it, but you have proof that, hey, this is gonna be happening. Additionally, you document those changes within the client's data page in your company's internal KB or knowledge base. This will provide a resource for future reference of expected RMM tools when an alert triggers. A knowledge base or KB acts as a centralized information repository containing standards for daily SOC operation.
Dan Reardon (Haircutfish):A KB is essentially a living document, meaning if new information regarding existing ones is found, the document should be updated to reflect it. If a page hasn't been created or information isn't in there, find out why. Maybe no one has taken on the challenge of making it, or maybe a page doesn't exist but it's not being maintained. You should be striving to improve upon these resources for both our own benefit and future analysts as well. So I have a couple KB pages that are great to have if you don't already have them in.
Dan Reardon (Haircutfish):So a client datasheet, which is information regarding clients and their environments, so any changes that are made can be reflected on there and referenced if alerts occur. Then there are the frequently used SIEM queries. This is one that I reference in my own organization quite frequently, several times a day, but these are the SIEM queries that are used daily by SOC analysts that have been tested and approved by the team. Then there are the vetted SOC tools, tools that can help aid a SOC analyst in their daily work or with triaging, as well as the triaging playbooks, a step by step instruction manual on how to triage a certain ticket type or category. And so I reference my company's KB daily, not only the frequently used SIEM queries, but the playbooks.
Dan Reardon (Haircutfish):Having those referenced in there will help to not only speed up the process, but also you'll become more familiar with how it should be, and in turn becoming better every day. They are an amazing resource and I can't say enough about KBs, I love them. But it isn't just our immediate team we converse with. At times we may have sales reaching out asking for an explanation on a certain alert so they can end up going back to a client and explaining it to them. While some may be on different teams within our org, and granted those internal conversations may be more casual than that of client interactions, they still should be informative and helpful and again, taking into account the person's skill level.
Dan Reardon (Haircutfish):And so speaking of conversing with clients, as we craft our communications with them, we should be setting expectations. This could be explaining what we are doing from our end or if further information is needed. Letting clients understand what to expect will help them to be better prepared for the next steps. So we have some examples here. The first one is: we are currently investigating and will update you within the hour once completed. It's setting a time frame to tell the client, hey, this is being worked on, we will get you updated shortly.
Dan Reardon (Haircutfish):So it kinda reassures them that it's not just hanging in limbo. Then the second one: Splunk has mitigated the file y2k.exe. Was this file expected? Here we're getting confirmation from the client side on the legitimacy of events, files or applications so the ticket will be documented proof for future events. So if we're starting to see a bunch of tickets come in for this application, we'd wanna reach out and be like, hey, is this something you guys typically use?
Dan Reardon (Haircutfish):Would you like an escalation put in? So having that clear form of communication can help tremendously. Additionally, we don't wanna flood the client with long technical deep dives into, say, a threat actor's history or their favorite tools. But what we need to do is pass along that key information regarding what has either occurred or actions that need to be taken, so the client is both informed as well as given enough information to investigate on their end. So our example here: hello, at 10:23AM UTC we identified a successful login from Karl.Chonk@thesyndicate.com originating from a known malicious IP located in Cuba.
Dan Reardon (Haircutfish):We've revoked the user's active sessions and forced a password reset. At this time, the account is secure. Please confirm with the user if they are traveling. Here we are providing the client with all the relevant information of what occurred, actions that were taken, and set the expectation of what will need to be done next. Who knows, maybe Karl was in Cuba with his cat sightseeing.
Dan Reardon (Haircutfish):Stranger things have occurred. But what's the purpose of all of this, essentially? Which is another great question, Dan. You're on fire today. It's so that when an alert comes in, it isn't just sitting in a queue till we decide to take it.
Dan Reardon (Haircutfish):No. It's being handled with care. It is handled as if it's our own personal problem. Once we have finished investigating and have escalated the ticket to the client, we want the client to feel like they aren't alone during what could be the most difficult work day of their lives. Even if it is just a ticket we see daily within environments, a mundane ticket to us could be catastrophic to a client.
Dan Reardon (Haircutfish):The purpose is to show our clients that we are the right people for the job and they can trust us to detect, mitigate, and respond when that occurs. So I've shown you both good and bad examples, but how can we put what we learned today into practice? The easiest and quickest way is to read what we've already written. Sometimes my wife does like to yell at me because I like to use voice to text in my text messages to her, and I do not like to read them before I send them, and they usually get sent over very wrong. So she likes to tell me about that.
Dan Reardon (Haircutfish):But just reading what we have put down onto a ticket, an internal, we can easily see where there could be grammatical errors, sentences that don't flow properly, and correct those. My biggest thing is, as I'm typing, if I don't like how it sounds, I usually will erase and redo a sentence five or six times until it goes perfectly. Which actually will then give a final product that is accurate, clear, and concise. So to that end, if you haven't already, begin creating a repository of canned responses for your most frequent ticket types. These will be a pre-written escalation with areas that need to be updated with the evidence found during investigations.
Dan Reardon (Haircutfish):So here I've taken the ticket escalation example from the previous slide and turned it into a canned response. "Hello team, at [timestamp] we identified a successful login from [username]," and so we can easily see what needs to be updated prior to sending it to the client. I write my canned responses like this to make sure that no data is forgotten before sending it. The last thing you want to do is send a client a half filled canned response. It makes us look unprofessional and could degrade the trust that we are working so hard to build.
Dan Reardon (Haircutfish):But even if we have a fully crafted canned response, don't feel that you have to rigidly stick to what it says. There may be times you need to update it with more details or include things that are not originally in the template. The point is that we have a good skeleton essentially to work with that we can build upon to create an amazing response. And then as well, if you've created the escalation and you're still not quite sure it sounds and even looks right, ask your fellow SOC analysts. Sometimes it takes a fresh perspective to see what has been staring you in the face the whole time.
Dan Reardon (Haircutfish):A forest through the trees type of scenario. Don't be afraid to reach out to them. I'm sure they will be willing to proofread a ticket update to ensure the client is getting the best possible response. And the same thing goes for internals. You can put an internal on a ticket and be like, hey, these were my findings on this.
Dan Reardon (Haircutfish):Can you check it out and see if you're seeing the same thing or if I interpreted it correctly? And so it's an ever improving life cycle. So utilizing templates and ticket history allows us to expedite responses while making our investigation process repeatable. This sets a high standard for written communication and enables clear, concise conversations with our clients. By establishing these consistent patterns, we not only improve our immediate response times but also significantly reduce long term risk through better documentation and faster incident resolution.
Dan Reardon (Haircutfish):Effective communication is the bridge between technical detection and business resilience. When we move beyond just checking boxes and start using templates to provide clear context and actionable steps, we demystify the work of the SOC. This will demonstrate our true capabilities and shift the client's perspective of us from a source of friction to a vital extension of their own team. At the end of the day, a well crafted ticket is a handshake. It proves we aren't just watching a dashboard, we are working with them to protect what matters.
Dan Reardon (Haircutfish):And cyber security is a field of constant evolution and learning. While your current responses get the job done, they may not be as good as they can be. Consistently refining your communication and technical capabilities will yield better results over time. Take the initiative to build out shared resources like KB pages, templates and internal tools. As you improve your individual skills, you will elevate the entire SOC.
Dan Reardon (Haircutfish):This collective growth ensures that the team remains effective and that our clients stay protected against the ever changing threat landscape. And now as the webcast comes to a close, I know I'm a little early, I wanna send you forth: go and earn your clients' trust one well crafted SOC ticket at a time. I thank you guys for attending, I hope you enjoyed it, I hope you learned, and if you have any questions, please feel free to reach out.
Not Jason Blanchard:Yeah, well done, Dan.
CJ Cox:Yes, well done. You've obviously done... We were talking about your background back there about why does he present so well? How come he's just sitting there spieling it out without, like, stumbling all over?
Dan Reardon (Haircutfish):I go through and I literally write my script out, because if I don't, I will be stumbling around all over the place. Yeah. It's like what I said during the template, I believe, or the clear communication. I will go and rewrite sections constantly.
Dan Reardon (Haircutfish):And I hate the dreaded red squiggle, it makes me mad. And so I will go through and correct the spelling and all that right away, because I just don't like it.
CJ Cox:So like I said, I worked at a help desk. I know why I sometimes did shoddy work. Sometimes you're just tired, sometimes you're... whatever. But what is your finding like in SOCs?
CJ Cox:Is there enough time to do a good job?
Dan Reardon (Haircutfish):Yes. Yeah. There's always enough time to do a good job. It depends on your behavior, essentially, or your attitude. Are there gonna be times where you don't wanna write down everything?
Dan Reardon (Haircutfish):Yeah. That's just about everybody. But setting those standards in place and essentially also having those templates ready so it's less work you do have to do also eases that burden a lot.
CJ Cox:Yeah, that's templating. I made a comment in there about if you write the same thing three times and you haven't made a template, you're now remiss. And look, so I don't work in the SOC. I don't work at the help desk anymore. I have to respond to customers' questions, complaints, and things like boilerplating it. And I loved what you did with the flag in there.
CJ Cox:You turned the template into a checklist to make sure you hit all the elements. Oh, yeah. And then the other thing you were talking about, knowledge base and building the team's knowledge, I said that SOC analyst is a very monastic pursuit. You know, you're like you're working in the library or whatever in a big university. You're just building up the knowledge.
CJ Cox:And if you don't contribute to building that knowledge base, that's what's gonna pick up your pace is when you can tap into that.
Dan Reardon (Haircutfish):Oh, yeah. At the previous job I worked at, their knowledge base was very slim. Mhmm. And that was one of my tasks is I wanted to build in there some information. And the at ProCircular now, we do have a very robust one, but one of the things that me and the other analysts have been doing is building out that the the team triage queries.
Dan Reardon (Haircutfish):So that we have that standard of, hey, this ticket comes in, this is the query you wanna use for that to get the relevant information. And we're additionally like working on these playbooks as well to help not only have that checklist in there of, okay, start off, I wanna check for ticket history. Does this user or does this endpoint have a history of doing this? Okay. They don't mark that in the ticket.
Dan Reardon (Haircutfish):No history. Like, it's simple things like that that just elevate those internals and those escalations so much that it it seems insignificant, but it truly is like it helps dividends. Yeah. There's So there's a little comment going on
CJ Cox:that said, is there a public accessible KB we can use as a reference? Yeah. What's your
Dan Reardon (Haircutfish):I don't I can't say that I know of any at this time, but it would I'm sure somebody would has some kind of framework out there on GitHub or whatnot that would be like, hey, this is kind of how a KB should should be set up. I honestly, I never set one up myself, but it basically is just a location that your team can go to that has like the SOPs that need done. It could be, hey, I have a monthly meeting, what do I need, how do I discuss these things with the client? As I said, the triage, what I ended up doing, because I I've been trying to build out those, the queries, is I have what the query is, what it's it pulls, any changes that need to be made to it, as well as the query itself and a link into the sim that already populates the query in there. So like, I try and give as much information as possible so that you can learn what it is and be able to effectively use it.
CJ Cox:Yeah. Yeah. I was gonna ask the people who are still here. On a scale of one to 10, do you have a knowledge base, for one? And if you do, how good is it on a one to 10?
CJ Cox:How useful is it? Because I wanted to build one in the pen testing, and we have. We build a knowledge base. I mean, on the offensive side, when we try to build that. But again, the problem is people are so pressed to produce results, they tend to slack on making the contribution.
CJ Cox:So like one of the things that I'd like, how do I incentivize this? So we try to recognize contributions to encourage other people. I would say as a company, if you're not bonusing people for making great contributions to build that thing, because we are nothing in IT and security other than the knowledge. And that knowledge is in individuals' heads. Well, how do you share it across?
CJ Cox:Because we all know we're not gonna master all this subject matter.
Dan Reardon (Haircutfish):Yeah. And to include in that, like for the people that are mentioning, like, they don't have one or it's low or whatnot, don't feel like you have to get the entire thing built out right away. Build it in pieces. Like, that's exactly what makes it a living document: you're building it out in pieces. Is it ever complete?
Dan Reardon (Haircutfish):No. No. But you're gonna keep building on it, and then there'll be the changes being made. You're gonna improve upon it, what have you. If you're doing something constantly, put something in that KB.
Dan Reardon (Haircutfish):If it's something that kinda calls to you as well, talk to your manager and be like, hey, I'd like to help with some of the documentation in this. Be that, a lot of the times you need to be the one that's like, yeah, I want to do this. Like people can't read your minds. You have to go to them. This is such a huge,
CJ Cox:perfection is the enemy of the good. We get paralyzed, just like when you get writer's block about writing. You're not gonna get it all in there. The thing is to build it. My thing is, hey, the knowledge base is wrong.
CJ Cox:For God's sakes, if you see something wrong in the knowledge base, take action. It's like, can't wait. Oh my goodness. Yeah, we used Obsidian as well. There's a bunch of great tools out there.
CJ Cox:I actually used, this is like I said way back in the help desk days, I just used the ticket database, keyword searching, and that was in 1989.
Dan Reardon (Haircutfish):I think looking at ticket history is also overlooked as being as helpful as it can be. Like, looking for the times that you've already written something helps you to, one, not have to rewrite it, and it's less brainpower you have to work on that. Though, again, templates. One of the things that I like to do with my queries, depending on what it is, is I try to bake the response right into the query, so that if it tends to be true positive, hey, that response is already made with the information populated, and it's just a copy paste and making sure that it's formatted properly. And it's not that you're doing it to not work as hard, it's you're still working as hard.
Dan Reardon (Haircutfish):You're trying not to work as much on the formatting issues as you are on looking at this information to ensure that it is correct. It does lead to this, and I'm explaining how I got there.
CJ Cox:Someone asked, okay, which do you think is worse? KB with missing entries, or KB with entries that are not, no longer correct? I'm gonna go with the missing is worse, because I love building on other people's failure. It's just so much easier. It's just so easy to go on what they've got.
Dan Reardon (Haircutfish):It Yeah. Oh, that is a hard one.
CJ Cox:Now
Dan Reardon (Haircutfish):Of course, I'm probably overthinking it like I do everything. Because I'm thinking the stuff that's not correct, is it just outdated and it needs updated? They're both bad, in my opinion, because the outdated could mislead the analyst down a road that, hey, it's not supposed to go. But if you don't have it there, it also is like, they don't know what to do.
CJ Cox:Mike, is there a wrong There's a reason for the wrong entry, and it's an opportunity to flag that and have that person learn. Because if they walked away from that ticket wrong, I mean, maybe it's just history, right? They learned after the fact, but it's a chance to flag the wrong stuff and move forward. Mhmm. So it's like somebody who complains.
CJ Cox:It's like I'd rather have the complainer, I'd rather have the customer who complains because I know about it, and I can start taking action.
Dan Reardon (Haircutfish):Yeah. You can fix what you know, you can't fix what you don't know. A great help that I've had in previous jobs, and I have it at this one, is QA. Having, like, a meeting with fellow analysts or whatnot where you're critiquing your tickets. You'll go through a swath of different tickets ranging from high severity to low.
Dan Reardon (Haircutfish):You want to not maliciously poke holes in what they're doing, but you wanna construct it to be like, hey, these were the spots that were missed that we need to improve upon, here were the spots that did hit and you did good. And you wanna not ever leave that feeling like, hey, I'm being attacked. No. Use it as points of improvement going forward. Yeah.
CJ Cox:Someone said, I do like criticizing people. Yes, we all like throwing rocks. But we have a saying here, and that's one of the cultural points we have is when you lose, don't lose the lesson. So you really gotta have that, again, sort of like said, the monastic knowledge focus is kinda part of the culture you need to succeed. Also, it's gotta be the learning, and that failure's just a step on the way to success.
CJ Cox:So you've gotta turn those around from failures and ego crushes and those things to, hey, why was this wrong? You know, what caused this error, and to grow from that, I
Dan Reardon (Haircutfish):think, so. I think some of that too is you have to take accountability and responsibility. I've seen a lot where people are quick to shift the blame, and I know in the past I have done that myself, but yes, it sucks to be like, yeah, that was my fault, I'm sorry. It is that step in the right direction being like, I'm acknowledging I did wrong, now I can improve upon it. But the people that don't ever admit that, hey, yeah, I didn't include that in the ticket are just, they're saying, no, I did it right the first time, I'm good.
Dan Reardon (Haircutfish):But that's a culture.
CJ Cox:The culture can't be punishing, it's gotta be learning focused. Exactly. That comes from your top. You can try to generate it at the grassroots. And then just my thing is, because I'm looking for aspiring leaders, right?
CJ Cox:Like, if you're in a bad culture, take notes on what's bad, and try to fix it, and then when you go somewhere else, and when you get a little power,
Dan Reardon (Haircutfish):do some good. So Oh, yeah. Yeah. Always question Oh, go ahead.
CJ Cox:Oh, yeah.
Dan Reardon (Haircutfish):I'm looking at the Zoom.
Brett Jones:There's a couple questions in there. One was, what guidance or best practices can help analysts ensure their wording remains objective and avoids subjective language?
Dan Reardon (Haircutfish):So I would say when you're writing it out, are you writing your opinion or are you writing facts?
CJ Cox:Mhmm.
Dan Reardon (Haircutfish):Because you should be writing facts. If you start straying into the realm of opinion, that's when you're hitting it to be subjective. So it could end up being, I find myself doing this and I have to keep, like, stopping. It'll be, hey, the firewall stopped this. And I started out actually writing a ticket, and I was like, hey, this should be the result of that. I was like, no, it is the result.
Dan Reardon (Haircutfish):Like, this is the result. Like, being factual will help in that if you remain factual, essentially. Yes. I think you wanna be clear. Clearly identify facts.
Dan Reardon (Haircutfish):I'm
CJ Cox:not hesitant to state an opinion, but I try to make it clear that it is an opinion. I know that when we did military writing, you did investigations, you would specifically cite due to fact a, b, and c, I believe that, boom, right? I think hypotheses are not a bad thing to do. I mean, complex SOC situations are probably gonna call for it. So you'll have super simple tickets, but you might have bigger involved things. I think being clear is the, be clear when you're waging an opinion.
Dan Reardon (Haircutfish):Yes. Yes. So I was gonna say, I pulled up the QA here. Let's see what we got. I'll try and answer a few of these in here.
Dan Reardon (Haircutfish):So there was a really Looking good
Not Jason Blanchard:at that, there's a thought I had while you're talking about Oh, yeah. Learning and improving on stuff. And it's that there's a lot of skills out there that are like a practice. Call their work practice. Lawyers call their work practice.
Not Jason Blanchard:It sounds like SOC stuff is similar in that way. A lot of similarities, at least from my perspective, that, you know, it's all it's always an evolution. You're always looking to improve. You you never like CJ said, you're never gonna stop learning. You're never gonna stop working towards improving your your efforts, your practice.
Not Jason Blanchard:I mean, hosting a webcast is a practice.
Dan Reardon (Haircutfish):It the nature Mine appear on it. But It's the nature of cybersecurity. It's a constantly evolving landscape that requires diligence and learning. If you are not willing to be learning every day and making changes, it's probably not the best career path for you to be completely honest. But that doesn't mean that you it's not a good experience.
Dan Reardon (Haircutfish):And a lot of what I discussed today doesn't necessarily have to strictly be SOC related. A lot of it can involve sales, it can involve any department, not even cybersecurity. They're great skills to help speak to humans essentially, like how we speak to each other. It's a great way of doing that.
CJ Cox:That curiosity is obviously required around the tech stuff. But this soft skill and pointing at the writing, same thing as Ryan just said, it's a practice. And your writing, you can continually improve. The question is you gotta get to a balance point. You've got time constraints.
CJ Cox:You have energy constraints. You're trying to do the best job you can, and you're trying to get better and more efficient at it as you go. And that's why I like your soft skill focus, Dan, talking about
Dan Reardon (Haircutfish):Thank you. The nuts and bolts down here. I do see a question that says, anonymous attendee, how to explain things to non-technical teams, what analogy should we use? And so my thought on this goes back to when I was doing my write-ups on TryHackMe rooms. I was writing them in a way that it's somebody maybe coming to the computer for the first time.
Dan Reardon (Haircutfish):Try, like, you can use analogies, and I can't speak to one specifically because it's all gonna depend on the situation, but try and speak in terms that are not necessarily technical that would end up equating, if that makes sense. Like, you have somebody, risky user alert. Hey, this is somebody logged in from an IP that is saying it's located in, in my example, Russia. Can you confirm with us that the user is where they say they are and that it is expected? And so giving them the information they need, timestamp, please include timestamps in your updates, because if you ever have to look something up and you don't have a timestamp, it makes it so much more frustrating.
Dan Reardon (Haircutfish):So include a timestamp. But, yeah, what can explain those timestamps? I recently started switching to Central time because that's where my company is based out of, so a lot of our clients are there. So I switched to that, but for the longest time, I used UTC because I feel it's universal. Everybody will end up knowing, and it could be less translation from that point.
CJ Cox:Excellent stuff. Oh, the last little chew I wanted is I was talking to our pen test team about when they're taking technical notes during a test. Are you using any audio voice-to-text stuff in taking notes? Are you starting to see any traction for doing that?
Dan Reardon (Haircutfish):Honestly, I've never thought about doing that, especially with my track record with voice-to-text. I don't mind the typing aspect of it. I don't really mind typing things out. But yeah, if I'm typing stuff more than three times, I'm making something that gets copy paste.
CJ Cox:Our testers said. They're like, no, I'm good with typing. Copying from the screen and pasting. I just got an app called Whisper Flow, and it's for Mac and iOS stuff only. But it's actually, it's got a lot of AI built into it.
CJ Cox:And it can learn your lingo. It can correct things like, one of the things you can do is you can say, Let's meet tomorrow. No, let's make that next week at seven. And it doesn't type everything you said, it fixes it. And so the ability for me to, like, dump a stream, and you know, I do softer things responding to clients, but to me that can be some time savings. But I don't think it's all there yet, so I was just curious.
Dan Reardon (Haircutfish):Okay. I see two questions here. What time are we done with this, Ryan?
Not Jason Blanchard:We've got about four minutes left on the official webcast. We can go a little bit over if you
Dan Reardon (Haircutfish):want. I'm gonna try and answer some of these questions I'm seeing here in Zoom. The first one that's real quick, do you recommend a specific clipboard manager? I use Sublime Text. That's where I put them in. I've been transferring certain ones over to the KB, depending on the queries, but I usually have a Sublime Text and I have just folders and I try and make it nice, but I do have a document that's just literally canned responses that I will copy and paste from.
Dan Reardon (Haircutfish):Then, how did I get started in the SOC? So I started a year and a half ago, essentially. I started at a SOC at another company, and I was there for about three months, and that was actually the first year I went to Wild West Hackin' Fest, which was super fun. Hey, that's coming up in October. You guys, hey, come to Wild West.
Dan Reardon (Haircutfish):I plan on being there. We can say hi. Meet up. Meet you.
Dan Reardon (Haircutfish):It took me probably from 2020 to 2023 till I got a role in cyber. My learning experience has all been YouTube, some Udemy, just going out there and finding the knowledge, TryHackMe. But the key thing to getting a SOC role other than learning and putting that in is networking. Meet people in the community. Go talk with them.
Dan Reardon (Haircutfish):Go learn. Go to a BSides. Learn all that you can. Meet all these wonderful people because you are fighting against countless amounts of people trying to get the same job you are. You need to find that leg up, and one of them is making friends in the community.
Not Jason Blanchard:And one way to do that is to go to Wild West Hackin' Fest.
Dan Reardon (Haircutfish):That's right.
Not Jason Blanchard:Or your BSides.
CJ Cox:Little I b
Dan Reardon (Haircutfish):I was gonna say, the conferences I'm going to this year: BSides Charm, I will be at. BSides Harrisburg, I will, though my head might be down in my laptop there because I like to do the CTF, which if it is and you wanna say hi, come over and say hi. Feel free to bother me, I don't care. And then I'll be at Wild West Hackin' Fest. I'm volunteering again this year.
Dan Reardon (Haircutfish):I went the last two and I love it every time.
Not Jason Blanchard:Awesome. We are right about at the top of the hour. So any final questions there that we really should address before we go? Well, I think we're good to go.
CJ Cox:Who's Final thoughts. Perfect execution, Dan.
Not Jason Blanchard:Thank you. They're awesome. Yes. Fantastic job. Slides are quite entertaining to look at.
Dan Reardon (Haircutfish):Didn't see that one. It says, put your favorite John Strand meme into chat. Did anybody do that or did everybody miss it? There were bunches.
Not Jason Blanchard:There
Dan Reardon (Haircutfish):were. There's one.
Not Jason Blanchard:If anybody's watching this right now and saying where are those slides, where can I get a copy of that, if you look into the resources channel in both Zoom or Discord, you can find the link to the slide deck. Check them out. There are URLs and resources in the slide deck, so you can have that for later use and come back and revisit this. That's it. Thank you everybody for coming to our Antisyphon Anticasts today.
Not Jason Blanchard:We've got Dan. He did a fantastic job. We got CJ. Thank you, CJ. Thank you, Brett, or Sweden.
Not Jason Blanchard:Sweden? Sweden? I'm calling you Brett. Joyce. Thank you guys for tackling those questions at the end of today's Anticasts.
Not Jason Blanchard:I appreciate it because I am not actually Jason Blanchard, by the way.
CJ Cox:What? Oh my No. I it. It was a deepfake the whole time.
Not Jason Blanchard:You've been deepfaked. So if if you're new to this webcast, and you're like, wait a minute, he's not Jason? No, I am not. Jason had a sick day today, or an ill day, or what he's just he's just not here. And I came in to be substitute Jason Blanchard for the day, which just happened to be April 1 sort of a day, so we went with it.
Not Jason Blanchard:And if you're watching the YouTube recording, you may be like, what was that all about? And that's probably because the preshow banter has been trimmed off already. So, yeah, I pretended to be Jason for the first thirty minutes of our live webcast. And if you missed preshow banter and you're like, what's that all about? Join us early on our next Anticast.
Not Jason Blanchard:You'll find out how that goes. You'll you'll be in the know. So we do trim that off later on on YouTube. But again, thanks everybody. The recording's on YouTube.
Not Jason Blanchard:You're registered on Zoom. You'll get an email for the recording, and until next time. Substitute Ryan. Not really a substitute, but April 1, Ryan. Go ahead and kill it with fire.
CJ Cox:Bye bye.