Use Case

On-call SOC workflows that fit on a phone.

An on-call SOC is a security operations team that maintains 24×7 coverage by rotating who carries the pager. PocketSOC supports on-call SOC workflows through portal-managed credentials, group-based push notification routing, on-call schedule integration, biometric-protected actions, and per-device audit visibility. Teams configure vendor connections once in the PocketSOC Portal and assign them to groups; only the on-call rotation receives push notifications outside business hours.

The problem

A SOC team of six analysts rotates the on-call duty across nights and weekends. The team needs every analyst to be able to triage incoming alerts and take containment actions, but only the person on rotation should be woken up. Sharing API credentials by email is a non-starter. Letting every analyst configure their own credentials means inconsistent scope and no central revocation. There has to be a way to manage this from one place.

The PocketSOC workflow

  1. A SOC admin configures vendor connections (CrowdStrike, Defender, GuardDuty) once in the PocketSOC Portal
  2. Admin creates groups (e.g., "Tier 2 On-Call") and assigns the vendor configs to each group
  3. Analysts are invited to the appropriate groups via the portal
  4. An on-call schedule is configured so that only the active rotation receives push notifications
  5. Each analyst signs into PocketSOC; the app pulls the vendor configs assigned to their groups
  6. Devices are visible in the portal — admins can deactivate any device immediately if it's lost or an analyst departs
  7. All actions are logged with the analyst's identity in the vendor audit trail and in PocketSOC
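The routing and revocation logic that the seven steps above describe can be modelled in a few dozen lines. The following is an added illustration, not PocketSOC's code or API: the data shapes (a group-to-analyst map, a group-to-vendor-connection map, a list of rotation windows, a device registry and an audit list), the business-hours window and the sample team are all assumptions constructed for this example. It shows the two properties a reviewer would want to check in such a design: an alert outside business hours reaches only the on-call analyst's active device, and deactivating a device in one place stops both its push delivery and its ability to pull vendor configs or take actions, with every action attributed to an analyst identity.

```python
"""Illustrative model of group-based push routing with an on-call schedule
and central device revocation. Constructed example; not PocketSOC's code."""
from dataclasses import dataclass, field
from datetime import datetime, time

# Assumed business-hours window (Mon-Fri 09:00-17:00), constructed for this example.
BUSINESS_START = time(9, 0)
BUSINESS_END = time(17, 0)


def _parse(at):
    """Accept either a datetime or an ISO 8601 string."""
    return at if isinstance(at, datetime) else datetime.fromisoformat(at)


@dataclass
class Device:
    device_id: str
    analyst: str
    active: bool = True


@dataclass
class Rotation:
    start: datetime   # inclusive
    end: datetime     # exclusive
    analyst: str


@dataclass
class Tenant:
    groups: dict                                   # group name -> set of analyst ids
    vendor_configs: dict                           # group name -> list of vendor connections
    rotations: list                                # list of Rotation windows
    devices: dict = field(default_factory=dict)    # device_id -> Device
    audit: list = field(default_factory=list)      # (actor, action, target) tuples

    def on_call(self, at):
        """Analysts whose rotation window covers the instant `at`."""
        at = _parse(at)
        return {r.analyst for r in self.rotations if r.start <= at < r.end}

    def in_business_hours(self, at):
        at = _parse(at)
        return at.weekday() < 5 and BUSINESS_START <= at.time() < BUSINESS_END

    def route_alert(self, group, at):
        """Device ids that receive a push for an alert raised for `group` at `at`:
        the whole group during business hours, only the active rotation outside
        them, and never a deactivated device."""
        members = set(self.groups[group])
        targets = members if self.in_business_hours(at) else members & self.on_call(at)
        return sorted(d.device_id for d in self.devices.values()
                      if d.active and d.analyst in targets)

    def configs_for_device(self, device_id):
        """Vendor connections a signed-in device may pull: the union over its
        analyst's groups, or nothing once the device has been deactivated."""
        dev = self.devices[device_id]
        if not dev.active:
            return []
        names = set()
        for group, members in self.groups.items():
            if dev.analyst in members:
                names.update(self.vendor_configs.get(group, []))
        return sorted(names)

    def deactivate_device(self, admin, device_id):
        """Central revocation: one flag flip removes pushes, configs and actions."""
        self.devices[device_id].active = False
        self.audit.append((admin, "deactivate_device", device_id))

    def take_action(self, device_id, action, target):
        """A containment action from a device: refused if the device is inactive,
        otherwise recorded with the analyst's identity rather than the device's."""
        dev = self.devices[device_id]
        if not dev.active:
            raise PermissionError(f"device {device_id} is deactivated")
        self.audit.append((dev.analyst, action, target))
        return True


def build_example_tenant():
    """Constructed sample data: six analysts in one on-call group, one device
    each, and a single weekend rotation (Fri 2024-06-07 17:00 to Mon 09:00)."""
    t = Tenant(
        groups={"Tier 2 On-Call": {"ana", "ben", "cat", "dan", "eve", "fay"}},
        vendor_configs={"Tier 2 On-Call": ["crowdstrike", "defender", "guardduty"]},
        rotations=[Rotation(datetime(2024, 6, 7, 17, 0), datetime(2024, 6, 10, 9, 0), "cat")],
    )
    for i, analyst in enumerate(sorted(t.groups["Tier 2 On-Call"])):
        t.devices[f"dev-{i}"] = Device(f"dev-{i}", analyst)
    return t


if __name__ == "__main__":
    t = build_example_tenant()
    print("Saturday 03:00 ->", t.route_alert("Tier 2 On-Call", "2024-06-08T03:00"))
    print("Monday 11:00   ->", t.route_alert("Tier 2 On-Call", "2024-06-10T11:00"))
    t.deactivate_device("admin", "dev-2")
    print("after revoking dev-2 ->", t.route_alert("Tier 2 On-Call", "2024-06-08T03:00"))
```

The design point worth noting is that the device, not the analyst account, is the unit of revocation: a lost phone is cut off without touching the analyst's group membership or the vendor credentials, while the audit entries still carry the analyst identity so the vendor-side trail and the PocketSOC-side trail agree on who acted.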

Outcomes

Supported vendors for this workflow