Case Study · Enterprise SOC
IT Operations Center Analyst
Environment
24/7 enterprise SOC — regional transit authority
Operational context
Sound Transit operates light rail, commuter rail, and bus service across the greater Seattle metropolitan area — critical public infrastructure running around the clock. The SOC operated on a 24/7 continuous monitoring model with no scheduled downtime windows, requiring strict SLA discipline and rapid escalation capability.
The environment combined traditional enterprise IT with transit-specific operational technology integrations, including law enforcement adjacencies that triggered CJIS Level 4 compliance requirements across the security operations team.
Security toolchain
Splunk served as the primary SIEM — the backbone for correlation rules, alert triage, and post-incident investigation. SolarWinds and Blackrock3 provided complementary network and endpoint visibility. ServiceNow was the ITSM platform for ticket lifecycle management and SLA tracking.
Compliance Framework
Zero violations across all frameworks
Sound Transit's SOC operated under a layered compliance obligation. Law enforcement integrations within the transit authority required full CJIS Level 4 clearance and strict data handling protocols. Healthcare-adjacent employee systems introduced HIPAA requirements. All security operations were governed against the NIST SP 800-53 control framework throughout the engagement.
Contributions
What I built and how it moved the numbers
Python alert validation pipeline
The SOC's highest-friction problem was false-positive fatigue — analysts spending significant time triaging alerts that first-pass logic could have dismissed or auto-classified. I built a Python automation layer that performed first-pass validation on incoming alerts: IP reputation checks against threat intelligence feeds, asset classification lookups to contextualize the affected endpoint, and historical behavior comparison to identify known-safe patterns. Alerts that failed validation were flagged for analyst review with enriched context already populated. This eliminated the manual enrichment step on a large percentage of inbound alerts and compressed mean time to response by 40%.
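To make the three validation steps concrete, here is an added illustration of that first-pass logic in Python. It is example code written for this page, not the pipeline built during the engagement; the threat-intel set, asset inventory, 90-day baseline and the four sample alerts are all constructed (documentation IP ranges and hypothetical hostnames), and the `escalate` / `review` / `auto_close` actions are illustrative labels. The point it shows is ordering: reputation and asset criticality are checked before any auto-close decision, and anything that cannot be contextualized (an unknown asset, no baseline) lands in the analyst queue with the enrichment already attached.

```python
"""First-pass alert validation: reputation check, asset context, baseline comparison.
Illustrative example; all data below is constructed, not from a real SOC."""
import ipaddress
from dataclasses import dataclass, field

# Hypothetical indicator list (stand-in for a threat-intel feed); documentation ranges only.
THREAT_INTEL = {"203.0.113.7", "198.51.100.42"}

# Hypothetical CMDB extract: hostname -> criticality tier and owning team.
ASSET_INVENTORY = {
    "rail-scada-gw01": {"tier": "critical", "owner": "OT"},
    "hr-file01":       {"tier": "high",     "owner": "IT"},
    "kiosk-17":        {"tier": "low",      "owner": "IT"},
}

# Constructed "known-safe" history: (src_ip, dst_host, dst_port) tuples seen daily for 90+ days.
BASELINE = {
    ("10.20.0.15", "hr-file01", 445),
    ("10.20.0.15", "kiosk-17", 443),
}


@dataclass
class Alert:
    alert_id: str
    rule: str
    src_ip: str
    dst_host: str
    dst_port: int


@dataclass
class Verdict:
    alert_id: str
    action: str                      # "escalate" | "review" | "auto_close"
    reasons: list = field(default_factory=list)
    context: dict = field(default_factory=dict)   # enrichment handed to the analyst


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip).is_private


def validate(alert: Alert) -> Verdict:
    """Enrich one alert and decide whether a human needs to see it."""
    v = Verdict(alert.alert_id, "review")
    asset = ASSET_INVENTORY.get(alert.dst_host, {"tier": "unknown", "owner": "unknown"})
    ti_hit = alert.src_ip in THREAT_INTEL
    in_baseline = (alert.src_ip, alert.dst_host, alert.dst_port) in BASELINE

    # Enrichment is populated regardless of outcome so the analyst never redoes it.
    v.context.update(
        asset=asset,
        src_scope="internal" if is_internal(alert.src_ip) else "external",
        threat_intel_hit=ti_hit,
        matches_baseline=in_baseline,
    )

    # Hard escalations come first: a baseline match must never mask these.
    if ti_hit:
        v.action = "escalate"
        v.reasons.append("source IP present in threat-intel feed")
    if asset["tier"] == "critical":
        v.action = "escalate"
        v.reasons.append("destination is a critical asset")
    if v.action == "escalate":
        return v

    # Auto-close only a known-safe pattern against an asset we can actually classify.
    if in_baseline and asset["tier"] != "unknown":
        v.action = "auto_close"
        v.reasons.append("matches 90-day known-safe pattern on a non-critical asset")
        return v

    # Everything else stays in the queue, with the reason the pipeline could not decide.
    if asset["tier"] == "unknown":
        v.reasons.append("destination host not in asset inventory")
    if not in_baseline:
        v.reasons.append("no historical baseline for this src/dst/port")
    return v


def run_pipeline(alerts):
    return [validate(a) for a in alerts]


def summarize(verdicts):
    counts = {"escalate": 0, "review": 0, "auto_close": 0}
    for v in verdicts:
        counts[v.action] += 1
    return counts


# Constructed inbound alerts.
SAMPLE_ALERTS = [
    Alert("A-1001", "SMB lateral movement", "10.20.0.15", "hr-file01", 445),
    Alert("A-1002", "Inbound scan", "203.0.113.7", "kiosk-17", 22),
    Alert("A-1003", "New RDP session", "10.20.0.88", "rail-scada-gw01", 3389),
    Alert("A-1004", "Unusual HTTPS", "10.20.0.99", "unknown-host", 443),
]

if __name__ == "__main__":
    verdicts = run_pipeline(SAMPLE_ALERTS)
    for v in verdicts:
        print(v.alert_id, v.action, "|", "; ".join(v.reasons))
    print(summarize(verdicts))
```

Running it closes A-1001 automatically, escalates A-1002 (indicator hit) and A-1003 (critical OT asset), and leaves A-1004 for review because the host is not in inventory. In a production pipeline the auto-close branch is the one to audit most carefully: it should be tied to a baseline that is recomputed on a schedule, not a static allowlist, or it quietly becomes a blind spot.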
Correlation rule tuning on network and endpoint telemetry
Out-of-the-box Splunk correlation rules generate signal appropriate for generic environments — not for a transit authority with law enforcement integrations and transit-specific operational technology. I tuned the correlation rule set on both network traffic and endpoint telemetry data sources, adjusting thresholds, adding environment-specific exclusions for known-safe operational patterns, and building new rules targeting the threat patterns most relevant to the environment. The result was a cleaner alert queue with higher signal-to-noise and fewer analyst interruptions for non-actionable events.
Rebuilt ServiceNow ITSM workflows
The existing ServiceNow workflows were designed around generic ITSM process flows that did not reflect how the SOC actually operated — escalation paths were wrong, SLA tracking was misaligned with real incident severity classifications, and analysts were spending time managing ticket state rather than managing incidents. I rebuilt the workflows to match actual SOC escalation paths: correct routing, accurate SLA windows tied to incident priority, and reduced manual state management. The rearchitected workflows allowed analysts to stay focused on incident work rather than ticket administration.
SOPs and incident playbooks
The team lacked standardized written procedures for common incident types — knowledge was informal, distributed across individuals, and not transferable at scale. I wrote a standardized SOP and playbook library covering the most common incident categories the SOC handled, including escalation protocols, handoff procedures for shift transitions, and step-by-step response guidance for specific alert types. The documentation became the primary reference material for new analyst onboarding and reduced the time required to bring new analysts to independent operational capability by 25%.
Skills Demonstrated