2. Analyst Profile
The analyst profiles help you to understand which skills are recommended and required to complete a successful log analysis. The THOR scanner actually performs a live forensic analysis on the end systems and highlights elements using the internal signature database. The best possible analyst for these events is someone with experience in digital forensics, incident response or malware analysis.
The expert in digital forensics knows how to spot and qualify suspicious elements.
The incident responder understands adversary tactics, hack tools, lateral movement methods and the many different ways to achieve persistence on an end system.
And the malware analyst has the right mindset and experience to evaluate at least the elements that involve backdoors and persistence methods.
We recommend a two-tiered analysis process in which a second level analyst, with the skill set described above, processes log lines that have been pre-qualified by first level analysts.
2.1. Recommended / 2nd Level
Incident Response Specialist
2.2. Required / 1st Level
Professional with security background
Knowledge of Microsoft Windows internals (Administration, Development)
Security analyst with Antivirus log analysis background