
Security Operations Centre — SIEM, EDR, forensics, MITRE-aligned detection

Primary statement

A compliant SOC capability comprises: (1) a SIEM with correlation across log sources and MITRE ATT&CK-aligned detection rules (SEBI DE.4); (2) EDR on all endpoints with continuous behavioural monitoring and automated containment (RBI DE.7); (3) analysis of potentially adverse events (NIST DE.AE-02); (4) forensic capability, either an internal team or a CERT-In empanelled vendor on retainer (SEBI RS.3 + RBI RS.3); (5) post-incident lessons learned feeding the IR plan, control improvements and awareness updates (SEBI RC.4); (6) the Cyber Capability Index (CCI) for SEBI MIIs and Qualified REs.

Audit-fatigue payoff

A unified SOC programme — SIEM with MITRE-aligned rules + EDR + forensics retainer + lessons-learned cycle — satisfies SOC requirements across all 9 contributing frameworks. The MITRE ATT&CK alignment is the audit-defensible technical anchor.

Strictness matrix

Scope
SIEM correlating logs across ALL sources: identity providers, network devices, endpoints, applications. Detection rules covering the MITRE ATT&CK tactics and techniques relevant to the organisation's threat model.
Ceiling source: sebi_cscrf:CSCRF.DE.4
Rationale: SEBI CSCRF DE.4 with MITRE ATT&CK alignment specifies the broadest detection scope.
Threshold
Forensic threshold: internal team OR CERT-In empanelled external vendor on retainer. Chain of custody preserved (acquisition hashes and a signed handover log for every artefact). Industry-standard tools. The empanelment requirement is binary: the retainer firm either holds current CERT-In empanelment or the control fails sectoral audit.
Ceiling source: sebi_cscrf:CSCRF.RS.3
Rationale: SEBI CSCRF RS.3 CERT-In empanelment is the binary forensic threshold.
Method
(1) SIEM correlating logs across all sources; (2) MITRE ATT&CK-aligned detection rules tuned to the threat model; (3) EDR on all endpoints with behavioural monitoring and automated containment (RBI DE.7); (4) adverse event analysis (NIST DE.AE-02); (5) forensic capability, internal team or CERT-In retainer (SEBI RS.3); (6) post-incident lessons learned cycle (SEBI RC.4); (7) Cyber Capability Index (CCI) for SEBI MIIs and Qualified REs.
Ceiling source: sebi_cscrf:CSCRF.DE.4
Rationale: SEBI CSCRF DE.4 with MITRE alignment is the most prescriptive method.
Frequency
SIEM correlation: continuous (real-time). Detection rule tuning: continuous, and whenever a technique is added to the threat model. EDR behavioural rules: continuous. Forensic retainer test: annual exercise. Post-incident lessons learned: per incident. CCI re-assessment: annual minimum.
Ceiling source: sebi_cscrf:CSCRF.DE.4
Rationale: Continuous detection cadence with an annual retainer test is the audit-defensible reference.
Evidence
Required evidence: (1) SIEM configuration + log source inventory; (2) MITRE ATT&CK rule coverage matrix; (3) EDR deployment + sample behavioural alerts (RBI DE.7); (4) forensic retainer agreement + current CERT-In empanelment certificate; (5) sample forensic engagement records; (6) post-incident lessons learned records (SEBI RC.4); (7) CCI assessment for SEBI MIIs and Qualified REs.
Ceiling source: sebi_cscrf:CSCRF.DE.4
Rationale: SEBI CSCRF DE.4 evidence with the MITRE coverage matrix is uniquely strict.

Auditor test pattern

Step 1: Inspect SIEM configuration and log source inventory; confirm at least one onboarded feed from each class (identity provider, network, endpoint, application), not just that the class is listed.
Step 2: Inspect the MITRE ATT&CK rule coverage matrix; verify alignment with the threat model. Count a rule as coverage only if it is enabled and the log sources it depends on are actually onboarded.
Step 3: Sample 3 recent SIEM alerts; trace each to the analyst response.
Step 4: Inspect EDR deployment and a sample behavioural alert.
Step 5: Inspect the forensic retainer agreement; verify CERT-In empanelment against CERT-In's published list, current at the audit date, not the vendor's own claim.
Step 6: For SEBI MIIs and Qualified REs, inspect the CCI assessment and the closure status of its findings.
Step 7: Inspect post-incident lessons learned for a sample incident and trace at least one action to a changed control.
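Steps 1 and 2 can be run as a script over the SOC's rule export and log-source inventory rather than read off a slide. The following is an added example written for this page, not tooling from the synthesis or from any of the frameworks it cites; the rule list, threat model and inventory are constructed, and the technique IDs (T1566, T1078, T1110, T1059, T1003, T1021, T1486, T1071) are real ATT&CK identifiers chosen arbitrarily for illustration. It counts a rule as coverage only when it is enabled and every log-source class it needs is onboarded, which is what separates a paper coverage matrix from an effective one and surfaces findings 1 to 3 below in one pass.

```python
"""Detection coverage audit against an ATT&CK-scoped threat model.

Added example for this page, not code from any framework or vendor. All data
below (rules, threat model, log-source inventory) is constructed; the ATT&CK
technique IDs are real identifiers, but their selection is hypothetical.
"""

# Log-source classes a SIEM is expected to correlate across.
SOURCE_CLASSES = ("identity", "network", "endpoint", "application")

# Constructed log-source inventory (what is actually onboarded to the SIEM).
# The application source is listed but not onboarded, mirroring the most
# common finding on the page.
LOG_SOURCES = [
    {"name": "idp-prod",         "class": "identity",    "onboarded": True},
    {"name": "fw-edge",          "class": "network",     "onboarded": True},
    {"name": "edr-agents",       "class": "endpoint",    "onboarded": True},
    {"name": "core-banking-app", "class": "application", "onboarded": False},
]

# Constructed threat model: ATT&CK technique IDs the organisation treats as in scope.
THREAT_MODEL = ["T1566", "T1078", "T1110", "T1059", "T1003", "T1021", "T1486"]

# Constructed detection rules. "needs" lists the log-source classes the rule
# must receive to fire; a rule whose sources are not onboarded cannot detect anything.
RULES = [
    {"name": "phish-attachment-exec", "technique": "T1566", "needs": ["endpoint"],                "enabled": True},
    {"name": "idp-password-spray",    "technique": "T1110", "needs": ["identity"],                "enabled": True},
    {"name": "lsass-handle-access",   "technique": "T1003", "needs": ["endpoint"],                "enabled": True},
    {"name": "encoded-powershell",    "technique": "T1059", "needs": ["endpoint"],                "enabled": False},
    {"name": "app-login-valid-acct",  "technique": "T1078", "needs": ["identity", "application"], "enabled": True},
    {"name": "dns-tunnel-beacon",     "technique": "T1071", "needs": ["network"],                 "enabled": True},
]


def onboarded_classes(sources):
    """Source classes with at least one onboarded feed."""
    return {s["class"] for s in sources if s["onboarded"]}


def missing_source_classes(sources):
    """Source classes the SIEM receives nothing from (auditor step 1)."""
    have = onboarded_classes(sources)
    return [c for c in SOURCE_CLASSES if c not in have]


def rule_is_effective(rule, sources):
    """A rule counts as coverage only if it is enabled and every source it needs is onboarded."""
    have = onboarded_classes(sources)
    return rule["enabled"] and all(c in have for c in rule["needs"])


def coverage_matrix(rules, threat_model, sources):
    """Technique -> names of effective rules. Rules for out-of-scope techniques are
    ignored here (they are not gaps, just not part of the threat-model matrix)."""
    matrix = {t: [] for t in threat_model}
    for r in rules:
        if r["technique"] in matrix and rule_is_effective(r, sources):
            matrix[r["technique"]].append(r["name"])
    return matrix


def coverage_gaps(rules, threat_model, sources):
    """In-scope techniques with no effective rule, each with the reason an auditor
    would write up (auditor step 2, common findings 1 to 3)."""
    have = onboarded_classes(sources)
    gaps = {}
    for t in threat_model:
        candidates = [r for r in rules if r["technique"] == t]
        if not candidates:
            gaps[t] = "no rule"
        elif not any(r["enabled"] for r in candidates):
            gaps[t] = "rule disabled"
        elif not any(rule_is_effective(r, sources) for r in candidates):
            missing = sorted({c for r in candidates if r["enabled"]
                              for c in r["needs"] if c not in have})
            gaps[t] = "log source not onboarded: " + ", ".join(missing)
    return gaps


def coverage_ratio(rules, threat_model, sources):
    """Fraction of in-scope techniques with at least one effective rule."""
    matrix = coverage_matrix(rules, threat_model, sources)
    covered = sum(1 for names in matrix.values() if names)
    return covered / len(threat_model)


if __name__ == "__main__":
    print("source classes with no onboarded feed:", missing_source_classes(LOG_SOURCES))
    for technique, names in coverage_matrix(RULES, THREAT_MODEL, LOG_SOURCES).items():
        print(f"{technique}: {names or '-'}")
    for technique, reason in coverage_gaps(RULES, THREAT_MODEL, LOG_SOURCES).items():
        print(f"GAP {technique}: {reason}")
    print(f"effective coverage: {coverage_ratio(RULES, THREAT_MODEL, LOG_SOURCES):.0%}")
```

On the constructed data the matrix shows three of seven in-scope techniques effectively covered: T1078 is backed by a rule that needs application logs nobody has onboarded, T1059's rule is disabled, and T1021 and T1486 have no rule at all. A rule for T1071 exists but is not in the threat model, so it is reported nowhere; that is deliberate, since the audit question is coverage of the threat model, not the size of the rule library.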

Common findings

Common 2024–26 findings:
(1) SIEM correlates network and endpoint logs but not identity provider or application logs, so identity-centred techniques are invisible to correlation.
(2) MITRE ATT&CK coverage matrix absent; rules are ad hoc and cannot be traced to the threat model.
(3) EDR deployed but behavioural rules left at vendor defaults, untuned to the organisation's threat model.
(4) Forensic retainer held with a firm that is not CERT-In empanelled, or whose empanelment has lapsed.
(5) Lessons learned recorded but not driving control improvements.
(6) CCI assessment performed annually but findings never closed.