
EDR Flagged a File as Suspicious, but SOC Took No Action
Tags: Cybersecurity, Threat Detection, Incident Response, Security Operations
A file was flagged as "suspicious" by the EDR, but nobody in the SOC (Tier 1, Tier 2, or IR) took action on it. The author asks whether this is normal and how other teams handle such "gray" files that fall between a clean verdict and a confirmed malicious one: reverse engineering them, detonating them in a sandbox, automating extraction of their behavior from sandbox output, or simply ignoring them.
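One common way to stop "suspicious" verdicts from dying in the queue is to automate the first pass: close the alert if the hash is already known-good, otherwise detonate the file and turn the sandbox report into a scored set of behaviors that decides whether a human needs to look. The following is an added example of that pipeline, not code from the original post or from any EDR or sandbox product. The report layout (`registry_writes`, `processes`, `network`, `files_written`), the behavior weights, the allowlisted hash and the sample reports are all constructed for illustration and would be replaced by the fields and thresholds of whichever sandbox and EDR a team actually runs.

```python
"""Hypothetical triage pipeline for EDR "gray" file alerts (added example).

Decision order:
  1. SHA-256 in the known-good allowlist   -> close the alert.
  2. No sandbox report yet                 -> route the file to the sandbox.
  3. Score behaviors extracted from report -> escalate / watch / close.
"""
import hashlib
from typing import Dict, List, Optional, Set

# Constructed allowlist: SHA-256 of files the team has already vetted (hypothetical).
KNOWN_GOOD_SHA256: Set[str] = {
    hashlib.sha256(b"MZ\x90\x00 vendor-signed updater stub").hexdigest(),
}

# Behaviors pulled from a sandbox report and their weights (illustrative values).
BEHAVIOR_WEIGHTS: Dict[str, int] = {
    "run_key_persistence": 4,          # write under ...\CurrentVersion\Run
    "scripting_child_from_office": 3,  # Office app spawning a script host
    "outbound_to_unlisted_domain": 2,  # network egress to a domain not on the corporate list
    "drops_executable_in_temp": 2,     # PE written into a Temp directory
}

CORPORATE_DOMAINS = {"update.corp.example", "intranet.corp.example"}  # hypothetical
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def extract_behaviors(report: dict) -> Set[str]:
    """Map raw sandbox observations onto the named behaviors above."""
    found: Set[str] = set()
    for key in report.get("registry_writes", []):
        if "\\currentversion\\run" in key.lower():
            found.add("run_key_persistence")
    for proc in report.get("processes", []):
        parent = proc.get("parent", "").lower()
        child = proc.get("image", "").lower()
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            found.add("scripting_child_from_office")
    for conn in report.get("network", []):
        if conn.get("domain", "").lower() not in CORPORATE_DOMAINS:
            found.add("outbound_to_unlisted_domain")
    for path in report.get("files_written", []):
        p = path.lower()
        if "\\temp\\" in p and p.endswith((".exe", ".dll")):
            found.add("drops_executable_in_temp")
    return found


def score(behaviors: Set[str]) -> int:
    return sum(BEHAVIOR_WEIGHTS[b] for b in behaviors)


def triage(file_bytes: bytes, sandbox_report: Optional[dict]) -> dict:
    """Return a disposition for one flagged file; every path yields a record, never silence."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    if digest in KNOWN_GOOD_SHA256:
        return {"sha256": digest, "disposition": "close_known_good", "score": 0, "behaviors": []}
    if sandbox_report is None:
        return {"sha256": digest, "disposition": "send_to_sandbox", "score": None, "behaviors": []}
    behaviors = extract_behaviors(sandbox_report)
    total = score(behaviors)
    if total >= 5:
        disposition = "escalate_tier2"
    elif total >= 2:
        disposition = "watch_and_hunt"
    else:
        disposition = "close_benign_with_note"
    return {"sha256": digest, "disposition": disposition, "score": total,
            "behaviors": sorted(behaviors)}


# Constructed sandbox reports standing in for real detonation output.
SAMPLE_MALICIOUS_REPORT = {
    "registry_writes": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"],
    "processes": [{"parent": "WINWORD.EXE", "image": "powershell.exe"}],
    "network": [{"domain": "cdn.example.invalid"}],
    "files_written": ["C:\\Users\\a\\AppData\\Local\\Temp\\x.exe"],
}
SAMPLE_BENIGN_REPORT = {
    "registry_writes": [],
    "processes": [{"parent": "explorer.exe", "image": "updater.exe"}],
    "network": [{"domain": "update.corp.example"}],
    "files_written": ["C:\\Program Files\\Vendor\\updater.log"],
}

if __name__ == "__main__":
    print(triage(b"MZ\x90\x00 vendor-signed updater stub", None))
    print(triage(b"unknown sample", None))
    print(triage(b"unknown sample", SAMPLE_MALICIOUS_REPORT))
    print(triage(b"unknown sample", SAMPLE_BENIGN_REPORT))
```

The point of the design is that no outcome is "nothing happened": a known-good hash closes the ticket with a reason, an unknown file is queued for detonation, and a sandboxed file gets a written disposition, so an untouched "suspicious" alert becomes a visible pipeline failure rather than the default state. Weights and thresholds should be tuned against the team's own false-positive history before anything is auto-closed.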