• SIEM Alert Validation: Monitor Jira/BlinkOps for alerts pertaining to: Identity issues, compromised passwords, impossible travel, travel to restricted countries, Superadmin creation in Okta, Admin created in SentinelOne, Google admin account activity (creation/deletion), Splunk data deletion, HoneyCred access in Keeper, and suspected malicious access by Okta, Google, and other systems.

• Investigation: Perform manual investigation (running searches in Splunk, SentinelOne, and Client apps) to confirm alert details, determine False Positive/True Positive status, and engage the on-call IR lead.

• Manual IR Escalation: Identify True Positive events and provide the IR team with a handoff summary including impacted users, systems, and IP information.