1) Reports of unusual system behavior.
2) Intrusion detection/prevention alerts.
3) Work experience as a security professional, with at least 2 years in a security operations center.
4) Experience with SIEM tools; thorough understanding of TCP/IP, networking concepts and internet protocols, especially HTTP, SMTP, DNS, and TLS.
5) Monitor what is happening in the cyber security industry, and on various newsfeeds/mailing lists regarding security threats and countermeasures.