SOC is mainly waiting for alerts and doing incident response (could include cyber threat attribution, forensics for in-house SOC, not those third party MSSPs).

If got alerts means busy, no alert means wait for shift to be over, that's pretty much the nature of shift work.