Posted 1mo ago

Sr Operation Mgmt Specialist

@ Lenovo
Singapore, Central Singapore, Singapore
Onsite, Full Time
Responsibilities: Alert triage, Investigation hunting, Playbook execution
Requirements Summary: Bachelor's degree in CS/IT/Cybersecurity; 2-3 years SIEM/security operations; certifications preferred; proficient in KQL, Microsoft Defender Stack, Azure; strong incident response and documentation skills.
Technical Tools Mentioned: Microsoft Sentinel, Kusto Query Language (KQL), Microsoft 365 Defender, Azure, Azure Logic Apps, ServiceNow
Job Description
Key Responsibilities
1. Alert Triage & Continuous Monitoring
Real-Time Surveillance: Maintain vigilant monitoring of the Microsoft Sentinel Incident queue to identify anomalies and potential security breaches.
Noise Reduction: Distinguish between benign environmental behaviour and malicious activity to reduce alert fatigue within the SOC.
Severity Assessment: Categorize and prioritize incidents based on business impact, asset criticality, and the MITRE ATT&CK framework.
2. Initial Investigation & Hunting
KQL Proficiency: Utilize Kusto Query Language (KQL) to perform deep-dive log analysis across the SecurityEvent, SigninLogs, and OfficeActivity tables.
Root Cause Analysis: Conduct forensic analysis to reconstruct timelines and validate the legitimacy of alerts.
Evidence Gathering: Correlate data across the Microsoft 365 Defender stack (Endpoint, Identity, Cloud Apps) to build a comprehensive picture of the threat actor's movements.
3. Playbook Execution & Containment
Automated Response: Execute Azure Logic App Playbooks to perform rapid containment actions, such as revoking AAD sessions or isolating compromised hosts.
Standard Operating Procedures (SOPs): Establish SOPs to ensure a consistent and compliant response to known threat vectors.
Manual Remediation: Perform manual intervention when automated flows are inapplicable, ensuring the "Time to Remediate" (TTR) is minimized.
4. Incident Documentation & Reporting
Audit Trail Management: Maintain meticulous, chronological records of all investigative steps and findings within the ITSM ticketing system (e.g., ServiceNow).
Technical Summaries: Draft clear, concise post-incident summaries detailing the scope of the impact and the steps taken for resolution.
Knowledge Base Contribution: Update internal wikis or "Runbooks" with new findings to improve the team's collective response capability.
5. Advanced Escalation & Collaboration
Structured Handoffs: Identify complex or high-severity true positives and escalate them using the SAR (Situation, Assessment, Recommendation) communication model.
Collaborative Hunting: Assist senior analysts and the security lead in threat hunting exercises by providing localized data and initial telemetry gathered during triage.
6. Health Checks & Platform Maintenance
Data Integrity Monitoring: Perform daily checks on Sentinel Data Connectors to ensure continuous log ingestion from Firewalls, Azure Activity, and O365.
Agent Health: Monitor the status of the Azure Monitor Agent (AMA) and Log Analytics workspace to identify and troubleshoot data gaps or silent connectors.
Workspace Optimization: Monitor ingestion volumes and alert the engineering team of unexpected spikes that may indicate misconfigured assets.
7. Core Technical Skills
SIEM Expertise: Minimum of 2–3 years of hands-on experience with Microsoft Sentinel, including workspace configuration, data connector management, and incident investigation.
KQL Proficiency: Advanced ability to write and optimize Kusto Query Language (KQL) for hunting, detection rules, and workbook visualization.
Microsoft 365 Defender Stack: Strong operational knowledge of the broader Defender suite (Defender for Endpoint, Identity, Office 365, and Cloud Apps).
Cloud Infrastructure: Familiarity with Azure Resources, including Virtual Machines, Storage Accounts, and Log Analytics Workspaces.
Automation: Experience triggering and troubleshooting Azure Logic Apps (Playbooks) for automated incident response.
8. Professional Experience
Onboarding & Engineering: Proven track record of onboarding diverse assets to Sentinel (Syslog, CEF, Azure Activity, and Third-party APIs).
Detection Engineering: Experience creating and tuning Analytics Rules to reduce false positives while maintaining high detection coverage.
Network Security: Understanding of TCP/IP, DNS, and HTTP/S, with the ability to interpret logs from Firewalls, Proxies, and WAFs.
9. Required Qualifications
Bachelor's degree in Computer Science, Information Technology, Cybersecurity, or a related discipline.
Professional certifications such as ECIH, GCIH, CISSP or CISM are preferred.
Microsoft certifications such as SC-200: Microsoft Security Operations Analyst Associate, AZ-500: Microsoft Azure Security Technologies, SC-300: Microsoft Identity and Access Administrator Associate would be advantageous.