Owner: Security Operations Centre (SOC) · SIEM: Microsoft Sentinel · Review Cycle: Quarterly
The Security Operations Centre (SOC) operates 24×7 and is responsible for monitoring, detecting, and triaging security events across all environments. The primary detection platform is Microsoft Sentinel (SIEM/SOAR), supported by Microsoft Defender XDR (XDR/EDR), Palo Alto Cortex (network), and Falco (container runtime).
| Layer | Tool | Coverage |
|---|---|---|
| Endpoint (EDR) | Microsoft Defender for Endpoint (MDE) | All Windows, macOS, Linux endpoints |
| Identity | Microsoft Defender for Identity | Entra ID, AD DS, lateral movement |
| Email & Collaboration | Microsoft Defender for Office 365 P2 | All M365 email, SharePoint, Teams |
| Cloud (CSPM/CWPP) | Microsoft Defender for Cloud | Azure, AWS (agentless + agent) |
| Network | Palo Alto Cortex XDR + PAN NGFW logs | North-south and DMZ traffic |
| Container Runtime | Falco | EKS and RKE2 pod activity |
| DNS | Cisco Umbrella | All DNS queries from endpoints |
| SIEM / SOAR | Microsoft Sentinel | Aggregation, correlation, automation |
| Threat Intel | Microsoft Sentinel TI + Recorded Future | IOC enrichment |
```text
Data Sources                          Microsoft Sentinel
────────────────                      ─────────────────────────────────────
MDE (endpoints)   ──────────────────► Log Analytics Workspace
Entra ID logs     ──────────────────► ├── Analytics Rules (KQL)
M365 Defender     ──────────────────► │   ├── Scheduled (detection)
Azure Activity    ──────────────────► │   ├── NRT (near-real-time)
AWS CloudTrail    ──────────────────► │   └── Fusion (ML correlation)
Palo Alto logs    ──────────────────► │
Cisco Umbrella    ──────────────────► ├── Incidents → Triage → SOC
Falco events      ──────────────────► │
Infoblox DDI      ──────────────────► ├── Automation (SOAR Playbooks)
Veeam B&R logs    ──────────────────► │       Azure Logic Apps
                                      └── Threat Intelligence
```
Log Retention: Hot tier (Sentinel) — 90 days. Cold tier (ADX / Azure Data Lake) — 13 months.
MITRE ATT&CK Mapping
Detection rules are mapped to the MITRE ATT&CK framework. Current coverage (self-assessed):
| Tactic | Coverage | Priority Rules |
|---|---|---|
| Initial Access | 🟡 Moderate | Phishing detection, external port scanning |
| Execution | 🟢 Good | Suspicious PowerShell, LOLBAS, macro execution |
| Persistence | 🟡 Moderate | Registry run keys, scheduled task creation |
| Privilege Escalation | 🟢 Good | UAC bypass, token manipulation, PIM abuse |
| Defence Evasion | 🟡 Moderate | Log clearing, binary padding, masquerading |
| Credential Access | 🟢 Good | LSASS dump, kerberoasting, password spray |
| Discovery | 🟡 Moderate | Network scanning, AD enumeration |
| Lateral Movement | 🟢 Good | Pass-the-hash, RDP from unusual source |
| Collection | 🟡 Moderate | Bulk download, email auto-forward |
| Exfiltration | 🟡 Moderate | Large data transfer, DNS tunnelling |
| Command & Control | 🟢 Good | Beaconing patterns, Tor, unusual outbound |
| Impact | 🟢 Good | Mass file encryption (ransomware indicators) |
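The Exfiltration row above lists DNS tunnelling among its priority rules (the Umbrella-fed "DNS Exfiltration Pattern (long queries)" rule later on this page). As an added illustration, not code from this SOC's Sentinel rules or from Cisco Umbrella, the Python below runs the usual heuristics over constructed query records: an over-long leftmost label, high character entropy in the part left of the registered domain, and one source hitting many distinct subdomains of the same domain. The log shape, the thresholds, and the "last two labels" base-domain rule are assumptions made for the example.

```python
"""Added example (not part of the SOC runbook): DNS-tunnelling heuristics over
constructed Umbrella-style query records."""
import math
from collections import defaultdict

# Tunable thresholds (assumptions for this example, not the production rule's values).
LONG_LABEL_LEN = 40          # leftmost label longer than this carries a payload, not a hostname
HIGH_ENTROPY_BITS = 3.5      # bits per character; hex/base32 payloads sit well above readable names
MIN_PAYLOAD_LEN = 16         # entropy is meaningless on very short strings
MIN_UNIQUE_SUBDOMAINS = 5    # one source resolving many distinct names under one domain

# Constructed sample in a simplified "timestamp,src_ip,qname" shape
# (an assumption, not the real Cisco Umbrella export schema).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z,10.0.4.15,www.example.com
2024-03-01T10:00:02Z,10.0.4.15,login.microsoftonline.com
2024-03-01T10:00:03Z,10.0.4.15,cdn.example.com
2024-03-01T10:00:04Z,10.0.4.15,api.example.com
2024-03-01T10:00:05Z,10.0.4.15,mail.example.com
2024-03-01T10:00:06Z,10.0.4.15,docs.example.com
2024-03-01T10:00:07Z,10.0.4.22,a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4.tunnel.example-test.net
2024-03-01T10:00:08Z,10.0.4.22,b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a1.tunnel.example-test.net
2024-03-01T10:00:09Z,10.0.4.22,c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a1b2.tunnel.example-test.net
2024-03-01T10:00:10Z,10.0.4.22,d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a1b2c3.tunnel.example-test.net
2024-03-01T10:00:11Z,10.0.4.22,e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a1b2c3d4.tunnel.example-test.net
2024-03-01T10:00:12Z,10.0.4.22,f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a1b2c3d4e5.tunnel.example-test.net
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty or single-symbol input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> list:
    """Split the constructed CSV-ish lines into dicts; names are normalised to lowercase."""
    records = []
    for line in text.strip().splitlines():
        ts, src, qname = line.split(",", 2)
        records.append({"ts": ts, "src": src, "qname": qname.rstrip(".").lower()})
    return records


def base_domain(qname: str) -> str:
    """Last two labels. Simplification: production code should use a public-suffix list."""
    return ".".join(qname.split(".")[-2:])


def query_indicators(qname: str) -> list:
    """Per-query indicators: 'long_label' and/or 'high_entropy' (empty list for benign names)."""
    labels = qname.split(".")
    payload = ".".join(labels[:-2])      # everything left of the base domain
    hits = []
    if len(labels[0]) > LONG_LABEL_LEN:
        hits.append("long_label")
    if len(payload) >= MIN_PAYLOAD_LEN and shannon_entropy(payload) > HIGH_ENTROPY_BITS:
        hits.append("high_entropy")
    return hits


def detect_dns_exfil(records, min_unique=MIN_UNIQUE_SUBDOMAINS) -> dict:
    """Alert per (source, base domain) when flagged queries AND subdomain fan-out both occur.

    Requiring both keeps a busy host that legitimately resolves many short names
    under one domain (CDNs, SaaS) from alerting on fan-out alone.
    """
    per_pair = defaultdict(lambda: {"subdomains": set(), "flagged": 0, "indicators": set()})
    for r in records:
        entry = per_pair[(r["src"], base_domain(r["qname"]))]
        entry["subdomains"].add(r["qname"])
        hits = query_indicators(r["qname"])
        if hits:
            entry["flagged"] += 1
            entry["indicators"].update(hits)
    alerts = {}
    for key, entry in per_pair.items():
        if entry["flagged"] >= 1 and len(entry["subdomains"]) >= min_unique:
            alerts[key] = {
                "unique_subdomains": len(entry["subdomains"]),
                "flagged_queries": entry["flagged"],
                "indicators": sorted(entry["indicators"]),
            }
    return alerts


if __name__ == "__main__":
    for (src, dom), detail in detect_dns_exfil(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {src} -> {dom}: {detail}")
```

On the sample, 10.0.4.15 resolves five distinct hosts under example.com but none carries a payload, so it stays quiet; 10.0.4.22 trips both the per-query indicators and the fan-out threshold and produces the single alert.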
| Severity | Definition | Response Time | Escalation |
|---|---|---|---|
| P1 — Critical | Active breach, ransomware, data exfiltration | 15 minutes | CISO + IR Lead immediately |
| P2 — High | Confirmed compromise indicator, account takeover | 1 hour | SOC Manager |
| P3 — Medium | Suspicious activity requiring investigation | 4 hours | Senior SOC Analyst |
| P4 — Low | Informational — potential indicator, low confidence | 24 hours | SOC Analyst |
| Tier | Role | Responsibility |
|---|---|---|
| L1 | SOC Analyst | Alert triage, initial classification, playbook execution |
| L2 | Senior SOC Analyst | Deep investigation, threat hunting, containment |
| L3 | DFIR / Threat Hunter | Incident response, forensics, red team liaison |
| MDR | Managed Detection & Response (partner) | Out-of-hours L1 coverage, overflow |
| Shift | Hours | Coverage |
|---|---|---|
| Day (in-house) | 07:00–19:00 local | L1, L2, L3 on-site |
| Night (MDR partner) | 19:00–07:00 local | MDR L1 + on-call L2 |
| Weekend | 00:00–24:00 | MDR L1 + on-call L2 |
| Rule Name | Source | Tactic | Severity |
|---|---|---|---|
| Impossible Travel — Entra Sign-in | Entra ID Logs | Initial Access | P2 |
| LSASS Memory Access (non-system) | MDE | Credential Access | P1 |
| Mass File Rename / Encryption | MDE | Impact (Ransomware) | P1 |
| New Admin Account Created (Entra) | Entra Audit | Persistence | P2 |
| DNS Exfiltration Pattern (long queries) | Umbrella | Exfiltration | P2 |
| Anomalous CloudTrail API calls | AWS CloudTrail | Exfiltration | P2 |
| Falco — Pod exec into container | Falco | Execution | P3 |
| Palo Alto — C2 category blocked | NGFW | C2 | P3 |
| Kerberoasting (SPNs — high volume) | Defender Identity | Credential Access | P2 |
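The first rule in the table, "Impossible Travel — Entra Sign-in", is the easiest to reason about on paper: two sign-ins by the same account whose geo-IP locations are further apart than the time between them could allow. As an added example, not the SOC's Sentinel analytics rule and not Microsoft code, the Python below implements that check over constructed sign-in records. The CSV shape (geo-IP already resolved to city and coordinates), the 1000 km/h speed ceiling, and the 50 km jitter floor are assumptions for the example; the real rule runs as KQL in Sentinel.

```python
"""Added example (not from the runbook): impossible-travel detection over constructed
Entra-style sign-in records."""
import math
from collections import defaultdict
from datetime import datetime

MAX_PLAUSIBLE_KMH = 1000.0   # assumption: roughly the ceiling of commercial air travel
MIN_DISTANCE_KM = 50.0       # assumption: ignore geo-IP jitter inside one metro area

# Constructed sample: user,timestamp,src_ip,city,lat,lon (geo-IP already resolved).
SAMPLE_SIGNINS = """\
alice,2024-03-01T09:00:00+00:00,203.0.113.10,London,51.5074,-0.1278
alice,2024-03-01T11:00:00+00:00,203.0.113.11,Manchester,53.4808,-2.2426
alice,2024-03-01T11:30:00+00:00,198.51.100.7,Sydney,-33.8688,151.2093
bob,2024-03-01T09:00:00+00:00,192.0.2.44,Frankfurt,50.1109,8.6821
bob,2024-03-01T09:05:00+00:00,192.0.2.45,Frankfurt,50.1109,8.6821
carol,2024-03-01T10:00:00+00:00,192.0.2.80,Paris,48.8566,2.3522
carol,2024-03-01T10:00:00+00:00,192.0.2.80,Paris,48.8566,2.3522
"""


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km on a 6371 km sphere."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_signins(text: str) -> list:
    """Turn the constructed CSV lines into dicts with a parsed, timezone-aware timestamp."""
    rows = []
    for line in text.strip().splitlines():
        user, ts, ip, city, lat, lon = line.split(",")
        rows.append({"user": user, "ts": datetime.fromisoformat(ts), "ip": ip,
                     "city": city, "lat": float(lat), "lon": float(lon)})
    return rows


def detect_impossible_travel(rows, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM) -> list:
    """Compare each user's consecutive sign-ins; alert when the implied speed is implausible."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])          # stable: equal timestamps keep input order
        for prev, cur in zip(events, events[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < min_km:
                continue                             # same metro area: geo-IP noise, not travel
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            # Identical timestamps with a real distance between them: speed is unbounded, so flag.
            speed = math.inf if hours <= 0 else dist / hours
            if speed > max_kmh:
                alerts.append({
                    "user": user,
                    "from_city": prev["city"], "from_ip": prev["ip"], "from_ts": prev["ts"],
                    "to_city": cur["city"], "to_ip": cur["ip"], "to_ts": cur["ts"],
                    "distance_km": round(dist, 1),
                    "required_kmh": None if speed == math.inf else round(speed, 1),
                })
    return alerts


if __name__ == "__main__":
    for a in detect_impossible_travel(parse_signins(SAMPLE_SIGNINS)):
        print(f"ALERT {a['user']}: {a['from_city']} -> {a['to_city']} "
              f"{a['distance_km']} km, needs {a['required_kmh']} km/h")
```

Alice's London-to-Manchester hop two hours apart (about 262 km, roughly 131 km/h) passes; her Manchester-to-Sydney hop thirty minutes later (about 17,000 km) is the one alert. Bob's two Frankfurt sign-ins and Carol's duplicate Paris record fall under the distance floor and are skipped before any speed is computed, which is what keeps the zero-interval case from dividing by zero.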
The SOC conducts proactive threat hunting on a monthly cadence, using hypotheses derived from:
Hunt reports are filed in SharePoint (Security > Threat Hunting > Reports) and reviewed by the CISO quarterly.
https://portal.azure.com → Sentinel workspace sec-sentinel-prod
https://app.recordedfuture.com (SSO via Entra ID)