Sr Operation Mgmt Specialist

Lenovo

Central Area, Singapore

Posted on Mar 25, 2026

General Information

Req #
WD00095865
Career area:
Information Technology
Country/Region:
Singapore
State:
Central Singapore
City:
SINGAPORE
Date:
Wednesday, March 25, 2026
Working time:
Full-time
Additional Locations:
* Singapore - Central Singapore - Singapore

Why Work at Lenovo

We are Lenovo. We do what we say. We own what we do. We WOW our customers.
Lenovo is a US$69 billion revenue global technology powerhouse, ranked #196 in the Fortune Global 500, and serving millions of customers every day in 180 markets. Focused on a bold vision to deliver Smarter Technology for All, Lenovo has built on its success as the world’s largest PC company with a full-stack portfolio of AI-enabled, AI-ready, and AI-optimized devices (PCs, workstations, smartphones, tablets), infrastructure (server, storage, edge, high performance computing and software defined infrastructure), software, solutions, and services. Lenovo’s continued investment in world-changing innovation is building a more equitable, trustworthy, and smarter future for everyone, everywhere. Lenovo is listed on the Hong Kong stock exchange under Lenovo Group Limited (HKSE: 992) (ADR: LNVGY).
This transformation together with Lenovo’s world-changing innovation is building a more inclusive, trustworthy, and smarter future for everyone, everywhere. To find out more visit www.lenovo.com, and read about the latest news via our StoryHub.

Description and Requirements

Key Responsibilities

1. Alert Triage & Continuous Monitoring

  • Real-Time Surveillance: Maintain vigilant monitoring of the Microsoft Sentinel incident queue to identify anomalies and potential security breaches.
  • Noise Reduction: Distinguish benign environmental behaviour from malicious activity to reduce alert fatigue within the SOC.
  • Severity Assessment: Categorize and prioritize incidents based on business impact, asset criticality, and the MITRE ATT&CK framework.

2. Initial Investigation & Hunting

  • KQL Proficiency: Use Kusto Query Language (KQL) to perform deep-dive log analysis across the SecurityEvent, SigninLogs, and OfficeActivity tables.
  • Root Cause Analysis: Conduct forensic analysis to reconstruct timelines and validate the legitimacy of alerts.
  • Evidence Gathering: Correlate data across the Microsoft 365 Defender stack (Endpoint, Identity, Cloud Apps) to build a comprehensive picture of the threat actor's movements.

3. Playbook Execution & Containment

  • Automated Response: Execute Azure Logic App playbooks to perform rapid containment actions, such as revoking AAD sessions or isolating compromised hosts.
  • Standard Operating Procedures (SOPs): Establish SOPs to ensure a consistent and compliant response to known threat vectors.
  • Manual Remediation: Perform manual intervention when automated flows are inapplicable, ensuring the "Time to Remediate" (TTR) is minimized.

4. Incident Documentation & Reporting

  • Audit Trail Management: Maintain meticulous, chronological records of all investigative steps and findings within the ITSM ticketing system (e.g., ServiceNow).
  • Technical Summaries: Draft clear, concise post-incident summaries detailing the scope of the impact and the steps taken for resolution.
  • Knowledge Base Contribution: Update internal wikis or "Runbooks" with new findings to improve the team's collective response capability.

5. Advanced Escalation & Collaboration

  • Structured Handoffs: Identify complex or high-severity true positives and escalate them using the SAR (Situation, Assessment, Recommendation) communication model.
  • Collaborative Hunting: Assist senior analysts and the security lead in threat hunting exercises by providing localized data and the initial telemetry gathered during triage.

6. Health Checks & Platform Maintenance

  • Data Integrity Monitoring: Perform daily checks on Sentinel Data Connectors to ensure continuous log ingestion from Firewalls, Azure Activity, and O365.
  • Agent Health: Monitor the status of the Azure Monitor Agent (AMA) and Log Analytics workspace to identify and troubleshoot data gaps or silent connectors.
  • Workspace Optimization: Monitor ingestion volumes and alert the engineering team of unexpected spikes that may indicate misconfigured assets.

7. Core Technical Skills

  • SIEM Expertise: Minimum of 2–3 years of hands-on experience with Microsoft Sentinel, including workspace configuration, data connector management, and incident investigation.
  • KQL Proficiency: Advanced ability to write and optimize Kusto Query Language (KQL) for hunting, detection rules, and workbook visualization.
  • Microsoft 365 Defender Stack: Strong operational knowledge of the broader Defender suite (Defender for Endpoint, Identity, Office 365, and Cloud Apps).
  • Cloud Infrastructure: Familiarity with Azure Resources, including Virtual Machines, Storage Accounts, and Log Analytics Workspaces.
  • Automation: Experience triggering and troubleshooting Azure Logic Apps (Playbooks) for automated incident response.

8. Professional Experience

  • Onboarding & Engineering: Proven track record of onboarding diverse assets to Sentinel (Syslog, CEF, Azure Activity, and Third-party APIs).
  • Detection Engineering: Experience creating and tuning Analytics Rules to reduce false positives while maintaining high detection coverage.
  • Network Security: Understanding of TCP/IP, DNS, and HTTP/S, with the ability to interpret logs from Firewalls, Proxies, and WAFs.

9. Required Qualifications

  • Bachelor’s degree in Computer Science, Information Technology, Cybersecurity, or a related discipline.
  • Professional certifications such as ECIH, GCIH, CISSP or CISM are preferred.
  • Microsoft certifications such as SC-200: Microsoft Security Operations Analyst Associate, AZ-500: Microsoft Azure Security Technologies, SC-300: Microsoft Identity and Access Administrator Associate would be advantageous.