Operational Tasks for Microsoft Sentinel

Dividing SOC Duties

Building a well-developed SOC requires multiple roles so that responsibilities are divided and everyone can focus on their specific tasks. A high-functioning SOC needs experts (SOC engineers) who know how to install and maintain the technology solutions required to run the SOC, and other experts (SOC analysts) who use those solutions to hunt for threats and respond to security incidents.

SOC Engineers

SOC engineers own Microsoft Sentinel's initial design and configuration, including connecting data sources, configuring any Threat Intelligence (TI) feeds, and securing access to the platform and the data within it.

Once the service is functional, SOC engineers look after ongoing improvements, create analytic rules for threat detection, and fine-tune the service so that it remains operationally efficient and cost-effective. They can then implement new features released by Microsoft to build automation and other improvements based on feedback from SOC analysts.

SOC Analysts

Their main focus is using the available tools and data to respond to alerts and to hunt for other threats that may not have been detected automatically. Their role relies on the regular development of new detection methods, the advancement and integration of machine learning algorithms, and the automation of threat responses so that SOC analysts can react quickly to new alerts.

SOC engineers create and maintain their own playbooks and define their standard operating procedures for identifying and responding to suspicious events and behaviors, so that SOC analysts can focus solely on threat detection.

Operational Tasks for SOC Engineers

Daily Tasks

  • Monitor the service health of all core components, such as the Azure platform, Azure AD for Identity and Access Management (IAM), and any data collection servers, to make sure dashboards are available and alerts are triggering as expected.
  • Review planned maintenance, service health, and availability monitoring for the Microsoft Azure platform.

Weekly Tasks

  • Review the Data connectors page for new or preview connectors and for updates to existing ones, and ensure that all enabled connectors are functioning correctly.
  • Review the Workbooks page for new workbook templates and updates, and ensure that existing workbooks are functioning properly.
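A quick way to back the "connectors are functioning correctly" check with data is to look for data types that were ingesting recently but have gone silent, which usually points to a broken or misconfigured connector. The following KQL is an added example, not code from the original post; it relies only on the Usage table that Log Analytics populates for every workspace. The 14-day lookback and 24-hour silence threshold are assumptions and should be tuned per data source, since some sources are bursty by nature.

```kusto
// Added example (not from the original post): report data types that have
// stopped ingesting. Usage is populated for every workspace and is cheap to
// query, so this avoids scanning the raw tables themselves.
// Assumptions: lookback = 14d, silence_threshold = 24h; tune per source.
let lookback = 14d;
let silence_threshold = 24h;
Usage
| where TimeGenerated > ago(lookback)
// deliberately NOT filtering on IsBillable: free tables such as AzureActivity
// are fed by connectors too and should be covered by the check
| summarize LastSeen = max(TimeGenerated), TotalMB = sum(Quantity) by DataType
| extend HoursSilent = datetime_diff('hour', now(), LastSeen)
| where LastSeen < ago(silence_threshold)
| project DataType, LastSeen, HoursSilent, TotalMB
| order by HoursSilent desc
```

Run it from the Logs blade or save it as a scheduled analytics rule so a silent connector raises an incident instead of waiting for the weekly review. A data type that has never ingested at all will not appear here, so the connector page review is still needed for newly enabled connectors.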

Monthly Tasks

  • Review data ingestion trends regularly to carry out a projected cost analysis, and adjust the pricing tier to reflect the most cost-effective option.
  • Validate the quality of the ingested logs and carry out noise-reduction tuning, especially after new data sources are introduced.
  • Run a scenario-mapping exercise with SOC analysts to identify additional detection and response requirements.
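The ingestion-trend review above is easier when the numbers come straight from the workspace. The following KQL is an added example, not code from the original post: it computes daily billable ingestion per data type over the last 30 days and a simple projection of monthly volume, which can then be compared against the commitment-tier thresholds in Azure pricing. The 30-day window and the average-based projection are assumptions; a workload with strong seasonality needs a longer baseline.

```kusto
// Added example (not from the original post): daily billable ingestion per
// data type and a straight-line monthly projection. Usage.Quantity is in MB,
// so dividing by 1024 yields GB.
// Assumptions: 30-day window; projection = average daily GB * 30.
let window = 30d;
Usage
| where TimeGenerated > ago(window)
| where IsBillable == true
| summarize DailyGB = sum(Quantity) / 1024 by DataType, bin(TimeGenerated, 1d)
// note: days on which a data type ingested nothing have no row, so the
// average is over active days only and slightly overstates quiet sources
| summarize AvgDailyGB = round(avg(DailyGB), 2),
            PeakDailyGB = round(max(DailyGB), 2),
            ProjectedMonthlyGB = round(avg(DailyGB) * 30, 2) by DataType
| order by ProjectedMonthlyGB desc
```

The per-DataType breakdown shows which sources drive cost, which is where the noise-reduction tuning in the next bullet should start; the sum of AvgDailyGB across rows is the figure to compare against a commitment tier.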

Ad Hoc Tasks

  • Review any changes made to the IT infrastructure, integrate extra log data to gain key insights, and configure automated responses for the relevant attack scenarios.
  • Review all Microsoft announcements of potential changes to the Microsoft Sentinel platform, along with third-party announcements (if any) for integrated services and solutions.
  • Update the Microsoft Sentinel architecture documentation to reflect the changes made.
  • Use external services offering advanced security practices, such as penetration testing and social engineering, to further test and train your SOC's abilities.

Operational Tasks for SOC Analysts

Daily Tasks

  • Regularly check the Incidents page to verify that every new incident is assigned to an owner and that all open or in-progress incidents are actively investigated until completion.
  • Go to the Hunting page and select Run all queries.

Weekly Tasks

  • Go to the Hunting page and review all created bookmarks to make sure they are still associated with an active incident. Delete the irrelevant ones to keep the list short.
  • Review TI feeds to make sure they are still active, and look for recommended new TI feeds appropriate for your industry and region.
  • Review all existing analytics rules, check the disabled ones, and decide whether they should be removed completely or re-enabled.

Monthly Tasks

  • Run a scenario-mapping exercise with the help of SOC engineers to determine additional detection and response requirements.
  • Review all Microsoft Sentinel workbooks to make sure they are relevant and running correctly.
  • Review the tag taxonomy.

Ad Hoc Tasks

  • Check the naming conventions created manually for various components; keeping track of naming conventions and other standards ensures easier communication across the team when handing over incidents for review.
  • Use external services offering advanced security practices, such as penetration testing, social engineering and purple team activities, to further test and train your SOC's abilities.