The cyber security threat landscape is evolving, and the threats that ordinary companies of all sizes must handle are getting more advanced every year. Even non-technical industries are looking into traditionally advanced security capabilities like XDR-based protection and SIEM solutions. With the cloud comes the ability for anyone to technically deploy a SOC function relatively easily. Microsoft provides a great SIEM service in the form of Microsoft Sentinel. But building a SOC is not so much about that technology as about the people running it and what they do on a daily basis. The key is to have great detection capabilities and response procedures.
I wanted to create something simple for someone new to Sentinel to start from: someone trying to deploy a Microsoft Sentinel based SOC. Microsoft has some guidelines here, and I've tried to organize them and add some of my own experiences and recommendations.
This is the Microsoft Sentinel SOC Activities cheat sheet, and its purpose is to give you a simple overview of some of the daily, weekly, and monthly tasks the SOC is expected to perform in Microsoft Sentinel.
Of course, this is not a complete list of everything a SOC needs to do, but it’s something to start with.
Daily tasks focus on investigating and responding to incidents, hunting results, and anomalies. This is of course the core function of the SOC, and this is where the action happens. However, to make sure that the right things are captured and investigated, the weekly and monthly tasks are just as important, or maybe even more so.
Weekly tasks focus on keeping the detection capabilities of Sentinel in good shape: make sure connectors are working, agents are running, rules and workbooks are up to date, etc. This is also where newly released analytics rules come into play. One might argue that this should be performed more often, but make sure you do it at least weekly. One great source of hunting queries is Microsoft Threat Analytics articles.
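A weekly check of the kind described above, as an added example that is not part of the original cheat sheet: one KQL query over the Log Analytics Usage and Heartbeat tables that lists tables which ingested data during the week but nothing in the last day, together with agents that have stopped sending heartbeats. The 7-day baseline and the 1-day silence window are assumptions; adjust them to your ingestion patterns.

```kusto
// Assumed windows: a 7-day baseline and a 1-day "silence" threshold.
let lookback = 7d;
let silence = 1d;
// Tables that had billable ingestion earlier in the week but none in the last day.
// Usage.Quantity is reported in MB per table (DataType) per hour.
let stalledTables = Usage
    | where TimeGenerated > ago(lookback)
    | where IsBillable == true
    | summarize
        BaselineMB = sumif(Quantity, TimeGenerated < ago(silence)),
        RecentMB   = sumif(Quantity, TimeGenerated >= ago(silence)),
        LastSeen   = max(TimeGenerated)
        by DataType
    | where BaselineMB > 0 and RecentMB == 0
    | project
        Finding = "Table stopped ingesting",
        Item    = DataType,
        LastSeen,
        Detail  = strcat(round(BaselineMB, 1), " MB ingested earlier in the window");
// Agents (Log Analytics agent / AMA) whose last heartbeat is older than the silence window.
let silentAgents = Heartbeat
    | where TimeGenerated > ago(lookback)
    | summarize LastSeen = max(TimeGenerated) by Computer, OSType
    | where LastSeen < ago(silence)
    | project
        Finding = "Agent stopped reporting",
        Item    = Computer,
        LastSeen,
        Detail  = OSType;
// One result set for the weekly review; oldest silence first.
union stalledTables, silentAgents
| order by Finding asc, LastSeen asc
```

Run it in the Sentinel Logs blade, or save it as a scheduled analytics rule so a silent data source raises an incident instead of waiting for the next weekly review.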
Monthly tasks focus on reviewing the overall performance of Sentinel: who has access to the sensitive data in Sentinel, how the Log Analytics workspace is doing, retention, cost, etc. It is also important to keep track of all the new features that Microsoft deploys in Sentinel. Microsoft provides a monthly summary of Sentinel updates, and it is also a good idea to keep track of the Microsoft Sentinel GitHub repo, where new Sentinel and Microsoft 365 Defender content is published.
I hope this cheat sheet is helpful for some of you who are new to Microsoft Sentinel, or for organisations that are looking into deploying a Microsoft Sentinel based SOC. I am also looking into extending this to other Microsoft security products and the different security signals in them that the SOC might be interested in. Stay tuned for that!
Please follow me here, on LinkedIn and on Twitter!