As with any service or solution, an ongoing maintenance routine is a critical process to ensure timely service improvements, maintain operational efficiency, control costs, and—most importantly—ensure the service remains highly effective in detecting and responding to security issues.
In general, Security Operations Center (SOC) operations are performed by two distinct roles: SOC engineers and SOC analysts. In a small organization, this may be a single person carrying out both roles; in larger organizations, these roles will span many teams and will be carried out by dedicated professionals. In this chapter, we will provide details of the daily, weekly, and monthly tasks required for each role, and any ad hoc tasks that should be carried out as required. You can use this list as a starting point for building your own tasks list to ensure optimal SOC operations.
The information in this chapter is meant to provide a starting point for your own planning and ongoing improvement, so you can carry out the necessary processes to produce a high-performing team and ensure a well-managed Microsoft Sentinel solution.
In this chapter, we will cover the following topics:
A well-developed SOC will be made up of multiple roles to divide up responsibilities and ensure that everyone can focus on their specific tasks. Depending on the size of the team, there could be many roles and many layers of management, leadership, and expertise, or it could be a smaller team in which two or three individuals carry out all the roles between them.
At a high level, the operation of an SOC will require experts that know how to install and maintain the technology solutions required to run the SOC (that is, SOC engineers) and another set of experts that are able to use the solutions to hunt for threats and respond to security incidents (that is, SOC analysts). These two roles work together to provide constant feedback on what works well and where improvements are required.
Let's review the primary differences between these two roles to understand the type of operational tasks they carry out. For detailed role guidance and permissions, please see this article: https://docs.microsoft.com/en-us/azure/sentinel/roles.
SOC engineers are responsible for the initial design and configuration of Microsoft Sentinel. Their role includes connecting data sources, setting retention policies, and configuring any threat intelligence (TI) feeds. The SOC engineer is also responsible for implementing and managing role-based access control (RBAC) to secure access to the platform and the data it contains (review Azure Active Directory (AD) as an additional research topic).
Once the service is operational, SOC engineers are then responsible for ensuring that data connectors remain healthy, providing ongoing improvements, creating analytic rules for threat detection, and fine-tuning the service to ensure it remains operationally cost-effective and efficient.
The SOC engineers will implement new features made available by Microsoft and develop automation functionalities and other improvements based on feedback from the SOC analysts and recommendations from the wider security community.
SOC analysts focus on using the tools and data available to respond to alerts and hunt for other threats that may not have been automatically detected.
This role relies on the continuous development of new detection methods, the advancement and integration of machine learning algorithms, and the automation of threat responses to ensure SOC analysts can react quickly to new alerts.
To ensure they can focus on threat detection, SOC analysts offload the tooling and rule configuration to SOC engineers, allowing the engineers to create and maintain their playbooks, and define their standard operating procedures for identifying and responding to suspicious events and behaviors.
In this section, we will provide an initial list of tasks that have been identified as engineering tasks. You can use this list as a starting point and then add your own tasks based on what works for your specific requirements. Each component that is added to the SOC architecture will have its own task requirements—for example, if you integrate a cloud access security broker (CASB) solution, you will need to carry out similar tasks within that platform to ensure it is well maintained and sending the appropriate information to Microsoft Sentinel.
A list of daily tasks for SOC engineers is as follows:
A. Ensure the data ingestion is consistent with the expected volume; if the volume drops below the average daily rate, it could be caused by a configuration error on the source that is preventing the data from being sent to Microsoft Sentinel. This should be investigated immediately to ensure no loss of security log data.
B. Ensure the total ingestion per day does not exceed the expected ingestion rates. There may be multiple reasons for an increased ingestion rate on a single day, such as a spike in the volume of threats or an increase in business activity (for example, higher sales or increased remote work). However, if the volume continues to increase day by day, there will be an impact on the expected budget for the costs, and this will need to be reviewed with the management teams.
There is a workbook available to assist with this monitoring: https://docs.microsoft.com/en-us/azure/sentinel/monitor-data-connector-health.
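The two ingestion checks above (a drop that may indicate a broken connector, and growth that may indicate a cost problem) can be run as a single query against the workspace's Usage table. This is an added example, not code from the book or from Microsoft's workbook; the 14-day window and the 50% drop / 130% growth thresholds are assumptions to be tuned against your own baseline.

```kql
// Added example (not from the book): compare yesterday's billable ingestion per
// data type with that type's trailing daily average and flag drops and growth.
// lookback, dropRatio and growthRatio are assumed values; tune to your baseline.
let lookback = 14d;
let dropRatio = 0.5;     // flag when yesterday < 50% of the baseline (possible broken connector)
let growthRatio = 1.3;   // flag when yesterday > 130% of the baseline (possible cost overrun)
let latestDay = startofday(now(), -1);   // most recent complete day (yesterday)
let daily = Usage
    | where TimeGenerated > ago(lookback)
    | where IsBillable == true
    | summarize DailyGB = sum(Quantity) / 1024.0 by DataType, Day = startofday(StartTime);
daily
| summarize BaselineGB = avgif(DailyGB, Day < latestDay),   // average of the earlier days
            LatestGB   = sumif(DailyGB, Day == latestDay)   // 0 if the type sent nothing yesterday
    by DataType
| extend Ratio = iff(BaselineGB > 0, round(LatestGB / BaselineGB, 2), real(null))
| extend Status = case(
    LatestGB == 0,       "NO DATA - check connector",
    Ratio < dropRatio,   "DROP - check connector",
    Ratio > growthRatio, "GROWTH - review cost",
                         "OK")
| where Status != "OK"
| project DataType, BaselineGB = round(BaselineGB, 2), LatestGB = round(LatestGB, 2), Ratio, Status
| order by Status asc, Ratio asc
```

A data type that reports GROWTH on several consecutive runs is the day-by-day increase described in item B; a one-off GROWTH row is usually a business or threat spike and is only worth escalating if it repeats.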
Monitor the service health of all core components, for example, the Azure platform, Azure AD for Identity and Access Management (IAM), and any data collection servers (syslog), ensuring dashboards are available and alerts are triggering as expected.
Do this using the following resources:
A. Publicly viewable information: https://status.azure.com/en-us/status
B. Signing in to your Azure portal and viewing specific details: https://portal.azure.com/#blade/Microsoft_Azure_Health/AzureHealthBrowseBlade/serviceIssues
A list of weekly tasks for SOC engineers is as follows:
A list of monthly tasks for SOC engineers is as follows:
A list of ad hoc tasks for SOC engineers is as follows:
In this section, we will provide an initial list of tasks that have been identified as operational requirements for SOC analysts. These tasks focus on the work required to create, maintain, and organize Microsoft Sentinel components to ensure operational efficiency.
A list of daily tasks for SOC analysts is as follows:
A. Review the results for each query that returns at least one result.
B. If any queries return a result of N/A, investigate why the results are not available (a query that runs correctly should return at least 0 as a result).
A list of weekly tasks for SOC analysts is as follows:
A. When possible, each analytic rule should be associated with an appropriate automated task to ensure notifications are sent, a case is raised in the ticketing system, or other runbooks are triggered to carry out remediation activities.
B. Work with SOC engineers to implement any changes to further automate detection and response capabilities.
C. Review tuning metrics to ensure analytic rules are not overly suppressed, which may cause important events to be missed. These metrics are as follows: rule period and frequency, rule threshold, and suppression.
A list of monthly tasks for SOC analysts is as follows:
A list of ad hoc tasks for SOC analysts is as follows:
While this is one of the shorter chapters in this book, it has covered the importance of the ongoing maintenance that will ensure SOC teams remain vigilant with respect to ongoing changes in the threat landscape and will also keep Microsoft Sentinel tuned for efficient and effective security operations.
In the final chapter of this book, we will introduce some resources you can use to continue gaining the knowledge required to implement and operate Microsoft Sentinel and its related solutions.
Review the following questions to test your knowledge of this subject: