SUMMARY:
Role Overview
The Microsoft Sentinel Specialist is accountable for the full lifecycle of Microsoft Sentinel as a cloud-native SIEM and SOAR platform, from architecture and onboarding through to detection engineering, incident response, automation, operational reporting, cost optimisation, and continual service improvement.
The role requires a practitioner who can operate across architecture, engineering and SOC operations. The successful candidate must be able to translate security monitoring requirements into Sentinel workspaces, data connectors, analytics rules, automation rules, Logic Apps playbooks, workbooks, hunting queries, incident workflows and operational processes that can be reused and scaled across multiple customers or business units.
POSITION INFO:
The role covers the end-to-end Sentinel service lifecycle, including:
- Sentinel architecture, workspace design and platform deployment
- Data connector onboarding, log ingestion, parsing and normalisation
- Detection engineering, analytics rules and MITRE ATT&CK-aligned use cases
- Incident triage, investigation, escalation and response coordination
- Threat hunting using KQL, behavioural analytics and threat intelligence
- SOAR automation using automation rules, Logic Apps playbooks and approval-based workflows
- SOC process design, runbooks, SOPs, service reporting and continuous improvement

Key Responsibilities:

Core Accountability
Own the technical design, implementation, operationalisation and continuous improvement of Microsoft Sentinel services, ensuring that the platform provides actionable visibility, reliable detections, efficient response workflows, controlled automation and clear service reporting.

SOC Build & Service Establishment
- Design and implement Microsoft Sentinel as the primary SIEM/SOAR platform for managed security operations.
- Define workspace architecture, subscription/resource group design, RBAC, retention, data residency, naming standards and deployment patterns.
- Establish the Sentinel landing zone, including Log Analytics workspaces, diagnostic settings, data collection rules, permissions and baseline configurations.
- Onboard telemetry from Microsoft Defender XDR, Microsoft Entra ID, Microsoft 365, Azure, on-premises infrastructure, firewalls, identity systems, endpoints, servers, network devices and supported third-party platforms.
- Define the SOC operating model, escalation paths, incident severity model, service catalogue, handover process and transition-to-operations approach.
- Create reusable Sentinel deployment artefacts, templates, runbooks and implementation standards that support repeatable delivery across multiple customers or environments.

Continuous Monitoring & Incident Response
- Monitor Sentinel incidents, alerts and correlated security signals across cloud, hybrid and third-party environments.
- Perform alert triage, incident validation, severity assessment, scoping, enrichment and escalation in line with defined SLAs.
- Investigate incidents using Sentinel, Microsoft Defender XDR, Entra ID logs, endpoint telemetry, cloud activity logs, network logs and relevant third-party sources.
- Document investigation timelines, affected entities, evidence, containment actions, business impact, root cause and recommended remediation steps.
- Coordinate response with SOC analysts, infrastructure teams, identity teams, endpoint teams, network teams, service desk, customer stakeholders and incident commanders.
- Support containment and remediation actions such as disabling accounts, revoking sessions, isolating endpoints, blocking indicators, raising change requests and creating ITSM tickets where approved.

Detection Engineering & Analytics
- Design, develop, test and maintain Sentinel analytics rules using KQL and Microsoft-provided content as a baseline.
- Create detection use cases aligned to business risk, threat scenarios, attacker behaviours and MITRE ATT&CK techniques.
- Tune detections to reduce false positives while preserving visibility into meaningful security events.
- Develop correlation logic across identity, endpoint, email, cloud, network and application telemetry.
- Maintain a detection backlog, use case catalogue, tuning log, rule lifecycle register and coverage matrix.
- Validate detections through simulation, test events, purple-team exercises, incident lessons learned and threat intelligence updates.

SOAR & Automation
- Design and implement Sentinel automation rules to streamline incident handling, tagging, assignment, enrichment and escalation.
- Build and maintain Logic Apps playbooks for enrichment, notification, ticket creation, containment and remediation workflows.
- Integrate Sentinel with ITSM, collaboration, identity, endpoint, firewall, vulnerability management and threat intelligence systems.
- Define approval-based automation controls for high-impact actions and auto-execution rules for low-risk repetitive tasks.
- Implement error handling, audit logging, retry logic and operational monitoring for automated workflows.
- Continuously improve SOC efficiency by automating repeatable analyst tasks and reducing manual investigation effort.

Threat Hunting & Proactive Security
- Conduct proactive threat hunting using advanced KQL queries, Sentinel hunting capabilities, Defender XDR signals, threat intelligence and behavioural analytics.
- Identify anomalous activity, emerging attack patterns, suspicious identity behaviour, lateral movement, persistence, exfiltration indicators and cloud control-plane abuse.
- Convert hunting findings into formal detections, analytics rules, watchlists, automation opportunities and customer recommendations.
- Maintain a hunting library mapped to high-risk scenarios and relevant MITRE ATT&CK tactics and techniques.
- Produce threat hunting summaries, findings, evidence, recommendations and service improvement actions.

SOC Operations & Service Management
- Define SOC processes for alert triage, incident classification, escalation, handover, closure, evidence capture and post-incident review.
- Develop and maintain runbooks, SOPs, knowledge articles, escalation matrices and service operating procedures.
- Track service metrics including alert volume, incident volume, MTTD, MTTA, MTTR, SLA adherence, false-positive rate, automation success rate and detection coverage.
- Prepare daily, weekly and monthly SOC reports for technical, operational and executive stakeholders.
- Participate in governance forums, service review meetings, operational risk reviews and customer security briefings.
- Drive continuous service improvement based on incident trends, recurring issues, automation opportunities and customer feedback.

Platform Engineering & Integration
- Configure and manage Sentinel data connectors, diagnostic settings, API-based integrations, CEF/Syslog ingestion, agent-based collection and Azure-native log sources.
- Design ingestion patterns for cloud, hybrid, on-premises and third-party security telemetry.
- Implement data normalisation and parsing standards, including ASIM-aligned approaches where appropriate.
- Create and maintain workbooks, dashboards and operational views for SOC analysts, service managers and executive stakeholders.
- Optimise ingestion, retention, archive, query performance and cost by reviewing data volume, table usage, noisy sources and value of telemetry.
- Support infrastructure-as-code and repeatable deployment practices where required, including templates, scripts and controlled change processes.

Governance, Compliance & Risk
- Maintain audit-ready documentation for Sentinel configuration, detection logic, automation workflows, access permissions and operational procedures.
- Ensure Sentinel operations align with customer security policies, ISO 27001-aligned controls, POPIA, GDPR and applicable regulatory or contractual requirements.
- Support audit evidence collection, control testing, incident reporting and management assurance activities.
- Apply least privilege, separation of duties, privileged access controls and controlled change management to Sentinel administration.
- Identify and document risks relating to blind spots, data gaps, unmanaged connectors, excessive ingestion cost, unsupported automation and weak escalation processes.

Documentation, Handover & Knowledge Transfer
- Produce high-quality technical and operational documentation for Sentinel architecture, connector onboarding, analytics rules, playbooks, incident workflows and support processes.
- Create handover packs for SOC analysts, service managers, customer teams and operational support functions.
- Train SOC analysts on triage logic, detection context, investigation steps, escalation criteria and playbook execution.
- Maintain a living knowledge base covering common incidents, investigation patterns, known false positives and remediation guidance.

Minimum Qualifications & Experience:

Experience
- Minimum 5+ years' experience in cybersecurity, SOC operations, security engineering, cloud security or incident response.
- Minimum 3+ years' hands-on experience with Microsoft Sentinel, including deployment, configuration, analytics rules, incidents, workbooks, automation and KQL.
- Proven experience designing, building or operating a 24x7 or managed SOC environment.
- Experience integrating security telemetry from Microsoft and non-Microsoft sources into a SIEM platform.
- Experience working in an MSSP, managed services, enterprise SOC or multi-customer security operations model is highly advantageous.

Technical Skills
- Microsoft Sentinel architecture, configuration and operations
- Advanced KQL for detection engineering, hunting, investigation and reporting
- Microsoft Defender XDR, Defender for Endpoint, Defender for Office 365, Defender for Identity and Defender for Cloud
- Microsoft Entra ID logs, identity security, conditional access and privileged access concepts
- Azure Monitor, Log Analytics, diagnostic settings, data collection rules and retention management
- Data connectors including Microsoft native connectors, CEF, Syslog, API-based sources and third-party security tools
- SOAR automation using automation rules, Azure Logic Apps and secure workflow design
- Workbooks, dashboards, reporting and operational visualisation
- ITSM integration, ticketing workflows and service management processes
- Scripting or automation experience using PowerShell, Python, ARM, Bicep, Terraform or similar tools is advantageous

Security Expertise
- Incident response lifecycle, evidence handling, containment, eradication and recovery concepts
- Threat hunting methodology and hypothesis-driven investigations
- MITRE ATT&CK framework and mapping of detections to tactics, techniques and procedures
- Threat intelligence ingestion, enrichment and operationalisation
- Cloud security monitoring for Azure and Microsoft 365 environments
- Security governance, risk management, compliance reporting and audit support

Education
Relevant degree, diploma or equivalent experience in Information Security, Computer Science, Information Technology, Cybersecurity, Cloud Engineering or a related discipline. Equivalent practical experience in enterprise SOC, managed security operations or Microsoft security engineering may be accepted in place of formal qualifications.

Preferred Certifications
- Microsoft Certified: Security Operations Analyst Associate (SC-200)
- Microsoft Certified: Azure Security Engineer Associate (AZ-500)
- Microsoft Certified: Cybersecurity Architect Expert (SC-100) (advantageous)
- Microsoft Certified: Azure Administrator Associate (AZ-104) (advantageous)
- CISSP, CISM, CEH, GCIH, GCIA, GMON or equivalent security operations certifications (advantageous)
- ITIL Foundation or service management certification (advantageous for managed services environments)

Key Competencies
- Strong analytical, investigative and problem-solving capability
- Ability to work under pressure during high-severity security incidents
- Strong written documentation and evidence presentation skills
- Ability to communicate technical findings to both engineers and executives
- Service-oriented mindset with strong awareness of SLAs, governance and customer outcomes
- Ability to balance security risk, operational impact, automation benefits and business continuity
- Continuous improvement mindset with focus on standardisation, reuse and scale

Success Measures (KPIs)
- Reduction in mean time to detect, acknowledge and respond to incidents
- Improved detection coverage against agreed threat scenarios and MITRE ATT&CK techniques
- Reduction in false positives and noisy alerts through effective tuning
- Increased automation coverage for repeatable enrichment, notification and containment activities
- SLA adherence for incident triage, escalation and reporting
- Completeness and quality of Sentinel onboarding, documentation and operational handover
- Improved SOC maturity, repeatability and standardisation across customers or business units
- Cost optimisation through effective ingestion, retention and data source management

Key Deliverables
- Sentinel architecture and design document
- Data source onboarding plan and connector register
- Analytics rule catalogue mapped to use cases and MITRE ATT&CK
- KQL hunting query library
- Automation rule and playbook catalogue
- SOC runbooks, SOPs and escalation matrix
- Incident response workflow and severity model
- Operational dashboards and workbooks
- Monthly SOC service report and continuous improvement register
- Transition-to-operations and knowledge transfer pack