Security Monitoring Analyst

Security Monitoring Analyst

Purpose of the Role

The role staffs the Network Operations Centre on a rotating shift pattern to deliver continuous service monitoring of availability, performance, capacity, and security signals across Active Directory, Entra ID, Microsoft 365, SharePoint, Power Platform, Microsoft Fabric, and Azure - for the services that require 24/7 coverage as defined in the technical scope. The post-holder triages incoming alerts, performs first-pass diagnostics, executes documented runbooks for known incident patterns, escalates to the relevant L2/L3 specialist within agreed timelines, opens communication bridges for P1 events, and ensures customer stakeholders are kept informed during major incidents. The role is the heartbeat of the SLA: it determines whether the contractual P1 1-hour response is met.

Requirements Key Technical Responsibilities Continuous Monitoring and Alert Triage

• Operate the monitoring console stack - Microsoft Sentinel, Azure Monitor, Microsoft Defender for Cloud, Microsoft 365 Admin Center service health, Defender XDR alerts, Log Analytics workbooks, and the integrated ITSM ticketing platform - for the duration of every shift.
• Monitor availability and performance of Active Directory domain controllers, DNS / DHCP / time service, ADFS, AAD Connect sync health, Entra ID sign-in service health, Exchange Online, SharePoint Online, Teams, OneDrive, Power Platform environments, Microsoft Fabric capacity, Azure VMs, storage, networking, and PaaS services.
• Triage incoming alerts within 5 minutes of generation, applying the documented severity matrix; classify alerts as actionable, suppressible, or false-positive, and record the rationale in the ticketing platform.
• Correlate alerts across multiple sources (Sentinel, Defender, Azure Monitor, M365 service health) to identify the underlying incident rather than reacting to individual symptoms.
• Acknowledge alerts and update tickets at the agreed cadence (every 60 minutes during P1; every 4 hours during P2) until handover or closure.

Incident Response and Runbook Execution

• Execute Tier 1 incident response runbooks for known and documented patterns: Conditional Access misconfiguration rollback, AAD Connect sync failure restart, expired application secret rotation, Defender alert containment, mailbox / Teams reset operations, SharePoint sharing link restoration, and Power Platform environment health checks.
• Initiate the major incident process for any P1 incident: page the duty L2/L3 specialist, open the Microsoft Teams incident bridge, notify the Service Delivery Manager and customer stakeholders per the agreed comms plan, and assume scribe duties on the bridge call.
• Maintain accurate incident timelines in the ticketing platform - every action, every status check, every communication - with timestamp and operator initials, suitable for post incident review and audit.
• Execute documented automated containment playbooks (Sentinel Logic Apps) for high confidence security events: disable risky users, force password reset, isolate device in Defender for Endpoint, block sender in Exchange Online.
• Hand over open incidents at shift change using the structured handover template (active incidents, watch items, scheduled changes, planned maintenance, expected escalations).

Service Request Fulfilment During Out of Hours Windows

• Fulfil pre approved standard service requests during out of hours windows where authorised - for example licence assignment for emergency onboarding, Teams meeting policy adjustments for live events, or pre approved Conditional Access exclusions - strictly within the documented standing change envelope.

Monitoring Hygiene and Improvement

• Participate in alert tuning to reduce false positive rate and alert fatigue: review noisy rules weekly, propose threshold or filter changes through change control, and validate post change.
• Maintain monitoring runbook accuracy: every time a runbook is executed, capture deviations and feed back to the engineering team for runbook updates.
• Contribute weekly to the Service Delivery Manager's service review with a shift summary report (alerts handled, incidents raised, false positive trends, runbook gaps).

Communication and Stakeholder Management

• Provide clear, factual, non speculative communication during incidents in line with the proposed SLA Communication Plan - initial notification within 15 minutes of P1 declaration, updates at 60 minute intervals, and a wrap up notification within 1 hour of resolution.
• Maintain the operational status page / Teams channel for customer stakeholders during major incidents.
• Comply strictly with EEA only data processing requirements: no customer data is to leave the EEA boundary at any point during incident handling, and no screenshots / logs are to be transmitted via non approved channels.

Mandatory Technical Skills

• Hands on experience operating Microsoft Sentinel and Azure Monitor in a production NOC / SOC: ingesting alerts, working incidents, executing playbooks, and authoring basic KQL queries.
• Working knowledge of the Microsoft 365 service health framework, Defender XDR alert lifecycle, and the Azure Service Health portal.
• Active Directory and Entra ID fundamentals - enough to triage authentication failures, replication issues, MFA / Conditional Access blocks, and PIM activations.
• Basic PowerShell and KQL - sufficient to run prepared queries, validate state, and capture evidence; not expected to author advanced detection content (that sits with the Security & Governance Specialist).
• ITIL v4 foundation - incident, problem, change and event management; understanding of priority matrix, SLA clocks, and major incident process.
• Strong written English for incident notes, comms, and handover; ability to write clearly and unambiguously under time pressure.

Desirable Technical Skills

• KQL beyond basics - ability to extend prepared hunting queries with new filters under L2 supervision.
• Familiarity with ServiceNow / Jira Service Management / Freshservice (or equivalent ITSM).
• Experience with Power BI service health dashboards and Microsoft 365 Usage Analytics.
• Exposure to Azure DevOps work item tracking and Microsoft Teams incident bridge management.
• Awareness of GDPR Article 33 personal data breach notification timelines and EEA data residency obligations.

Required Certifications

• Microsoft Certified: Security, Compliance, and Identity Fundamentals (SC 900) - mandatory.
• Microsoft Certified: Azure Fundamentals (AZ 900) - mandatory.
• Microsoft 365 Certified: Fundamentals (MS 900) - mandatory.
• Microsoft Certified: Security Operations Analyst Associate (SC 200) - preferred (mandatory within 12 months of starting).
• ITIL 4 Foundation - preferred.
• CompTIA Security+ or equivalent - desirable.