Cherrylabs

SOC Lead - Microsoft Sentinel (Security Operations Center)


Job Description

Role summary:

Lead the SOC team that monitors, detects, investigates, and responds to security threats using Microsoft Sentinel and integrated telemetry (Defender XDR, Entra ID/Azure AD, M365, EDR, network, and cloud sources).

Owns day-to-day operational readiness, detection tuning, playbook orchestration and automation, incident handling quality, and people management for a 24×7 Sentinel SOC.

Location:

Kozhikode (Calicut) Kerala.

Core responsibilities:

• Lead incident response for major security events: coordinate containment, evidence collection, root-cause analysis, remediation guidance, and post-incident reviews.

• Oversee Sentinel analytics, detection rule lifecycle, hunting content, notebooks, and KQL-based investigations to reduce false positives and improve mean time to detection.

• Manage and tune ingestion and parsers (data connectors, normalization, Fusion/analytics rules) and ensure log completeness from critical sources (Entra ID, M365, Defender, EDR, firewalls, proxies, cloud platforms).

• Develop, maintain, and improve incident response playbooks (SOAR/Logic Apps), runbooks, and standard operating procedures for triage and escalation.

• Lead and drive automation initiatives in the SOC to improve response and reduce the turnaround time (TAT) for an incident.

• Mentor, coach, and technically lead L1–L3 analysts: run shift handovers, quality reviews, training, and career development.

• Serve as the primary escalation point for complex investigations and as technical liaison with engineering, threat intelligence, vulnerability management, and client/stakeholder teams.

• Drive continuous improvement: run RCA and lessons-learned, reduce alert noise, optimize use cases, and track detection effectiveness.

• Ensure the SOC meets SLAs, reporting cadence, dashboards, and executive/status reporting for operations and incidents.

• Maintain situational awareness of the threat landscape and incorporate relevant threat intelligence into Sentinel content and hunting programs.

• Familiarity with open-source threat intelligence platforms such as MISP and their integration with other TI feeds.

Required qualifications:

• 5+ years in security operations or incident response, with at least 2 years leading SOC teams or shifts.

• Hands-on experience with Microsoft Sentinel: KQL, analytics rules, workbooks, playbooks (Logic Apps), data connectors, and threat hunting.

• Strong experience across Defender XDR, Entra ID/Azure AD signals, Microsoft 365 logging, EDR tooling, and network/security device telemetry.

• Deep incident response skills: triage, containment, forensic evidence collection, root-cause analysis, and remediation guidance.

• Solid scripting/querying skills (KQL mandatory; PowerShell, Python or similar desirable).

• Hands-on with SOAR/automation technologies and experience operationalizing playbooks.

• Excellent leadership, stakeholder communication, and client-facing skills; able to run post-incident briefings and executive summaries.

• Relevant certifications preferred: e.g., CISSP, CISM, Microsoft Security certifications (SC-200/SC-300), or GIAC incident response certs.

Preferred experience:

• Prior work in a managed SOC or MSSP environment, delivering 24×7 services to clients.

• Experience with detection engineering, building Sigma rules or translating detections into Sentinel analytics.

• Knowledge of compliance frameworks (NIST, ISO 27001, PCI-DSS) and experience mapping SOC processes to controls.

Ownership, metrics, and KPIs:

• Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) for incidents; percentage of incidents resolved within SLA.

• False positive rate, analyst closure rate, and detection coverage (critical use cases implemented).

• Analyst QA score (quality of investigations), training hours per analyst, and shift coverage adherence.

• Number of tuned/retired analytics, playbooks implemented, and successful tabletop/incident response exercises.

Shift, escalation, and on-call expectations:

• The lead should support 24×7 SOC operations through shift leadership and a structured on-call rotation; available for high-severity incidents and executive briefings.

• Act as technical escalation point for L2/L3 cases and coordinate with external IR or client teams when needed.

Deliverables and artifacts:

• Sentinel analytics catalogue, playbook library, workbooks/dashboard suite, runbooks, and post-incident reports.

• Monthly/quarterly performance reports for the client.

• Quarterly detection roadmap, SOC staffing plan, and incident trend reports for stakeholders.


Job ID: 147498277