01 What SOC Monitoring Actually Means
A Security Operations Centre (SOC) is a team that monitors an organisation's security posture continuously, detecting threats, investigating alerts, and responding to incidents. For large enterprises, this is a dedicated team of security analysts. For SMBs, it means having access to continuous monitoring without the overhead of a full internal team.
Most SMBs don't need a full internal SOC. They need SOC outcomes: threats detected before damage occurs, incidents responded to quickly, and a clear picture of their security posture.
02 SIEM: Microsoft Sentinel
Microsoft Sentinel is Microsoft's cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) platform. It collects security signals from across your Microsoft 365 environment and applies analytics rules to detect threats.
What Sentinel ingests
- Microsoft 365 sign-in and audit logs
- Microsoft Defender endpoint alerts
- Azure activity logs
- Firewall and network device logs (via connectors)
- Third-party security product alerts
What it produces
- Security incidents with automated triage
- Alert correlation: linking related events into a single incident
- Threat intelligence correlation: matching activity against known attack indicators
- Automated response playbooks: isolate device, reset password, block IP
04 Alert Fatigue, and How to Avoid It
SIEM deployments often produce thousands of alerts. Without tuning, alert fatigue sets in: analysts stop investigating because most alerts are false positives.
- Start with high-fidelity rules only: a small number of rules that produce reliable, actionable alerts
- Tune rules based on your environment: baseline normal activity, suppress expected alerts
- Use SOAR for tier-1 response: automate the routine (block, isolate, reset) on clear indicators
- Prioritise incidents over alerts: Sentinel correlates related alerts into incidents, reducing noise
A well-tuned SIEM produces 5–10 actionable incidents per week for a 50-person organisation. An untuned SIEM produces 500 alerts per day and gets ignored.
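As an added illustration (not part of this page or of De4sec's own rule set), here is a Sentinel analytics rule in KQL that applies the principles above: it suppresses a baselined set of known office egress IPs, and instead of raising one alert per failed sign-in it summarises all activity from a source IP into a single row, so one incident is created per suspected password-spray source. The egress IP, the 1-hour lookback and the thresholds are assumptions to be tuned for your environment.

```kql
// Added example: password-spray style detection over Entra ID sign-in logs.
// Schema used is the standard SigninLogs table (ResultType "0" = success).
let lookback = 1h;
// Assumption: your organisation's known egress IPs, suppressed as baseline.
let known_egress = dynamic(["203.0.113.10"]);
SigninLogs
| where TimeGenerated > ago(lookback)
| where IPAddress !in (known_egress)
// Correlate every sign-in attempt from one source into a single row,
// so analysts receive one incident per source rather than one alert per failure.
| summarize
    Failed        = countif(ResultType != "0"),
    Succeeded     = countif(ResultType == "0"),
    DistinctUsers = dcount(UserPrincipalName),
    Users         = make_set(UserPrincipalName, 20),
    Apps          = make_set(AppDisplayName, 10),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
  by IPAddress
// High-fidelity condition (thresholds are assumptions, tune to your baseline):
// many distinct accounts failing from one IP, with at least one success,
// is the pattern worth an immediate tier-1 response (block IP, reset password).
| where DistinctUsers >= 10 and Failed >= 20 and Succeeded >= 1
| project FirstSeen, LastSeen, IPAddress, DistinctUsers, Failed, Succeeded, Users, Apps
```

Scheduling this as an analytics rule every hour over the same lookback, with IPAddress mapped to the IP entity, lets Sentinel group repeat hits from the same source into one incident rather than separate alerts.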
05 24/7 Monitoring vs. Business Hours
Attackers don't keep business hours. Ransomware is frequently deployed between midnight and 6am, when there's no one watching and maximum damage can be done before detection.
| Coverage Model | Detection Window | De4sec Offering |
|---|---|---|
| Business hours only | 8am–6pm, Mon–Fri | Basic monitoring package |
| 24/5 | 24 hours Mon–Fri | Standard managed security |
| 24/7/365 | All hours including weekends | Premium managed security |
For most SMBs, 24/5 monitoring with after-hours alerts for critical incidents (ransomware, account compromise) provides 95% of the benefit of 24/7 coverage at lower cost.
SIEM Deployment
Microsoft Sentinel configured for your environment. Connectors, analytics rules, incident configuration.
Managed Monitoring
Security analyst review of incidents. Critical incidents escalated immediately. Weekly security summary report.
Threat Hunting
Proactive search for threats that didn't trigger automated alerts: review of historical logs for indicators of compromise.
Incident Response
When a real incident is identified, De4sec responds: contain, investigate, remediate, report.