{"id":32453,"date":"2019-12-23T17:00:57","date_gmt":"2019-12-23T17:00:57","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=90403"},"modified":"2019-12-23T17:00:57","modified_gmt":"2019-12-23T17:00:57","slug":"ciso-series-lessons-learned-from-the-microsoft-soc-part-3b-a-day-in-the-life","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/ciso-series-lessons-learned-from-the-microsoft-soc-part-3b-a-day-in-the-life\/","title":{"rendered":"CISO series: Lessons learned from the Microsoft SOC\u2014Part 3b: A day in the life"},"content":{"rendered":"<p>The <a href=\"https:\/\/www.microsoft.com\/security\/blog\/tag\/lessons-learned\/\" target=\"_blank\" rel=\"noopener noreferrer\">Lessons learned from the Microsoft SOC<\/a> blog series is designed to share our approach and experience with security operations center (SOC) operations. We share strategies and learnings from our SOC, which protects Microsoft, and our Detection and Response Team (DART), who helps our customers address security incidents. For a visual depiction of our SOC philosophy, <a href=\"https:\/\/aka.ms\/minutesmatter\" target=\"_blank\" rel=\"noopener noreferrer\">download our Minutes Matter poster<\/a>.<\/p>\n<p>For the next two installments in the series, we\u2019ll take you on a virtual shadow session of a SOC analyst, so you can see how we use security technology. You\u2019ll get to virtually experience a day in the life of these professionals and see how Microsoft security tools support the processes and metrics we discussed earlier. We\u2019ll primarily focus on the experience of the Investigation team (Tier 2) as the Triage team (Tier 1) is a streamlined subset of this process. 
Threat hunting will be covered separately.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/12\/Lessons-learned-from-the-Microsoft-SOC-Part-3b-A-Day-in-the-Life-1.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-90404 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/12\/Lessons-learned-from-the-Microsoft-SOC-Part-3b-A-Day-in-the-Life-1.jpg\" alt=\"Image of security workers in an office.\" width=\"1429\" height=\"985\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/12\/Lessons-learned-from-the-Microsoft-SOC-Part-3b-A-Day-in-the-Life-1.jpg 1429w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/12\/Lessons-learned-from-the-Microsoft-SOC-Part-3b-A-Day-in-the-Life-1-300x207.jpg 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/12\/Lessons-learned-from-the-Microsoft-SOC-Part-3b-A-Day-in-the-Life-1-768x529.jpg 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/12\/Lessons-learned-from-the-Microsoft-SOC-Part-3b-A-Day-in-the-Life-1-1024x706.jpg 1024w\" sizes=\"auto, (max-width: 1429px) 100vw, 1429px\"><\/a><\/p>\n<h3>General impressions<\/h3>\n<p>Newcomers to the facility often remark on how calm and quiet our SOC physical space is. It looks and sounds like a \u201cnormal\u201d office with people going about their job in a calm professional manner. This is in sharp contrast to the dramatic moments in TV shows that use operations centers to build tension\/drama in a noisy space.<\/p>\n<h3>Nature doesn\u2019t have edges<\/h3>\n<p>We have learned that the real world is often \u201cmessy\u201d and unpredictable, and the SOC tends to reflect that reality. 
What comes into the SOC doesn\u2019t always fit into the nice neat boxes, but a lot of it follows predictable patterns that have been forged into standard processes, automation, and (in many cases) features of Microsoft tooling.<\/p>\n<h3>Routine front door incidents<\/h3>\n<p>The most common attack patterns we see are phishing and stolen credentials attacks (or minor variations on them):<\/p>\n<ul>\n<li>Phishing email \u2192 Host infection \u2192 Identity pivot:<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/12\/Lessons-learned-from-the-Microsoft-SOC-Part-3b-A-Day-in-the-Life-2.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-90405 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/12\/Lessons-learned-from-the-Microsoft-SOC-Part-3b-A-Day-in-the-Life-2.png\" alt=\"Infographic indicating: Phishing email, Host infection, and Identity pivot\" width=\"381\" height=\"280\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/12\/Lessons-learned-from-the-Microsoft-SOC-Part-3b-A-Day-in-the-Life-2.png 381w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/12\/Lessons-learned-from-the-Microsoft-SOC-Part-3b-A-Day-in-the-Life-2-300x220.png 300w\" sizes=\"auto, (max-width: 381px) 100vw, 381px\"><\/a><\/p>\n<ul>\n<li>Stolen credentials \u2192 Identity pivot \u2192 Host infection:<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/12\/Lessons-learned-from-the-Microsoft-SOC-Part-3b-A-Day-in-the-Life-3.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-90406 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/12\/Lessons-learned-from-the-Microsoft-SOC-Part-3b-A-Day-in-the-Life-3.png\" alt=\"Infographic indicating: 
Stolen credentials, Identity pivot, and Host infection\" width=\"379\" height=\"278\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/12\/Lessons-learned-from-the-Microsoft-SOC-Part-3b-A-Day-in-the-Life-3.png 379w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/12\/Lessons-learned-from-the-Microsoft-SOC-Part-3b-A-Day-in-the-Life-3-300x220.png 300w\" sizes=\"auto, (max-width: 379px) 100vw, 379px\"><\/a><\/p>\n<p>While these aren\u2019t the only ways attackers gain access to organizations, they are the most prevalent, and the ones most attackers have mastered. Just as martial artists start by mastering basic blocks, punches, and kicks, SOC analysts and teams must build a strong foundation by learning to respond rapidly to these common attack methods.<\/p>\n<p>As we mentioned <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/06\/06\/lessons-learned-from-the-microsoft-soc-part-2b-career-paths-and-readiness\/\" target=\"_blank\" rel=\"noopener noreferrer\">earlier in the series<\/a>, network-based detection has not been our primary method of detecting an attack for over two years. We attribute this primarily to investments that let us detect and remediate attacks earlier with host, email, and identity detections. There are also fundamental challenges with network-based detections (they are noisy and have limited native context for separating true from 
false positives).<\/p>\n<h3>Analyst investigation process<\/h3>\n<p>Once an analyst settles into the analyst pod on the watch floor for their shift, they start checking the queue of our case management system for incidents (not unlike the way phone support or help desk analysts work).<\/p>\n<p>While anything might show up in the queue, the process for investigating common front door incidents includes:<\/p>\n<ol>\n<li><strong>Alert appears in the queue<\/strong>\u2014After a threat detection tool detects a likely attack, an incident is automatically created in our case management system. The Mean Time to Acknowledge (MTTA) measurement of SOC responsiveness begins with this timestamp. See <a href=\"http:\/\/aka.ms\/ITSOC\" target=\"_blank\" rel=\"noopener noreferrer\">Part 1: Organization<\/a> for more information on key SOC metrics.<\/li>\n<\/ol>\n<blockquote>\n<p><strong>Basic threat hunting helps keep a queue clean and tidy<\/strong><\/p>\n<p>Require a 90 percent true positive rate for alert sources (e.g., detection tools and types) before allowing them to generate incidents in the analyst queue. This quality requirement reduces the volume of false positive alerts, which otherwise lead to frustration and wasted time. To implement it, you need to measure the true positive rate of each alert source against analyst verdicts on closed cases, refine the sources that fall short, and create a basic threat hunting process. A basic threat hunting process leverages experienced analysts to comb through alert sources that don\u2019t meet this quality bar to identify interesting alerts that are worth investigating. This review (without requiring full investigation of each one) helps ensure that real incident detections are not lost in the high volume of noisy alerts. 
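<\/p>\n<\/blockquote>\n<p>The 90 percent quality bar and the MTTA and MTTR timestamps above are straightforward to turn into a standing report. The Python below is an added example for this page, not code from the Microsoft SOC or from Microsoft tooling: the case record fields, the TP and FP verdict labels, the inclusive 90 percent threshold, and the sample cases are all constructed assumptions. It computes the true positive rate of each alert source from closed cases, routes sources at or above the bar to the analyst queue and the rest to basic threat hunting review, and reports MTTA (incident creation to analyst ownership) and MTTR (ownership to remediation, over true positives only).<\/p>\n

```python
# Added example for this page (not code from the Microsoft SOC): gate alert
# sources on their true positive rate and compute MTTA/MTTR from case timestamps.
# The case fields, the 'TP'/'FP' verdict labels and the sample cases below
# are constructed assumptions; a real case management export has its own schema.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

QUALITY_BAR = 0.90  # share of true positives a source needs to feed the queue

# Constructed closed cases: (source, verdict, alert_created, minutes_to_ack, minutes_to_remediate)
# Offsets are minutes after alert_created. False positives are closed, not remediated (None).
CASES = [
    ('edr',      'TP', '2019-12-23T08:02:00',  4,  55),
    ('edr',      'TP', '2019-12-23T09:10:00',  6,  80),
    ('edr',      'TP', '2019-12-23T11:30:00',  3,  40),
    ('email',    'TP', '2019-12-23T08:20:00', 10, 120),
    ('email',    'TP', '2019-12-23T10:00:00',  8,  90),
    ('email',    'TP', '2019-12-23T13:15:00',  7,  70),
    ('identity', 'TP', '2019-12-23T09:45:00',  9,  95),
    ('identity', 'FP', '2019-12-23T12:05:00', 11, None),
    ('identity', 'TP', '2019-12-23T15:20:00',  6,  60),
    ('network',  'FP', '2019-12-23T08:50:00', 15, None),
    ('network',  'FP', '2019-12-23T11:05:00', 20, None),
    ('network',  'TP', '2019-12-23T14:40:00', 14, 150),
    ('network',  'FP', '2019-12-23T16:10:00', 18, None),
]


def parse_cases(rows):
    '''Turn the raw tuples into dicts with absolute timestamps.'''
    cases = []
    for source, verdict, created, ack_min, rem_min in rows:
        created_at = datetime.fromisoformat(created)
        cases.append({
            'source': source,
            'verdict': verdict,
            'created': created_at,
            'acknowledged': created_at + timedelta(minutes=ack_min),
            'remediated': None if rem_min is None else created_at + timedelta(minutes=rem_min),
        })
    return cases


def true_positive_rate_by_source(cases):
    '''Fraction of closed cases per source that analysts confirmed as real.'''
    totals = defaultdict(int)
    confirmed = defaultdict(int)
    for case in cases:
        totals[case['source']] += 1
        if case['verdict'] == 'TP':
            confirmed[case['source']] += 1
    return {source: confirmed[source] / totals[source] for source in totals}


def route_sources(cases, threshold=QUALITY_BAR):
    '''Sources at or above the bar may create queue incidents; the rest are
    reviewed by experienced analysts in the basic threat hunting process.'''
    rates = true_positive_rate_by_source(cases)
    queue = sorted(source for source, rate in rates.items() if rate >= threshold)
    hunting = sorted(source for source in rates if source not in queue)
    return {'queue': queue, 'hunting_review': hunting}


def mtta_minutes(cases):
    '''Mean Time to Acknowledge: incident creation to analyst ownership.'''
    return mean((c['acknowledged'] - c['created']).total_seconds() / 60 for c in cases)


def mttr_minutes(cases):
    '''Mean Time to Remediate: ownership to remediation. Assumption: measured
    over true positives only, since false positives are closed, not remediated.'''
    done = [c for c in cases if c['remediated'] is not None]
    return mean((c['remediated'] - c['acknowledged']).total_seconds() / 60 for c in done)


if __name__ == '__main__':
    cases = parse_cases(CASES)
    for source, rate in sorted(true_positive_rate_by_source(cases).items()):
        print(f'{source:10s} true positive rate {rate:.0%}')
    routing = route_sources(cases)
    print('queue sources:          ', routing['queue'])
    print('hunting review sources: ', routing['hunting_review'])
    print(f'MTTA {mtta_minutes(cases):.1f} min, MTTR {mttr_minutes(cases):.1f} min')
```

\n<p>Run it over a nightly export of closed cases; the two lists it prints are the sources allowed to create incidents and the sources whose alerts an experienced analyst should comb through instead. Sources with only a handful of closed cases will have noisy rates, so requiring a minimum case count before trusting a rate is a sensible addition.<\/p>\n<blockquote>\n<p>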
This review can be a simple part-time process, but it does require skilled analysts who can apply their experience to the task.<\/p>\n<\/blockquote>\n<ol start=\"2\">\n<li><strong>Own and orient<\/strong>\u2014The analyst on shift begins by taking ownership of the case and reading through the information available in the case management tool. This timestamp ends the MTTA measurement and starts the Mean Time to Remediate (MTTR) measurement.<\/li>\n<\/ol>\n<blockquote>\n<p><strong>Experience matters<\/strong><\/p>\n<p>A SOC is dependent on the knowledge, skills, and expertise of the analysts on the team. The attack operators and malware authors you defend against are often adaptable and skilled humans, so no prescriptive textbook or playbook on response will stay current for very long. We work hard to take good care of our people\u2014giving them time to decompress and learn, recruiting them from diverse backgrounds that can bring fresh perspectives, and creating a career path and shadowing programs that encourage them to learn and grow.<\/p>\n<\/blockquote>\n<ol start=\"3\">\n<li><strong>Check out the host<\/strong>\u2014Typically, the first priority is to identify affected endpoints so analysts can rapidly get deep insight. Our SOC relies on the Endpoint Detection and Response (EDR) functionality in <a href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-365\/windows\/microsoft-defender-atp\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft Defender Advanced Threat Protection (ATP)<\/a> for this.<\/li>\n<\/ol>\n<blockquote>\n<p><strong>Why endpoint is important<\/strong><\/p>\n<p>Our analysts have a strong preference to start with the endpoint because:<\/p>\n<ul>\n<li>Endpoints are involved in most attacks\u2014Malware on an endpoint is the primary delivery vehicle of most commodity attacks, and most attack operators still rely on malware on at least one endpoint to achieve their objective. 
We\u2019ve also found that EDR capabilities detect advanced attackers that are \u201cliving off the land\u201d (using tools already deployed by the enterprise to move through the environment). The EDR functionality in Microsoft Defender ATP provides a baseline of normal behavior against which unusual command lines and process creation events stand out.<\/li>\n<li>Endpoint offers powerful insights\u2014Malware and its behavior on the endpoint (whether automated or hands-on-keyboard actions) often provide rich, detailed insight into the attacker\u2019s identity, skills, capabilities, and intentions, so it\u2019s a key element that our analysts always check for.<\/li>\n<\/ul>\n<p>Identifying the affected endpoints is straightforward for alerts raised by the Microsoft Defender ATP EDR, but may take a few pivots for an email- or identity-sourced alert, which makes integration between these tools crucial.<\/p>\n<\/blockquote>\n<ol start=\"4\">\n<li><strong>Scope out and fill in the timeline<\/strong>\u2014The analyst then builds a full picture and timeline of the related chain of events that led to the alert (which may be an adversary\u2019s attack operation or a false positive) by following leads from the first host alert. The analyst travels along the timeline:<\/li>\n<\/ol>\n<ul>\n<li><strong>Backward in time<\/strong>\u2014Track backward to identify the entry point in the environment.<\/li>\n<li><strong>Forward in time<\/strong>\u2014Follow leads to any devices\/assets an attacker may have accessed (or attempted to access).<\/li>\n<\/ul>\n<p>Our analysts typically build this picture using the <a href=\"https:\/\/attack.mitre.org\/\" target=\"_blank\" rel=\"noopener noreferrer\">MITRE ATT&amp;CK\u2122<\/a> model (though some also adhere to the classic <a href=\"https:\/\/www.lockheedmartin.com\/en-us\/capabilities\/cyber\/cyber-kill-chain.html\" target=\"_blank\" rel=\"noopener noreferrer\">Lockheed Martin Cyber Kill Chain<sup>\u00ae<\/sup><\/a>).<\/p>\n<h3>True or false? 
Art or science?<\/h3>\n<p>The process of investigation is partly a science and partly an art. The analyst is ultimately building a storyline of what happened to determine whether this chain of events is the result of a malicious actor (often attempting to mask their actions or nature), a normal business or technical process, an innocent mistake, or something else.<\/p>\n<p>This investigation is an iterative process. Analysts identify potential leads based on the information in the original report, follow those leads, and evaluate whether the results contribute to the investigation.<\/p>\n<p>Analysts often contact users to establish whether they performed an anomalous action intentionally, performed it accidentally, or did not perform it at all.<\/p>\n<blockquote>\n<p><strong>Running down the leads with automation<\/strong><\/p>\n<p>Much like analyzing physical evidence in a criminal investigation, cybersecurity investigations involve iteratively digging through potential evidence, which can be tedious work. Another parallel between cybersecurity and traditional forensic investigations is that popular TV and movie depictions are often much more exciting and faster than the real world.<\/p>\n<p>One significant advantage of investigating cyberattacks is that the relevant data is already electronic, making it easier to automate investigation. For many incidents, our SOC takes advantage of security orchestration, automation, and response (SOAR) technology to automate investigation (and remediation) of routine incidents. Our SOC relies heavily on the AutoIR functionality in Microsoft Threat Protection tools like Microsoft Defender ATP and Office 365 ATP to reduce analyst workload. 
In our current configuration, some remediations are fully automatic and some are semi-automatic (where analysts review the automated investigation and the proposed remediation before approving its execution).<\/p>\n<\/blockquote>\n<h3>Document, document, document<\/h3>\n<p>As the analyst builds this understanding, they must capture a complete record with their conclusions and the reasoning and evidence behind them for future use (case reviews, analyst self-education, re-opening cases that are later linked to active attacks, etc.).<\/p>\n<p>As our analyst develops information on an incident, they quickly capture the most relevant details into the case, such as:<\/p>\n<ul>\n<li>Alert info: Alert links and Alert timeline<\/li>\n<li>Machine info: Name and ID<\/li>\n<li>User info<\/li>\n<li>Event info<\/li>\n<li>Detection source<\/li>\n<li>Download source<\/li>\n<li>File creation info<\/li>\n<li>Process creation<\/li>\n<li>Installation\/Persistence method(s)<\/li>\n<li>Network communication<\/li>\n<li>Dropped files<\/li>\n<\/ul>\n<blockquote>\n<p><strong>Fusion and integration avoid wasting analyst time<\/strong><\/p>\n<p>Each minute an analyst spends on manual effort is another minute the attacker has to spread, infect, and do damage during an attack operation. Repetitive manual activity also creates analyst toil, increases frustration, and can drive interest in finding a new job or career.<\/p>\n<p>We learned that several technologies are key to reducing toil (in addition to automation):<\/p>\n<ul>\n<li><strong>Fusion<\/strong>\u2014Adversary attack operations frequently trip multiple alerts in multiple tools, and these must be correlated and linked to avoid duplication of effort. Our SOC has found significant value in technologies that automatically find and fuse these alerts into a single incident. 
Azure Security Center and Microsoft Threat Protection include these natively.<\/li>\n<li><strong>Integration<\/strong>\u2014Few things are more frustrating and time consuming than having to switch consoles and tools to follow a lead (a.k.a., swivel chair analytics). Switching consoles interrupts their thought process and often requires manual tasks to copy\/paste information between tools to continue their work. Our analysts are extremely appreciative of the work our engineering teams have done to bring threat intelligence natively into Microsoft\u2019s threat detection tools and link together the consoles for Microsoft Defender ATP, Office 365 ATP, and Azure ATP. They\u2019re also looking forward to (and starting to test) the Microsoft Threat Protection Console and <a href=\"https:\/\/azure.microsoft.com\/en-us\/services\/azure-sentinel\/\" target=\"_blank\" rel=\"noopener noreferrer\">Azure Sentinel<\/a> updates that will continue to reduce the swivel chair analytics.<\/li>\n<\/ul>\n<\/blockquote>\n<p>Stay tuned for the next segment in the series, where we\u2019ll conclude our investigation, remediate the incident, and take part in some continuous improvement activities.<\/p>\n<h3>Learn more<\/h3>\n<p>In the meantime, bookmark the <a href=\"https:\/\/www.microsoft.com\/security\/blog\/\" target=\"_blank\" rel=\"noopener noreferrer\">Security blog<\/a> to keep up with our expert coverage on security matters and follow us at <a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noopener noreferrer\">@MSFTSecurity<\/a> for the latest news and updates on cybersecurity.<\/p>\n<p>To learn more about SOCs, read previous posts in the <a href=\"https:\/\/www.microsoft.com\/security\/blog\/tag\/lessons-learned\/\" target=\"_blank\" rel=\"noopener noreferrer\">Lessons learned from the Microsoft SOC<\/a> series, including:<\/p>\n<p>Watch the <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/ciso-cybersecurity-strategy\" target=\"_blank\" 
rel=\"noopener noreferrer\">CISO Spotlight Series: Passwordless: What\u2019s It Worth<\/a>.<\/p>\n<p>Also, see our full <a href=\"https:\/\/www.microsoft.com\/security\/blog\/ciso-series\/\" target=\"_blank\" rel=\"noopener noreferrer\">CISO series<\/a> and download our <a href=\"https:\/\/aka.ms\/minutesmatter\" target=\"_blank\" rel=\"noopener noreferrer\">Minutes Matter poster<\/a> for a visual depiction of our SOC philosophy.<\/p>\n<p>READ MORE <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/12\/23\/ciso-series-lessons-learned-from-the-microsoft-soc-part-3b-a-day-in-the-life\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this next post in our series, we provide insight into a day in the life of our SOC analysts investigating common front door attacks.<br \/>\nThe post CISO series: Lessons learned from the Microsoft SOC\u2014Part 3b: A day in the life appeared first on Microsoft Security. READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":32454,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[6577,6579,6419,5345,8357,7220,6717],"class_list":["post-32453","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure","tag-ciso-series","tag-ciso-series-page","tag-endpoint-security","tag-incident-response","tag-lessons-learned","tag-microsoft-defender-advanced-threat-protection","tag-microsoft-defender-atp"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>CISO series: Lessons learned from the Microsoft SOC\u2014Part 3b: A day in the life 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/ciso-series-lessons-learned-from-the-microsoft-soc-part-3b-a-day-in-the-life\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CISO series: Lessons learned from the Microsoft SOC\u2014Part 3b: A day in the life 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/ciso-series-lessons-learned-from-the-microsoft-soc-part-3b-a-day-in-the-life\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2019-12-23T17:00:57+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2019\/12\/ciso-series-lessons-learned-from-the-microsoft-soc-part-3b-a-day-in-the-life.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1429\" \/>\n\t<meta property=\"og:image:height\" content=\"985\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ciso-series-lessons-learned-from-the-microsoft-soc-part-3b-a-day-in-the-life\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ciso-series-lessons-learned-from-the-microsoft-soc-part-3b-a-day-in-the-life\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"CISO series: Lessons learned from the Microsoft SOC\u2014Part 3b: A day in the life\",\"datePublished\":\"2019-12-23T17:00:57+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ciso-series-lessons-learned-from-the-microsoft-soc-part-3b-a-day-in-the-life\\\/\"},\"wordCount\":1851,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ciso-series-lessons-learned-from-the-microsoft-soc-part-3b-a-day-in-the-life\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2019\\\/12\\\/ciso-series-lessons-learned-from-the-microsoft-soc-part-3b-a-day-in-the-life.jpg\",\"keywords\":[\"CISO series\",\"Ciso series page\",\"Endpoint security\",\"incident response\",\"Lessons learned\",\"Microsoft Defender Advanced Threat Protection\",\"Microsoft Defender ATP\"],\"articleSection\":[\"Microsoft 
Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ciso-series-lessons-learned-from-the-microsoft-soc-part-3b-a-day-in-the-life\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ciso-series-lessons-learned-from-the-microsoft-soc-part-3b-a-day-in-the-life\\\/\",\"name\":\"CISO series: Lessons learned from the Microsoft SOC\u2014Part 3b: A day in the life 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ciso-series-lessons-learned-from-the-microsoft-soc-part-3b-a-day-in-the-life\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ciso-series-lessons-learned-from-the-microsoft-soc-part-3b-a-day-in-the-life\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2019\\\/12\\\/ciso-series-lessons-learned-from-the-microsoft-soc-part-3b-a-day-in-the-life.jpg\",\"datePublished\":\"2019-12-23T17:00:57+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ciso-series-lessons-learned-from-the-microsoft-soc-part-3b-a-day-in-the-life\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ciso-series-lessons-learned-from-the-microsoft-soc-part-3b-a-day-in-the-life\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ciso-series-lessons-learned-from-the-microsoft-soc-part-3b-a-day-in-the-life\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2019\\\/12\\\/ciso-series-lessons-learned-from-the-microsoft-soc-part-3b-a-day-in-the-life.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2019\\\/12\\\/ciso-series-lessons-learned-from-the-microsoft-soc-part-3b-a-day-in-the-life.jpg\",\"width\":1429,\"height\":985},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ciso-series-lessons-learned-from-the-microsoft-soc-part-3b-a-day-in-the-life\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CISO series\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/ciso-series\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"CISO series: Lessons learned from the Microsoft SOC\u2014Part 3b: A day in the life\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat 
Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}