Cloud-Native Security Operations Center (SOC) with Microsoft Sentinel

SIEM & SOAR Architecture for Hybrid Enterprise Threat Detection & Response

Description

This case study is an independent architecture design exercise developed to demonstrate cloud-native SOC architecture methodology for hybrid enterprise environments. It was not associated with a production deployment. The scenario is based on the security operations requirements typical of organisations managing distributed hybrid infrastructure across cloud, SaaS, identity, and on-premises environments.

Key Focus Areas:

  • SIEM & SOAR Architecture

  • Threat Detection & Incident Response

  • Security Automation & Orchestration

  • Hybrid Security Monitoring

  • KQL Detection Engineering

  • MITRE ATT&CK Alignment

Executive Summary

Architected a cloud-native Security Operations Center (SOC) platform leveraging Microsoft Sentinel to centralise security visibility, automate incident response workflows, and improve threat detection across hybrid enterprise environments.

The architecture integrates identity, endpoint, infrastructure, cloud, and SaaS telemetry into a unified detection and response platform capable of correlating multi-stage attacks in real time — combining centralised SIEM capabilities, custom KQL-based detection engineering, MITRE ATT&CK-aligned threat hunting, and SOAR automation into a scalable cloud-native security operations model.

The design demonstrates how fragmented, tool-centric security monitoring can be transformed into an integrated detection and response ecosystem capable of operating effectively across complex hybrid enterprise environments.

Business Drivers

Modern enterprises operate across increasingly distributed technology environments spanning cloud infrastructure, SaaS platforms, hybrid identities, and on-premises systems. This operational complexity creates fundamental security operations challenges that fragmented, tool-centric monitoring approaches cannot address effectively.

This architecture was designed to address the SOC requirements of organisations where existing monitoring approaches result in:

  • Fragmented visibility across disconnected security tools with no cross-domain correlation capability

  • Limited ability to detect multi-stage attack chains that traverse identity, endpoint, and infrastructure domains

  • Excessive alert fatigue and false positives consuming SOC analyst capacity without improving detection quality

  • Slow manual incident investigation workflows extending mean time to detect and respond

  • Inconsistent monitoring coverage across hybrid cloud and on-premises environments

  • Difficulty demonstrating security posture and incident response effectiveness to governance and compliance stakeholders

Operational Constraints

The architecture was designed to operate within the following constraints typical of hybrid enterprise SOC environments:

  • Security telemetry originates from multiple heterogeneous platforms requiring normalisation before correlation

  • Detection rules require careful tuning to balance detection sensitivity against alert fatigue

  • Incident response automation must operate within defined boundaries to avoid unintended operational disruption

  • Hybrid infrastructure requires consistent monitoring coverage across both cloud-managed and on-premises assets

  • SOC analyst workflows require scalable, tool-supported processes that reduce manual investigation effort

  • Reporting and dashboards must support both operational SOC workflows and executive governance visibility

  • Architecture must remain cost-manageable given Log Analytics ingestion-based pricing at enterprise telemetry volumes

Objectives

  • Centralise security telemetry across cloud, SaaS, identity, and on-premises environments into a single SIEM platform

  • Enable real-time threat detection and multi-domain event correlation across the full hybrid estate

  • Define and target measurable reductions in Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR)

  • Automate incident response workflows through SOAR capabilities reducing manual analyst intervention

  • Improve detection coverage across MITRE ATT&CK tactic categories through structured detection engineering

  • Strengthen threat hunting capabilities through KQL-based behavioural analytics

  • Reduce operational overhead through orchestrated, playbook-driven response automation

  • Establish a scalable cloud-native SOC architecture replacing fragmented on-premises monitoring tools

  • Deliver governance-ready security posture reporting for operational and compliance visibility

SOC Operational Targets

| Metric | Baseline (Fragmented Tools) | Architecture Target |
|---|---|---|
| Mean Time to Detect (MTTD) | 24–72 hours | < 1 hour for high-severity alerts |
| Mean Time to Respond (MTTR) | 4–8 hours manual | < 30 minutes with SOAR automation |
| Alert false positive rate | High — untuned | < 10% through KQL rule tuning |
| Cross-domain incident correlation | Manual / absent | Automated multi-source correlation |
| Threat hunting frequency | Ad hoc | Structured weekly hunting cycles |

These targets represent design objectives for the architecture scenario. Production SOC metrics would require baseline measurement and iterative tuning of detection rules and SOAR playbooks over an initial operational period.

Architecture Principles

  • Centralised security visibility across all domains as a non-negotiable operational baseline

  • Cloud-native scalability enabling telemetry ingestion growth without infrastructure overhead

  • Detection-driven security operations prioritising behavioural analytics over static signature rules

  • Automation-first incident response reducing manual analyst intervention for high-volume, repeatable actions

  • Multi-source telemetry correlation enabling detection of attack chains that span multiple domains

  • MITRE ATT&CK alignment structuring detection coverage across tactic and technique categories

  • Continuous monitoring and hunting preventing detection gaps through proactive threat analysis

  • Operational efficiency through orchestration freeing analyst capacity for high-value investigation work

Architecture Overview

The solution is structured as a six-layer cloud-native SOC platform integrating centralised telemetry ingestion, analytics, detection engineering, incident correlation, automated response, and operational reporting.

1. Data Ingestion Layer

The ingestion layer centralises security telemetry from multiple enterprise domains through Microsoft Sentinel data connectors, establishing a unified security telemetry pipeline across the full hybrid environment.

Identity & Access Telemetry

  • Microsoft Entra ID connector — sign-in logs, audit logs, risky user and risky sign-in events

  • Conditional access policy evaluation logs and MFA authentication events

Endpoint & Workload Security

  • Microsoft 365 Defender connector — endpoint alerts, device telemetry, and advanced hunting data from Defender for Endpoint

  • Microsoft Defender for Identity connector — identity-based threat alerts and lateral movement indicators

Cloud Security

  • Microsoft Defender for Cloud connector — cloud workload protection alerts and security recommendations

  • Azure Activity connector — Azure resource management operations and administrative activity logs

SaaS Platforms

  • Microsoft 365 connector — Exchange Online, SharePoint, Teams, and Office 365 audit activity

Infrastructure Monitoring

  • Syslog connector — Linux infrastructure logs from on-premises and Azure-hosted systems

  • Azure Monitor Agent — structured log forwarding from hybrid infrastructure through Log Analytics

This multi-source ingestion model ensures no security domain operates outside SOC visibility — a prerequisite for detecting multi-stage attacks that traverse identity, endpoint, and infrastructure layers simultaneously.

2. Data Platform Layer

The analytics foundation leverages Azure Log Analytics Workspace as the centralised security data platform, providing storage, normalisation, and query capabilities across all ingested telemetry.

Capabilities:

  • Centralised log storage with configurable retention periods aligned to compliance requirements

  • Security telemetry normalisation enabling consistent querying across heterogeneous data sources

  • KQL query engine supporting both real-time analytics rule evaluation and ad hoc threat hunting

  • Security data lake functionality enabling long-term retention of raw telemetry for forensic investigation

  • Cross-domain correlation across identity, endpoint, network, cloud, and SaaS event streams

3. Detection Engineering Layer

Threat detection capabilities are implemented through Microsoft Sentinel analytics rules using Kusto Query Language (KQL), structured around MITRE ATT&CK tactic and technique categories.

Detection Capabilities:

  • Built-in Microsoft Sentinel detection templates covering common attack patterns across all integrated data sources

  • Custom KQL detection rules engineered for environment-specific threat scenarios and behavioural baselines

  • Behavioural analytics and anomaly detection identifying deviations from established operational patterns

  • Scheduled and near-real-time analytics rules balancing detection latency against query cost

  • Structured threat hunting workflows enabling proactive analyst-driven investigation of hypothesised attack patterns

MITRE ATT&CK Coverage Examples:

| ATT&CK Tactic | Detection Use Case | Data Source |
|---|---|---|
| Initial Access | Phishing link click + suspicious sign-in correlation | Defender + Entra ID |
| Credential Access | Password spray and brute-force pattern detection | Entra ID sign-in logs |
| Lateral Movement | Impossible travel and anomalous authentication detection | Entra ID + Defender |
| Privilege Escalation | Suspicious role assignment and admin account creation | Entra ID audit logs |
| Defence Evasion | Security tool disablement and log clearing detection | Defender + Azure Activity |
| Exfiltration | Large volume download and unusual data transfer detection | Microsoft 365 + Defender |

KQL-based detection engineering enables flexible, behaviour-based rules that adapt to emerging attack patterns — reducing dependency on static signature rules that fail against novel or modified attack techniques.
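The Credential Access row of the table above, implemented as a scheduled analytics rule query. This is an added example written for this page, not a query from the case study; it assumes the standard SigninLogs table populated by the Entra ID connector, and the account threshold, the failure result codes and the allow-listed egress IP are constructed values to be tuned per tenant.

```kql
// Added example: password spray detection (MITRE ATT&CK T1110.003) over the Entra ID SigninLogs table.
// One source IP failing against many distinct accounts in a short window, optionally followed by a
// successful sign-in from the same IP after the spray began (which escalates the severity to High).
let lookback = 1h;
let accountThreshold = 20;                      // constructed: distinct accounts per IP; tune per tenant
let failureCodes = dynamic(["50126", "50053", "50055", "50057"]);
//   50126 invalid credentials, 50053 account locked, 50055 password expired, 50057 user disabled
let knownEgressIPs = dynamic(["203.0.113.10"]); // constructed placeholder allow-list (e.g. corporate NAT egress)
let sprays =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType in (failureCodes)
    | where IPAddress !in (knownEgressIPs)
    | summarize
        DistinctAccounts = dcount(UserPrincipalName),
        FailedAttempts   = count(),
        FirstFailure     = min(TimeGenerated),
        LastFailure      = max(TimeGenerated),
        TargetedAccounts = make_set(UserPrincipalName, 50)
      by IPAddress
    | where DistinctAccounts >= accountThreshold;
// Successful sign-ins in the same window, used to tell a noisy spray from a successful one.
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project IPAddress, SuccessTime = TimeGenerated, SuccessAccount = UserPrincipalName;
sprays
| join kind=leftouter successes on IPAddress
| summarize
    SuccessAfterSpray   = countif(SuccessTime > FirstFailure),             // only successes after the spray started count
    CompromisedAccounts = make_set_if(SuccessAccount, SuccessTime > FirstFailure, 10),
    TargetedAccounts    = take_any(TargetedAccounts)
  by IPAddress, DistinctAccounts, FailedAttempts, FirstFailure, LastFailure
| extend Severity = iff(SuccessAfterSpray > 0, "High", "Medium")
| extend SprayRatePerMinute = round(FailedAttempts / todouble(max_of(datetime_diff("minute", LastFailure, FirstFailure), 1)), 2)
| project TimeGenerated = LastFailure, Severity, IPAddress, DistinctAccounts, FailedAttempts, SprayRatePerMinute,
          FirstFailure, LastFailure, SuccessAfterSpray, CompromisedAccounts, TargetedAccounts
| order by Severity asc, DistinctAccounts desc
```

In the rule's entity mapping, map IPAddress to the IP entity and the account columns to Account entities so the correlation layer can fuse these alerts with endpoint and identity signals. Raising accountThreshold and extending knownEgressIPs are the first tuning levers when shared NAT egress or an on-premises sync service produces false positives.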

4. Correlation & Incident Layer

Microsoft Sentinel correlates security events across multiple domains into unified incidents, providing analysts with complete attack chain visibility rather than fragmented individual alerts.

Correlation Capabilities:

  • Cross-domain event fusion combining identity, endpoint, infrastructure, and cloud telemetry into unified incident timelines

  • Multi-stage attack chain reconstruction enabling analysts to visualise the complete attacker progression

  • Entity mapping associating alerts with specific users, hosts, IP addresses, and cloud resources across all correlated events

  • Alert grouping reducing incident noise by consolidating related alerts from multiple sources into single analyst-facing incidents

  • Incident severity scoring based on entity risk, alert confidence, and correlated signal weight

Example Multi-Stage Attack Correlation:

Stage 1: Phishing email delivered → Microsoft 365 alert
Stage 2: User clicks malicious link → Defender for Endpoint alert
Stage 3: Credential harvested → Entra ID risky sign-in event
Stage 4: Suspicious authentication from new location → Impossible travel detection
Stage 5: Lateral movement attempt → Defender for Identity alert
Stage 6: Privileged resource access → Azure Activity log anomaly

Sentinel correlates all six events into a single unified incident with a complete attack timeline for analyst investigation.
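A query implementing one slice of the chain above (a risky Entra ID sign-in followed by a privileged Azure control-plane operation by the same identity), added here as an example rather than taken from the case study. It assumes the SigninLogs and AzureActivity tables from the Entra ID and Azure Activity connectors; the list of privileged operations and the two-hour window are constructed assumptions.

```kql
// Added example: correlate a risky Entra ID sign-in with a subsequent privileged Azure control-plane
// operation by the same identity (the identity signal of stages 3/4 joined to the Azure Activity
// signal of stage 6). Emits one row per (risky sign-in, privileged operation) pair.
let window = 2h;
// Constructed list of control-plane operations treated as privileged; extend per environment.
let privilegedOps = dynamic([
    "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
    "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE",
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION",
    "MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE"
]);
let riskySignins =
    SigninLogs
    | where TimeGenerated > ago(window)
    | where ResultType == "0"                                   // only successful risky sign-ins matter here
    | where RiskLevelDuringSignIn in ("medium", "high")
    | project RiskTime       = TimeGenerated,
              Account        = tolower(UserPrincipalName),
              SigninIP       = IPAddress,
              RiskLevel      = RiskLevelDuringSignIn,
              RiskDetail,
              SigninLocation = Location;
AzureActivity
| where TimeGenerated > ago(window)
| where toupper(OperationNameValue) in (privilegedOps)
| where ActivityStatusValue =~ "Success"
| project OpTime         = TimeGenerated,
          Account        = tolower(Caller),                    // Caller is the UPN for user-initiated operations
          OpIP           = CallerIpAddress,
          Operation      = OperationNameValue,
          TargetResource = _ResourceId
| join kind=inner riskySignins on Account
| where OpTime between (RiskTime .. (RiskTime + window))       // the operation must follow the risky sign-in
| extend MinutesAfterRiskySignin = datetime_diff("minute", OpTime, RiskTime),
         SourceIPChanged         = SigninIP != OpIP
| project TimeGenerated = OpTime, Account, RiskLevel, RiskDetail, SigninIP, SigninLocation, RiskTime,
          Operation, TargetResource, OpIP, SourceIPChanged, MinutesAfterRiskySignin
| order by RiskLevel asc, MinutesAfterRiskySignin asc
```

Mapping Account, SigninIP/OpIP and TargetResource to Account, IP and Azure resource entities lets Sentinel group this alert with the Microsoft 365, Defender for Endpoint and Defender for Identity alerts on the same user into the single incident the chain above describes. SourceIPChanged is a useful analyst pivot: a privileged operation from a different address than the risky sign-in often indicates token replay rather than the same interactive session.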

5. Response Automation Layer — SOAR

Automated response workflows are implemented using Azure Logic Apps as Sentinel playbooks, reducing manual analyst intervention for high-volume, repeatable response actions.

Automated Response Capabilities:

  • Compromised account containment — automatic disabling of Entra ID accounts when high-confidence credential compromise indicators are detected, preventing further attacker progression before analyst review

  • IP blocking automation — automatic NSG rule updates blocking malicious IP addresses identified through threat intelligence correlation or confirmed attack activity

  • Incident enrichment — automatic querying of threat intelligence sources, geolocation data, and asset criticality information to enrich analyst-facing incidents before manual review begins

  • Security team notification — structured alert notifications to SOC analysts and escalation to on-call responders for critical severity incidents requiring immediate human intervention

  • Automated evidence collection — triggered collection of relevant logs, timeline data, and entity information at incident creation, reducing analyst investigation time

SOAR Governance Controls:

  • Human approval gates for high-impact automated actions (account disabling, broad IP blocking)

  • Audit logging of all automated actions for forensic and compliance review

  • Playbook testing in isolated environments before production deployment

  • Defined rollback procedures for automated actions requiring reversal

6. Visualisation & Reporting Layer

Operational dashboards and reporting are implemented through Microsoft Sentinel Workbooks, providing both real-time SOC operational visibility and governance-ready security posture reporting.

Capabilities:

  • Real-time SOC operational dashboard — active incident queue, alert volume trends, and analyst workload visibility

  • Incident trend analysis — historical incident volume, severity distribution, and resolution timeline tracking

  • Sign-in and identity risk monitoring — Entra ID risky user tracking, MFA coverage, and authentication anomaly trends

  • Threat distribution analysis — attack tactic distribution mapped to MITRE ATT&CK categories

  • MTTD and MTTR operational KPI tracking — measured against defined SOC performance targets

  • Security posture reporting — Defender Secure Score trends and compliance framework alignment for governance stakeholders

Architecture Diagram

Technologies Used

| Category | Technologies |
|---|---|
| SIEM & SOAR | Microsoft Sentinel |
| Data Platform | Azure Log Analytics Workspace |
| Data Connectors | Microsoft Entra ID, Microsoft 365 Defender, Defender for Cloud, Defender for Identity, Azure Activity, Syslog, Azure Monitor Agent |
| Detection Engineering | Kusto Query Language (KQL) |
| Response Automation | Azure Logic Apps (Sentinel Playbooks), Azure Automation |
| Visualisation | Sentinel Workbooks |
| Detection Framework | MITRE ATT&CK |
| Compliance Frameworks | NIST SP 800-61, ISO 27001, CIS Controls v8 |

Key Challenges Addressed

Aggregating heterogeneous security telemetry into a unified platform — addressed through Microsoft Sentinel's native data connector ecosystem, normalising telemetry from identity, endpoint, cloud, SaaS, and infrastructure sources into a single queryable Log Analytics workspace.

Reducing false positives without degrading detection sensitivity — addressed through KQL-based custom detection rule tuning, combining threshold-based alerting with behavioural baseline comparison to improve signal-to-noise ratio across high-volume telemetry sources.

Correlating multi-domain security events into coherent incident timelines — addressed through Sentinel's entity mapping and alert fusion capabilities, which correlate events across multiple data sources into unified incidents with complete attacker progression visibility.

Automating response without introducing operational disruption — addressed through human approval gates on high-impact playbook actions, audit logging of all automated responses, and staged playbook testing before production deployment.

Maintaining consistent monitoring coverage across hybrid environments — addressed through Azure Arc-enabled Log Analytics agent deployment on on-premises systems, extending Sentinel's visibility to non-Azure infrastructure without requiring full cloud migration.

Structuring detection coverage systematically — addressed through MITRE ATT&CK framework alignment, mapping custom KQL detection rules to specific tactic and technique categories to identify and address coverage gaps systematically rather than reactively.

Design Decisions & Rationale

Centralised SIEM over Fragmented Tool Monitoring: Fragmented monitoring tools generate isolated alerts with no cross-domain correlation capability. Microsoft Sentinel as a centralised SIEM provides a single analytics engine across all telemetry sources — enabling detection of multi-stage attacks that would be invisible to individual tool monitoring and reducing the analyst effort required to manually correlate events across disconnected consoles.

KQL-Based Detection Engineering over Static Signature Rules: Static signature rules fail against modified attack techniques and novel attack patterns. KQL-based behavioural detection rules query telemetry patterns dynamically — detecting anomalies in authentication behaviour, access patterns, and resource usage that evolve with the environment's baseline rather than remaining fixed against known attack signatures.

MITRE ATT&CK Framework Alignment: Unstructured detection rule development creates coverage gaps that are difficult to identify and address systematically. MITRE ATT&CK alignment maps detection coverage to specific adversary tactic and technique categories — making coverage gaps visible, enabling structured prioritisation of detection engineering effort, and providing a common language for communicating detection capability to security leadership.

SOAR Automation Through Logic Apps: Manual incident response at SOC scale is operationally unsustainable. Azure Logic Apps playbooks automate high-volume, repeatable response actions — account containment, IP blocking, incident enrichment — reducing analyst intervention time and accelerating response for the majority of incidents while preserving human judgement for complex, high-impact decisions through approval gate controls.

Cloud-Native SOC over On-Premises SIEM: On-premises SIEM infrastructure requires hardware management, capacity planning, and operational maintenance that creates overhead and constrains scalability. Microsoft Sentinel's cloud-native architecture scales telemetry ingestion elastically without infrastructure management overhead — enabling the SOC to expand monitoring coverage without provisioning additional on-premises capacity.

Multi-Source Telemetry Correlation: Single-source monitoring cannot detect attack chains that traverse multiple domains. Integrating identity, endpoint, cloud, SaaS, and infrastructure telemetry into a unified correlation engine enables detection of sophisticated multi-stage attacks that exploit the boundaries between security domains — the attack pattern most likely to evade tool-specific monitoring.

Trade-offs & Design Constraints

Log Analytics Ingestion Cost at Enterprise Scale: Microsoft Sentinel pricing is based on Log Analytics ingestion volume. Centralising telemetry from Entra ID, Defender suite, Microsoft 365, Azure Activity, and infrastructure Syslog at enterprise scale generates significant ingestion volumes with corresponding cost implications. Data collection rules should be designed to prioritise security-relevant telemetry — retaining full fidelity for high-value sources (identity, endpoint, cloud security) while applying filtering to high-volume, lower-value sources (verbose infrastructure logs). Commitment tier pricing should be evaluated against pay-per-GB pricing for predictable high-volume deployments.

Detection Rule Tuning Operational Overhead: Custom KQL detection rules require ongoing tuning as the environment evolves — authentication patterns change, new services are deployed, and attacker techniques adapt. Initial rule deployment generates elevated false positive rates requiring analyst-intensive tuning cycles before detection quality stabilises. Organisations should plan for a structured 30–90 day tuning period following initial SOC deployment before operational detection targets are achievable.

SOAR Automation Risk for High-Impact Actions: Automated account disabling and IP blocking are high-impact actions that can disrupt legitimate operations if triggered by false positive detections. Overly aggressive SOAR automation without appropriate approval gates and confidence thresholds creates operational risk that may outweigh response time benefits. Human approval gates for broad-impact actions are essential — SOAR automation should target high-confidence, narrow-impact response actions in initial deployment phases.

Threat Intelligence Integration Gap: This architecture does not include dedicated threat intelligence platform (TIP) integration beyond Microsoft's built-in threat intelligence feeds. For organisations facing sophisticated adversaries, integrating external TAXII-based threat intelligence feeds or commercial TIP platforms (Recorded Future, ThreatConnect) would significantly enhance detection coverage — particularly for indicators of compromise (IOCs) not yet included in Microsoft's native intelligence. This represents a meaningful detection gap that should be addressed in a production deployment.

On-Premises Coverage Dependency on Arc Deployment: Sentinel's visibility into on-premises infrastructure depends on successful Azure Arc agent deployment and Log Analytics agent configuration across all relevant systems. Incomplete Arc deployment creates monitoring blind spots in the on-premises environment. Arc deployment completeness should be tracked as a SOC coverage metric and treated as a prerequisite for declaring full operational SOC coverage.
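An added example (not part of the original case study) of the source filtering described for high-volume infrastructure logs, written as a workspace transformation for a data collection rule on the Syslog table. DCR transformations accept a restricted subset of KQL over a virtual input table named source; the facilities, severities, process names and the dropped message pattern are a constructed starting point and should be checked against every detection and hunting query that depends on Syslog before deployment.

```kql
// Added example: workspace transformation KQL for a data collection rule on the Syslog table.
// Keeps security-relevant events at full fidelity and drops verbose informational noise before
// ingestion (and therefore before it is billed). The selection below is a constructed starting point.
source
| where SeverityLevel in ("emerg", "alert", "crit", "err", "warning")    // anything notable by severity
    or Facility in ("auth", "authpriv")                                   // authentication, sudo/su and PAM activity
    or ProcessName in ("sshd", "sudo", "su", "systemd-logind", "auditd")  // processes worth keeping even at info level
| where SyslogMessage !has "pam_unix(cron:session)"                       // constructed: drop high-volume cron session chatter
```

Because a transformation discards data permanently, pair it with a short measurement period first: summarising Syslog by Facility, SeverityLevel and ProcessName before the rule is applied shows exactly which volume the filter would remove, and whether any analytics rule relies on the dropped rows.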
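One way to track that coverage metric, added as an example for this page rather than taken from the case study: a query over the Heartbeat table (written by the Azure Monitor Agent on Arc-enabled machines) compared against an expected host inventory. The inventory, site names and criticality values are constructed; in production the assumed source of truth would be a Sentinel watchlist or a CMDB export, and the Computer values must match the hostname form the agent reports.

```kql
// Added example: Arc/agent coverage as a SOC metric. Compares an expected on-premises host inventory
// against the Heartbeat table and reports per-site coverage plus the hosts that are blind spots.
let staleAfter = 1h;                                           // no heartbeat for this long counts as a gap
// Constructed inventory; in production source this from a watchlist (_GetWatchlist) or CMDB export.
let expectedHosts = datatable(Computer:string, Site:string, Criticality:string) [
    "onprem-dc01.corp.example",  "HQ",      "High",
    "onprem-dc02.corp.example",  "HQ",      "High",
    "onprem-fs01.corp.example",  "HQ",      "Medium",
    "branch-app01.corp.example", "Branch1", "Medium",
    "branch-db01.corp.example",  "Branch1", "High"
];
let reporting =
    Heartbeat
    | where TimeGenerated > ago(7d)
    | where ComputerEnvironment == "Non-Azure"                 // on-premises / Arc-connected machines only
    | summarize LastHeartbeat = max(TimeGenerated) by Computer, ResourceProvider;
expectedHosts
| join kind=leftouter reporting on Computer
| extend CoverageStatus = case(
    isnull(LastHeartbeat),           "NoAgent",                // never reported: Arc or agent not deployed
    LastHeartbeat < ago(staleAfter), "Stale",                  // agent stopped reporting: current blind spot
    "Healthy")
| summarize
    Hosts          = count(),
    Healthy        = countif(CoverageStatus == "Healthy"),
    CriticalGaps   = countif(CoverageStatus != "Healthy" and Criticality == "High"),
    UncoveredHosts = make_list_if(Computer, CoverageStatus != "Healthy")
  by Site
| extend CoveragePercent = round(100.0 * Healthy / Hosts, 1)
| order by CoveragePercent asc
```

Pinning this query in a workbook alongside MTTD and MTTR makes the prerequisite from the paragraph above measurable: a site at less than 100% coverage, or with CriticalGaps greater than zero, should not be reported as fully monitored regardless of how the detection metrics look.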

Projected Outcomes

The architecture is designed to deliver the following operational and security outcomes in a production hybrid enterprise environment:

  • Centralised security monitoring across identity, endpoint, cloud, SaaS, and on-premises infrastructure through a single SIEM platform

  • Significant reduction in MTTD through real-time KQL analytics rules and multi-source correlation replacing manual cross-tool investigation

  • Meaningful reduction in MTTR through SOAR playbook automation of high-volume, repeatable response actions

  • Improved threat detection accuracy through KQL behavioural rules tuned against environment-specific baselines

  • Real-time correlation of multi-stage attack chains across identity, endpoint, and infrastructure domains

  • Structured detection coverage across MITRE ATT&CK tactic categories with measurable gap identification

  • Scalable cloud-native SOC platform capable of expanding telemetry coverage without infrastructure overhead

  • Governance-ready security posture reporting for operational leadership and compliance stakeholders

Future Evolution

  • Dedicated threat intelligence platform integration through TAXII connector for external IOC enrichment beyond Microsoft native feeds

  • Microsoft Security Copilot integration for AI-assisted incident investigation and KQL query generation

  • User and Entity Behaviour Analytics (UEBA) expansion for advanced insider threat and compromised account detection

  • Automated threat hunting scheduled workflows triggered by new MITRE ATT&CK technique publications

  • Cross-cloud SOC expansion integrating AWS CloudTrail and GCP Audit Logs into the centralised Sentinel platform

  • Advanced SOAR playbook library expansion covering additional automated response scenarios

  • SOC metrics dashboard with MTTD, MTTR, and detection coverage trending for continuous operational improvement visibility

  • Zero Trust Network Access (ZTNA) telemetry integration for network-layer threat visibility

Key Takeaways

  • Centralised SIEM is the operational prerequisite for effective multi-stage attack detection — fragmented tools cannot correlate attack chains that cross domain boundaries

  • KQL-based behavioural detection engineering produces significantly better detection quality than static signature rules — flexibility and adaptability are essential for modern threat detection

  • MITRE ATT&CK alignment transforms detection engineering from reactive and ad hoc into structured, measurable, and systematically improvable

  • SOAR automation dramatically reduces analyst workload for repeatable response actions — but must include appropriate approval gates for high-impact automated decisions

  • Cloud-native SIEM eliminates infrastructure overhead while providing elastic scalability — the operational model for modern enterprise SOC operations

  • Threat intelligence integration is not optional for a production SOC — it is a detection capability gap that must be addressed in the architecture

  • Detection rule tuning is an ongoing operational investment, not a one-time deployment task — SOC teams must plan for continuous rule maintenance as environments and adversary techniques evolve

Open to discussing infrastructure architecture, cloud transformation, or high-availability system design.

Whether the objective is infrastructure modernization, operational resilience, hybrid cloud transformation, or enterprise security architecture, I am always interested in discussing complex infrastructure environments and strategic technical initiatives.

ENTERPRISE INFRASTRUCTURE ARCHITECTURE

My work focuses on ensuring service continuity, optimizing performance, and supporting large-scale infrastructure transformations across multi-site and hybrid environments.