Job Summary
Job Description – SOC L3 – SOC Lead
Role Overview
The SOC L3 is responsible for advanced threat detection, incident investigation, and response, handling major security incidents, performing root cause analysis (RCA), and driving security posture improvement. This role also focuses on SIEM use case optimization, threat hunting, and mentoring L1/L2 analysts.
Major Incident Management
Act as Incident Commander for P1/P2 security incidents
Coordinate with cross-functional teams (WinTel, AD, Network, Cloud, Application owners)
Drive war rooms, communication, and stakeholder updates (CISO level)
Ensure timely resolution and service restoration
Key Responsibilities
Incident Investigation & Response
Lead end-to-end investigation of complex security incidents across endpoints, identity, email, and cloud
Perform deep forensic analysis using Microsoft Sentinel, Defender XDR, and other security tools
Execute and coordinate incident containment, eradication, and recovery actions
Validate alerts and reduce false positives through advanced correlation
Root Cause Analysis (RCA)
Conduct detailed post-incident RCA
Identify attack vectors, gaps, and control failures
Provide actionable recommendations and preventive controls
Prepare executive summaries and technical RCA reports
SIEM (Microsoft Sentinel) Engineering
Fine-tune detection use cases and analytics rules
Optimize log ingestion, correlation, and alerting logic
Improve signal-to-noise ratio by reducing false positives
Threat Hunting
Perform proactive threat hunting using KQL and telemetry data
Map threats using MITRE ATT&CK framework
Identify hidden threats, lateral movement, persistence techniques
Develop and operationalize hunting queries into detections
MITRE ATT&CK Framework
Apply deep understanding of MITRE ATT&CK techniques (TTPs)
Map incidents and use cases to ATT&CK tactics (Initial Access, Lateral Movement, etc.)
Improve coverage by identifying detection gaps
Mentoring & Leadership
Provide guidance and mentoring to L1/L2 analysts
Review investigations and improve team capabilities
Conduct knowledge sharing sessions and training workshops
Documentation & Process Improvement
Develop and maintain:
SOPs (Standard Operating Procedures)
Runbooks / Playbooks
Knowledge Base (KB) articles
Drive SOC maturity and process standardization
Support audits and compliance requirements
Technical Skills Required
Strong expertise in:
Microsoft Sentinel (SIEM)
Microsoft Defender XDR (MDE, MDO, Identity, Cloud Apps)
Advanced KQL (Kusto Query Language)
Incident handling tools & EDR platforms
Understanding of:
Windows internals & logs
Identity (AD, Azure AD)
Email security (phishing, spoofing)
Network security concepts
Soft Skills
Strong analytical and problem-solving skills
Excellent communication (technical + executive level)
Ability to handle high-pressure incident scenarios
Strong coordination and stakeholder management