Security Monitoring Analyst in Maidenhead

Maidenhead Full-Time 35000 - 45000 £ / year (est.) No home office possible
Data Controller, VE Ltd

At a Glance

  • Tasks: Monitor and respond to security alerts in a fast-paced tech environment.
  • Company: Join VE3, a leading tech consultancy transforming businesses with innovative solutions.
  • Benefits: Enjoy competitive pay, flexible hours, and opportunities for professional growth.
  • Other info: Dynamic team culture with a focus on continuous learning and development.
  • Why this job: Be the frontline defender of digital security and make a real impact.
  • Qualifications: Experience with Microsoft Sentinel and Azure Monitor is a plus.

The predicted salary is between £35,000 and £45,000 per year.

Maidenhead, United Kingdom | Posted on 07/05/2026

VE3 is a technology and business consultancy focused on delivering end-to-end technology solutions and products. We have successfully serviced enterprises across multiple markets, including the public and private sectors. Our services span all aspects of business, providing a holistic approach to managing an organization. We are committed to providing technical innovations and tools that empower organizations with critical information to facilitate decision-making that results in business transformation through cost savings and increased operational efficiency. Our commitment to quality is adopted throughout the organization and sets the foundation for delivering our full suite of capabilities.

Purpose of the Role

The role staffs the Network Operations Centre on a rotating shift pattern to deliver continuous service monitoring of availability, performance, capacity, and security signals across Active Directory, Entra ID, Microsoft 365, SharePoint, Power Platform, Microsoft Fabric, and Azure — for the services that require 24/7 coverage as defined in the technical scope. The post-holder triages incoming alerts, performs first-pass diagnostics, executes documented runbooks for known incident patterns, escalates to the relevant L2/L3 specialist within agreed timelines, opens communication bridges for P1 events, and ensures customer stakeholders are kept informed during major incidents. The role is the heartbeat of the SLA: it determines whether the contractual P1 1-hour response is met.

Key Technical Responsibilities

  • Continuous Monitoring and Alert Triage
    • Operate the monitoring console stack — Microsoft Sentinel, Azure Monitor, Microsoft Defender for Cloud, Microsoft 365 Admin Center service health, Defender XDR alerts, Log Analytics workbooks, and the integrated ITSM ticketing platform — for the duration of every shift.
    • Monitor availability and performance of Active Directory domain controllers, DNS / DHCP / time service, ADFS, AAD Connect sync health, Entra ID sign-in service health, Exchange Online, SharePoint Online, Teams, OneDrive, Power Platform environments, Microsoft Fabric capacity, Azure VMs, storage, networking, and PaaS services.
    • Triage incoming alerts within 5 minutes of generation, applying the documented severity matrix; classify alerts as actionable, suppressible, or false-positive, and record the rationale in the ticketing platform.
    • Correlate alerts across multiple sources (Sentinel, Defender, Azure Monitor, M365 service health) to identify the underlying incident rather than reacting to individual symptoms.
    • Acknowledge alerts and update tickets at the agreed cadence (every 60 minutes during P1; every 4 hours during P2) until handover or closure.
  • Incident Response and Runbook Execution
    • Execute Tier-1 incident response runbooks for known and documented patterns: Conditional Access misconfiguration rollback, AAD Connect sync failure restart, expired application secret rotation, Defender alert containment, mailbox / Teams reset operations, SharePoint sharing-link restoration, and Power Platform environment health checks.
    • Initiate the major incident process for any P1 incident: page the duty L2/L3 specialist, open the Microsoft Teams incident bridge, notify the Service Delivery Manager and customer stakeholders per the agreed comms plan, and assume scribe duties on the bridge call.
    • Maintain accurate incident timelines in the ticketing platform — every action, every status check, every communication — with timestamp and operator initials, suitable for post-incident review and audit.
    • Execute documented automated containment playbooks (Sentinel Logic Apps) for high-confidence security events: disable risky users, force password reset, isolate device in Defender for Endpoint, block sender in Exchange Online.
    • Hand over open incidents at shift change using the structured handover template (active incidents, watch-items, scheduled changes, planned maintenance, expected escalations).
  • Service Request Fulfilment During Out-of-Hours Windows
    • Fulfil pre-approved standard service requests during out-of-hours windows where authorised — for example licence assignment for emergency onboarding, Teams meeting policy adjustments for live events, or pre-approved Conditional Access exclusions — strictly within the documented standing change envelope.
  • Monitoring Hygiene and Improvement
    • Participate in alert tuning to reduce false-positive rate and alert fatigue: review noisy rules weekly, propose threshold or filter changes through change control, and validate post-change.
    • Maintain monitoring runbook accuracy: every time a runbook is executed, capture deviations and feed back to the engineering team for runbook updates.
    • Contribute weekly to the Service Delivery Manager's service review with a shift-summary report (alerts handled, incidents raised, false-positive trends, runbook gaps).
  • Communication and Stakeholder Management
    • Provide clear, factual, non-speculative communication during incidents in line with the proposed SLA Communication Plan — initial notification within 15 minutes of P1 declaration, updates at 60-minute intervals, and a wrap-up notification within 1 hour of resolution.
    • Maintain the operational status page / Teams channel for customer stakeholders during major incidents.
    • Comply strictly with EEA-only data processing requirements: no customer data is to leave the EEA boundary at any point during incident handling, and no screenshots / logs are to be transmitted via non-approved channels.

Mandatory Technical Skills

  • Hands-on experience operating Microsoft Sentinel and Azure Monitor in a production NOC / SOC: ingesting alerts, working incidents, executing playbooks, and authoring basic KQL queries.
  • Working knowledge of the Microsoft 365 service health framework, Defender XDR alert lifecycle, and the Azure Service Health portal.
  • Active Directory and Entra ID fundamentals — enough to triage authentication failures, replication issues, MFA / Conditional Access blocks, and PIM activations.
  • Basic PowerShell and KQL — sufficient to run prepared queries, validate state, and capture evidence; not expected to author advanced detection content (that sits with the Security & Governance Specialist).
  • ITIL v4 foundation — incident, problem, change and event management; understanding of priority matrix, SLA clocks, and major incident process.
  • Strong written English for incident notes, comms, and handover; ability to write clearly and unambiguously under time pressure.

Desirable Technical Skills

  • KQL beyond basics — ability to extend prepared hunting queries with new filters under L2 supervision.
  • Familiarity with ServiceNow / Jira Service Management / Freshservice (or equivalent ITSM).
  • Experience with Power BI service health dashboards and Microsoft 365 Usage Analytics.
  • Exposure to Azure DevOps work item tracking and Microsoft Teams incident bridge management.
  • Awareness of GDPR Article 33 personal data breach notification timelines and EEA data residency obligations.

Required Certifications

  • Microsoft Certified: Security, Compliance, and Identity Fundamentals (SC-900) — mandatory.
  • Microsoft 365 Certified: Fundamentals (MS-900) — mandatory.
  • Microsoft Certified: Security Operations Analyst Associate (SC-200) — preferred (mandatory within 12 months of starting).
  • ITIL 4 Foundation — preferred.
  • CompTIA Security+ or equivalent — desirable.

Security Monitoring Analyst in Maidenhead employer: Data Controller, VE Ltd

At VE3, we pride ourselves on being an exceptional employer, offering a dynamic work culture that fosters innovation and collaboration. Located in Maidenhead, our team enjoys a supportive environment with ample opportunities for professional growth, including access to cutting-edge technology and ongoing training. We are committed to employee well-being, providing competitive benefits and a flexible work-life balance, making VE3 a rewarding place to advance your career as a Security Monitoring Analyst.

Contact Detail:

Data Controller, VE Ltd Recruiting Team

StudySmarter Expert Advice 🤫

We think this is how you could land the Security Monitoring Analyst role in Maidenhead

✨Tip Number 1

Network with industry professionals! Join online forums or local meetups related to security monitoring. Engaging with others in the field can lead to job opportunities and insider tips that you won't find on job boards.

✨Tip Number 2

Show off your skills! Create a personal project or contribute to open-source initiatives that showcase your expertise in Microsoft Sentinel or Azure Monitor. This not only builds your portfolio but also demonstrates your passion for the field.

✨Tip Number 3

Prepare for interviews by practising common questions related to incident response and alert triage. Use mock interviews with friends or mentors to refine your answers and boost your confidence before the big day.

✨Tip Number 4

Apply directly through our website! It’s often the quickest way to get noticed. Tailor your application to highlight your relevant experience with tools like Microsoft 365 and Azure, and don’t forget to follow up after submitting!

We think you need these skills to ace the Security Monitoring Analyst role in Maidenhead

  • Microsoft Sentinel
  • Azure Monitor
  • Active Directory
  • Entra ID
  • Microsoft 365
  • PowerShell
  • KQL
  • Incident Management
  • ITIL v4
  • Communication Skills
  • Alert Triage
  • Incident Response
  • Service Request Fulfilment
  • Monitoring and Improvement
  • Stakeholder Management

Some tips for your application 🫡

Tailor Your CV: Make sure your CV is tailored to the Security Monitoring Analyst role. Highlight relevant experience with Microsoft Sentinel, Azure Monitor, and any incident response you've handled. We want to see how your skills match what we're looking for!

Craft a Compelling Cover Letter: Your cover letter is your chance to shine! Use it to explain why you're passionate about security monitoring and how your background makes you a great fit for our team. Keep it concise but impactful – we love a good story!

Show Off Your Technical Skills: Don’t forget to showcase your technical skills in your application. Mention your hands-on experience with tools like Microsoft 365 and your understanding of Active Directory. We’re keen on seeing how you can contribute to our NOC!

Apply Through Our Website: We encourage you to apply through our website for the best chance of getting noticed. It’s super easy, and you’ll be able to track your application status. Plus, we love seeing applications come directly from our site!

How to prepare for a job interview at Data Controller, VE Ltd

✨Know Your Tech Inside Out

Make sure you’re familiar with the tools and technologies mentioned in the job description, like Microsoft Sentinel, Azure Monitor, and Active Directory. Brush up on your KQL skills and understand how to triage alerts effectively. Being able to discuss these confidently will show that you're ready for the role.

✨Practice Incident Response Scenarios

Prepare for potential incident response scenarios that you might face in the role. Think about how you would handle a P1 incident or execute a runbook. Practising these scenarios can help you articulate your thought process during the interview, demonstrating your problem-solving skills.

✨Communicate Clearly and Effectively

Since communication is key in this role, practice explaining technical concepts in simple terms. During the interview, focus on being clear and concise, especially when discussing past experiences or incidents you've managed. This will highlight your ability to keep stakeholders informed during critical situations.

✨Show Your Commitment to Continuous Improvement

Discuss any experiences you have with alert tuning or improving monitoring processes. Employers love candidates who are proactive about reducing false positives and enhancing operational efficiency. Share specific examples of how you’ve contributed to improvements in previous roles.
