Security Monitoring Analyst in Maidenhead

The role staffs the Network Operations Centre on a rotating shift pattern to deliver continuous service monitoring of availability, performance, capacity, and security signals across Active Directory, Entra ID, Microsoft 365, SharePoint, Power Platform, Microsoft Fabric, and Azure — for the services that require 24/7 coverage as defined in the technical scope.

The post-holder triages incoming alerts, performs first-pass diagnostics, executes documented runbooks for known incident patterns, escalates to the relevant L2/L3 specialist within agreed timelines, opens communication bridges for P1 events, and ensures customer stakeholders are kept informed during major incidents. The role is the heartbeat of the SLA: it determines whether the contractual P1 1-hour response is met.

Key Technical Responsibilities

• Operate the monitoring console stack — Microsoft Sentinel, Azure Monitor, Microsoft Defender for Cloud, Microsoft 365 Admin Center service health, Defender XDR alerts, Log Analytics workbooks, and the integrated ITSM ticketing platform — for the duration of every shift.
• Monitor availability and performance of Active Directory domain controllers, DNS / DHCP / time service, ADFS, AAD Connect sync health, Entra ID sign-in service health, Exchange Online, SharePoint Online, Teams, OneDrive, Power Platform environments, Microsoft Fabric capacity, Azure VMs, storage, networking, and PaaS services.
• Triage incoming alerts within 5 minutes of generation, applying the documented severity matrix; classify alerts as actionable, suppressible, or false-positive, and record the rationale in the ticketing platform.
• Correlate alerts across multiple sources (Sentinel, Defender, Azure Monitor, M365 service health) to identify the underlying incident rather than reacting to individual symptoms.
• Acknowledge alerts and update tickets at the agreed cadence (every 60 minutes during P1; every 4 hours during P2) until handover or closure.

Incident Response and Runbook Execution

• Execute Tier-1 incident response runbooks for known and documented patterns: Conditional Access misconfiguration rollback, AAD Connect sync failure restart, expired application secret rotation, Defender alert containment, mailbox / Teams reset operations, SharePoint sharing-link restoration, and Power Platform environment health checks.
• Initiate the major incident process for any P1 incident: page the duty L2/L3 specialist, open the Microsoft Teams incident bridge, notify the Service Delivery Manager and customer stakeholders per the agreed comms plan, and assume scribe duties on the bridge call.
• Maintain accurate incident timelines in the ticketing platform — every action, every status check, every communication — with timestamp and operator initials, suitable for post-incident review and audit.
• Execute documented automated containment playbooks (Sentinel Logic Apps) for high-confidence security events: disable risky users, force password reset, isolate device in Defender for Endpoint, block sender in Exchange Online.
• Hand over open incidents at shift change using the structured handover template (active incidents, watch-items, scheduled changes, planned maintenance, expected escalations).

Service Request Fulfilment During Out-of-Hours Windows

• Fulfil pre-approved standard service requests during out-of-hours windows where authorised — for example licence assignment for emergency onboarding, Teams meeting policy adjustments for live events, or pre-approved Conditional Access exclusions — strictly within the documented standing change envelope.

Monitoring Hygiene and Improvement

• Participate in alert tuning to reduce false-positive rate and alert fatigue: review noisy rules weekly, propose threshold or filter changes through change control, and validate post-change.
• Maintain monitoring runbook accuracy: every time a runbook is executed, capture deviations and feed back to the engineering team for runbook updates.
• Contribute weekly to the Service Delivery Manager's service review with a shift-summary report (alerts handled, incidents raised, false-positive trends, runbook gaps).

Communication and Stakeholder Management

• Provide clear, factual, non-speculative communication during incidents in line with the proposed SLA Communication Plan — initial notification within 15 minutes of P1 declaration, updates at 60-minute intervals, and a wrap-up notification within 1 hour of resolution.
• Maintain the operational status page / Teams channel for customer stakeholders during major incidents.
• Comply strictly with EEA-only data processing requirements: no customer data is to leave the EEA boundary at any point during incident handling, and no screenshots / logs are to be transmitted via non-approved channels.

Mandatory Technical Skills

• Hands-on experience operating Microsoft Sentinel and Azure Monitor in a production NOC / SOC: ingesting alerts, working incidents, executing playbooks, and authoring basic KQL queries.
• Working knowledge of the Microsoft 365 service health framework, Defender XDR alert lifecycle, and the Azure Service Health portal.
• Active Directory and Entra ID fundamentals — enough to triage authentication failures, replication issues, MFA / Conditional Access blocks, and PIM activations.
• Basic PowerShell and KQL — sufficient to run prepared queries, validate state, and capture evidence; not expected to author advanced detection content (that sits with the Security & Governance Specialist).
• ITIL v4 foundation — incident, problem, change and event management; understanding of priority matrix, SLA clocks, and major incident process.
• Strong written English for incident notes, comms, and handover; ability to write clearly and unambiguously under time pressure.

Desirable Technical Skills

• KQL beyond basics — ability to extend prepared hunting queries with new filters under L2 supervision.
• Familiarity with ServiceNow / Jira Service Management / Freshservice (or equivalent ITSM).
• Experience with Power BI service health dashboards and Microsoft 365 Usage Analytics.
• Exposure to Azure DevOps work item tracking and Microsoft Teams incident bridge management.
• Awareness of GDPR Article 33 personal data breach notification timelines and EEA data residency obligations.

Required Certifications

• Microsoft Certified: Security, Compliance, and Identity Fundamentals (SC-900) — mandatory.
• Microsoft Certified: Azure Fundamentals (AZ-900) — mandatory.
• Microsoft 365 Certified: Fundamentals (MS-900) — mandatory.
• Microsoft Certified: Security Operations Analyst Associate (SC-200) — preferred (mandatory within 12 months of starting).
• ITIL 4 Foundation — preferred.
• CompTIA Security+ or equivalent — desirable.