Website:
cherrylabs.com
Job details:
Role summary:
Lead the SOC team that monitors, detects, investigates, and responds to security threats using
Microsoft Sentinel and integrated telemetry (Defender XDR, Entra ID/Azure AD, M365, EDR, network,
and cloud sources).
Owns day-to-day operational readiness, detection tuning, playbook orchestration & automation,
incident handling quality, and people management for a 24×7 Sentinel SOC.
Location:
Kozhikode (Calicut), Kerala.
Core responsibilities:
• Lead incident response for major security events: coordinate containment, evidence
collection, root-cause analysis, remediation guidance, and post-incident reviews.
• Oversee Sentinel analytics, the detection rule lifecycle, hunting content, notebooks, and KQL-based
investigations to reduce false positives and improve mean time to detect.
• Manage and tune ingestion and parsing (data connectors, normalization, Fusion and scheduled
analytics rules) and ensure log completeness from critical sources (Entra ID, M365, Defender,
EDR, firewalls, proxies, cloud platforms).
• Develop, maintain, and improve incident response playbooks (SOAR/Logic Apps), runbooks,
and standard operating procedures for triage and escalation.
• Lead and drive automation initiatives in the SOC to improve response and reduce incident
turnaround time (TAT).
• Mentor, coach, and technically lead L1–L3 analysts: run shift handovers, quality reviews,
training, and career development.
• Serve as the primary escalation point for complex investigations and as technical liaison with
engineering, threat intelligence, vulnerability management, and client/stakeholder teams.
• Drive continuous improvement: run RCA and lessons-learned, reduce alert noise, optimize
use cases, and track detection effectiveness.
• Ensure SOC meets SLAs, reporting cadence, dashboards, and executive/status reporting for
operations and incidents.
• Maintain situational awareness of threat landscape and incorporate relevant threat
intelligence into Sentinel content and hunting programs.
• Maintain familiarity with open-source threat intelligence platforms such as MISP and integrate
them with other TI feeds.
Required qualifications:
• 5+ years in security operations or incident response with at least 2 years leading SOC teams
or shifts.
• Hands-on experience with Microsoft Sentinel: KQL, analytics rules, workbooks, playbooks
(Logic Apps), data connectors, and threat hunting.
• Strong experience across Defender XDR, Entra ID/Azure AD signals, Microsoft 365 logging,
EDR tooling, and network/security device telemetry.
• Deep incident response skills: triage, containment, forensic evidence collection, root-cause
analysis, and remediation guidance.
• Solid scripting/querying skills (KQL mandatory; PowerShell, Python or similar desirable).
• Hands-on with SOAR/automation technologies and experience operationalizing playbooks.
• Excellent leadership, stakeholder communication, and client-facing skills; able to run
post-incident briefings and executive summaries.
• Relevant certifications preferred: e.g., CISSP, CISM, Microsoft Security certifications
(SC-200/SC-300), or GIAC incident response certifications.
Preferred experience:
• Prior work in managed SOC or MSSP environment, delivering 24×7 services to clients.
• Experience with detection engineering, building Sigma rules or translating detections into
Sentinel analytics.
• Knowledge of compliance frameworks (NIST, ISO 27001, PCI-DSS) and experience mapping
SOC processes to controls.
Ownership, metrics, and KPIs:
• Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) for incidents; percentage
of incidents resolved within SLA.
• False positive rate, analyst closure rate, and detection coverage (critical use cases
implemented).
• Analyst QA score (quality of investigations), training hours per analyst, and shift coverage
adherence.
• Number of tuned/retired analytics, playbooks implemented, and successful
tabletop/incident response exercises.
Shift, escalation, and on-call expectations:
• Lead should support 24×7 SOC operations through shift leadership and a structured on-call
rotation; available for high-severity incidents and executive briefings.
• Act as technical escalation point for L2/L3 cases and coordinate with external IR or client
teams when needed.
Deliverables and artifacts:
• Sentinel analytics catalogue, playbook library, workbooks/dashboard suite, runbooks, and
post-incident reports.
• Monthly and quarterly performance reports for the client.
• Quarterly detection roadmap, SOC staffing plan, and incident trend reports for stakeholders.