Security tools were in place, but there was no real detection capability. I designed a Sentinel-led SOC and the workflows that let the internal team run it.
Context
The provider had tooling but no coherent operations capability. Signals were scattered, and a small internal team had no structured way to detect and respond.
Challenge
Alerts arrived from everywhere with no prioritization. No analytics strategy, no automation, and no playbooks the team could follow under pressure.
Scope
- Design a Microsoft Sentinel workspace and data strategy
- Build prioritized analytics and use cases
- Automate repetitive response
- Enable the internal team to operate it
Constraints
- Sensitive patient data and strict privacy obligations
- A lean internal security team
- Low tolerance for noisy, low-value alerts
Approach
1. Connected the right Defender and identity signals into Sentinel
2. Built tuned analytics rules mapped to real healthcare threats
3. Automated triage with Logic Apps to cut manual toil
4. Documented playbooks and ran the team through them
Outcome
- Faster detection through centralized analytics and tuned use cases
- Lower alert noise, so the team could focus on real incidents
- A SOC capability the provider's own people can run
Lessons
A SOC is a capability, not a product. The tuning, playbooks, and enablement matter more than the tools you switch on.
What made it complex
Building meaningful detection for a sensitive environment while keeping noise low enough for a lean team to sustain.