Step 4. Define Microsoft Defender XDR roles, responsibilities, and oversight
Applies to:
- Microsoft Defender XDR
Your organization must establish ownership and accountability of the Microsoft Defender XDR licenses, configurations, and administration as initial tasks before any operational roles can be defined. Typically, the ownership of the licenses, subscription costs, and administration of Microsoft 365 and Enterprise Security + Mobility (EMS) services (which may include Microsoft Defender XDR) fall outside the Security Operations Center (SOC) teams. SOC teams should work with those individuals to ensure proper oversight of Microsoft Defender XDR.
Many modern SOCs assign its team members to categories based on their skillsets and functions. For example:
- A threat intelligence team assigned to tasks related to lifecycle management of threat and analytics functions.
- A monitoring team comprised of SOC analysts responsible for maintaining logs, alerts, events, and monitoring functions.
- An engineering & operations team assigned to engineer and optimize security devices.
SOC team roles and responsibilities for Microsoft Defender XDR would naturally integrate into these teams.
The following table breaks out each SOC team's roles and responsibilities and how their roles integrate with Microsoft Defender XDR.
SOC team | Roles and responsibilities | Microsoft Defender XDR tasks |
---|---|---|
SOC Oversight |
|
|
Threat Intelligence & Analytics |
|
|
Monitoring |
|
Uses:
|
Engineering & SecOps |
|
|
Computer Security Incident Response Team (CSIRT) |
|
Collaborate and maintain Microsoft Defender XDR incident response playbooks |
Step 5. Develop and test use cases
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.