
Our SIEM is producing noise, not signal — analysts are buried

A CISO's SOC is drowning in alerts from a legacy SIEM that lacks Microsoft-estate context. False positives are routine, mean-time-to-respond has crept up, and the team relies on out-of-the-box rules instead of disciplined detection engineering.

Trigger
SIEM renewal due; analyst attrition rising.
Good outcome
Sentinel + Defender XDR live, ingest discipline established, detection engineering as a continuous practice.
Diagnostic discovery

Signals this story fits

Observable cues that confirm the conversation belongs here.

  • Legacy SIEM (Splunk, QRadar, ArcSight) lacks deep Microsoft-estate context
  • Mean-time-to-respond drifting up; analyst attrition rising
  • Detection content relies heavily on out-of-the-box rules
  • Defender for Endpoint already in the estate but not joined up to the SIEM
  • Cyber-insurance renewal or board-level security review pending

Questions to ask

Open-ended, SPIN-style — each one has a reason it matters.

  1. What is your current MTTR baseline by incident class?

    Why: Without a baseline there is no proof of value.

    Listen for: “unknown” · “qualitative only” · “no baseline”

  2. How does your SOC team feel about the current SIEM — what are their top three complaints?

    Why: Surfaces ingest-cost pain, alert fatigue, and integration gaps. Also listen for retention pain.

  3. Where does identity sit in your detection model today?

    Why: Identity Protection is the highest-signal SOC input in any Microsoft estate; surfaces whether P2 + Identity Protection is in play.

  4. Have you set ingest tier discipline (Basic vs Analytics) anywhere today?

    Why: Sentinel cost is dominated by ingest. Establishes whether tier discipline is a concept or a practice.

  5. What detection engineering practice exists today — backlog, peer review, MITRE coverage tracking?

    Why: Often the biggest wedge — poor detection rigour drives MTTR drift.

  6. What does cyber-insurance renewal want to see this year?

    Why: Surfaces forced functions — PIM, MFA coverage, audit logging — that shape the urgency.
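Question 4 is easier to answer with numbers than with opinions. The KQL query below is an added example written for this page; it is not part of the original playbook or of any Microsoft documentation. Run in the Log Analytics workspace that will host Sentinel, it ranks billable tables by 30-day ingest volume from the built-in `Usage` table and flags the tables a detection-led SOC normally keeps on the Analytics plan, because scheduled analytics rules cannot run against Basic-plan tables. The `detectionSources` list is an assumption for illustration; replace it with the tables your analytics rules actually query.

```kql
// Added example, not from the original page: rank billable tables by ingest volume
// over the last 30 days so the Basic-vs-Analytics decision starts from data.
// Usage is a built-in Log Analytics table; Quantity is in MB, IsBillable is a bool.
let lookback = 30d;
// Assumption for illustration: tables that feed scheduled analytics rules.
// Basic-plan tables cannot be queried by analytics rules, so these stay on Analytics.
let detectionSources = dynamic([
    "SecurityAlert", "SecurityIncident", "SigninLogs", "AuditLogs",
    "SecurityEvent", "DeviceEvents", "DeviceProcessEvents", "IdentityLogonEvents"]);
// Total billable volume for the window, used to express each table as a share
let totalGB = toscalar(
    Usage
    | where TimeGenerated > ago(lookback) and IsBillable == true
    | summarize sum(Quantity) / 1024.0);
Usage
| where TimeGenerated > ago(lookback) and IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024.0, 2) by DataType
| extend ShareOfTotalPct = round(100.0 * IngestedGB / totalGB, 1)
| extend PlanGuidance = iff(DataType in (detectionSources),
      "keep Analytics (detection source)",
      "review: Basic candidate if only queried ad hoc")
| order by IngestedGB desc
| take 25
```

The plan itself is set per table, for example with `az monitor log-analytics workspace table update --resource-group <rg> --workspace-name <ws> --name <TableName> --plan Basic` (placeholders). Not every table type is eligible for Basic, and Basic tables carry a restricted query surface and shorter interactive retention, so tier discipline is a governed per-table decision rather than a workspace-wide switch; that is the practice the question is probing for.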

Baseline → target architecture

TOGAF-style gap framing — what we typically see today, and what the proposed end state looks like. The gap between them is the engagement.

Baseline architecture

Legacy SIEM with broad ingest, out-of-the-box rules dominant. Defender for Endpoint live but signals routed through the legacy SIEM. Identity Protection signals not in the SOC queue. No detection-engineering backlog. SOAR aspirations but no playbooks live.

Typical concerns

  • Ingest costs rising faster than estate growth
  • Alert fatigue; analysts disengaged
  • Detection content stale; no MITRE coverage tracking
  • Defender XDR signal partially landed; correlations missed
  • No documented MTTR trend by incident class

Capability gaps

  • Unified telemetry with ingest tier discipline
  • Detection engineering as a continuous practice
  • Identity threat detection integrated into SOC queue
  • SOAR automation against high-confidence detections
  • MITRE ATT&CK coverage measurement

Target architecture

Microsoft Sentinel as the SIEM anchor with Defender XDR connector live (the canonical pairing). Ingest tier discipline established at workspace level (Basic vs Analytics). Entra ID P2 + Identity Protection signals flowing into Sentinel. Detection engineering operates as a backlogged practice with peer review and MITRE coverage tracking. SOAR playbooks against the well-understood detections; humans on the ambiguity.

Key capabilities

  • Unified telemetry plane — Sentinel + Defender XDR
  • Ingest tier discipline (Basic vs Analytics) governed
  • Identity Protection signals in the SOC queue
  • Detection engineering backlog + MITRE coverage tracking
  • Selective SOAR automation
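Question 5 and the “MITRE ATT&CK coverage measurement” gap both need something a SOC can actually report on. The KQL below is an added example for this page, not from the original playbook and not Microsoft's own MITRE blade; it lists every enterprise ATT&CK tactic with the alert count, distinct alert names and source products observed over 30 days, so tactics with no observed alerts surface first as backlog candidates. The tactic spellings are the ones Sentinel writes into the comma-separated `SecurityAlert.Tactics` column; treat that list as an assumption to check against your own data.

```kql
// Added example, not from the original page: observed ATT&CK tactic coverage
// from the alerts that actually fired, as input to the detection-engineering backlog.
let lookback = 30d;
// Assumption: enterprise ATT&CK tactics as Sentinel names them in SecurityAlert.Tactics
let allTactics = dynamic([
    "Reconnaissance", "ResourceDevelopment", "InitialAccess", "Execution",
    "Persistence", "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess",
    "Discovery", "LateralMovement", "Collection", "CommandAndControl",
    "Exfiltration", "Impact"]);
let observed =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    // Tactics is a comma-separated string; one row per tactic per alert
    | mv-expand Tactic = split(Tactics, ",") to typeof(string)
    | extend Tactic = trim(" ", Tactic)
    | where isnotempty(Tactic)
    | summarize Alerts = count(),
                DistinctRules = dcount(AlertName),
                Products = make_set(ProductName)
        by Tactic;
// Start from the full tactic list so tactics with zero alerts are not silently dropped
print Tactic = allTactics
| mv-expand Tactic to typeof(string)
| join kind=leftouter observed on Tactic
| extend Alerts = coalesce(Alerts, 0), DistinctRules = coalesce(DistinctRules, 0)
| project Tactic, Alerts, DistinctRules, Products
| order by Alerts asc
```

A zero row means either no detection covers the tactic or nothing happened in the window, so the result is read alongside the list of enabled rules and their mapped techniques; tracked weekly, the same query gives the coverage trend the target architecture asks for.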

Enabling SKUs

Resolved in the ‘Recommended cards’ section below.

Architecture decisions

Each decision is offered as explicit options with trade-offs — Hohpe's “selling options” principle. A safe default is noted where one exists.

  1. Decision 1. SIEM stance — replace legacy with Sentinel vs federate Sentinel alongside legacy

    Replace legacy

    When it fits: Legacy renewal due; Microsoft estate dominates source surface.

    Trade-offs: Migration risk; existing content needs translation to KQL.

    Federate alongside legacy

    When it fits: Significant non-Microsoft source surface; legacy contract has multiple years.

    Trade-offs: Two SIEMs to operate; cost rarely lower.

    Default recommendation: Replace if legacy renewal is within 12 months and Microsoft estate dominates. Federate only if legacy contract is locked.

  2. Decision 2. Licence floor — M365 E5 vs M365 E5 Security add-on on top of E3

    M365 E5

    When it fits: Productivity + security both being modernised.

    Trade-offs: Higher per-seat; some E5 features unused initially.

    E3 + E5 Security add-on

    When it fits: Productivity stays on E3; security is the only modernisation.

    Trade-offs: Buying components separately often loses to full E5 at scale.

    Default recommendation: E5 if Copilot is also in scope; E5 Security add-on otherwise.

Low-risk trial — proof of value

45-day Sentinel SOC modernisation pilot

6 weeks

Sentinel workspace provisioned with ingest tier discipline. Defender XDR connector live. Three high-priority detection use cases authored and peer-reviewed. Identity Protection signal integrated. One SOAR playbook against a well-understood detection class. MTTR baseline + post-trial measurement.

Success criteria

  • MTTR baseline captured for at least three incident classes
  • Defender XDR + Sentinel correlation producing combined incidents
  • Three new detections authored with peer review and MITRE mapping
  • One SOAR playbook in production with measured time saved per incident
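The first success criterion, and question 1 in the discovery list, need a repeatable measurement rather than a one-off estimate. The KQL below is an added example for this page, not from the original playbook or from Microsoft. It computes time from incident creation to closure per incident class from Sentinel's `SecurityIncident` table, which stores one row per incident update, so the latest row per incident has to be taken before anything is measured. Two assumptions are mine: “incident class” is read as the Severity and Classification pair, and creation-to-closure is used as the MTTR proxy; if the SOC records first response separately, measure that interval instead.

```kql
// Added example, not from the original page: time-to-close per incident class,
// run once for the baseline and again with the same window after the trial.
let lookback = 90d;
SecurityIncident
| where TimeGenerated > ago(lookback)
// SecurityIncident holds one row per update; keep only the latest state per incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Status == "Closed" and isnotempty(ClosedTime)
// Hours from creation to closure; dividing a timespan by 1h yields a real number
| extend HoursToClose = (ClosedTime - CreatedTime) / 1h
// Assumption: "incident class" = Severity x Classification (TruePositive, FalsePositive, ...)
| extend Classification = coalesce(Classification, "Unclassified")
| summarize Incidents = count(),
            MedianHours = round(percentile(HoursToClose, 50), 1),
            P90Hours = round(percentile(HoursToClose, 90), 1),
            MeanHours = round(avg(HoursToClose), 1)
    by Severity, Classification
| order by Severity asc, Incidents desc
```

Reporting median and P90 beside the mean matters here: incidents auto-closed by a playbook as benign or false positive pull the mean down and can hide a worsening tail on true positives, which grouping by Classification exposes. For the trend the baseline section says is missing, add `startofweek(CreatedTime)` to the `by` clause.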

Investment: Sentinel consumption + advisory engagement. Legacy SIEM contract untouched during trial — decision deferred to month 3.

Proof metrics

  • MTTR reduction of 30%+ on the trial incident classes
  • Detection backlog established with at least three peer-reviewed rules
  • Identity Protection alerts producing actionable signal
  • SOC analyst feedback positive on the unified queue versus legacy console

Recommended cards

The SKUs and capabilities most likely to be part of the solution, with the editorial rationale for each in the context of this story. Add the ones that fit your situation.

Why for this story

The SIEM anchor. Cloud-native, consumption-priced, and the surface for detection engineering. Ingest tier discipline (Basic vs Analytics) is the single biggest cost lever and lands here.

Why for this story

The canonical pairing with Sentinel — cross-domain correlation across endpoint, identity, email, and SaaS. Buying components piecemeal almost always loses to the bundle.

Why for this story

Identity Protection signals are among the highest-value SOC inputs in any Microsoft estate. PIM eliminates the standing admin access that auditors and insurers increasingly insist on retiring.
