Security operations

The Microsoft Managed Desktop Security Operations Center (SOC) partners with your information security staff to keep your desktop environment secure. Our team receives and responds to all security alerts on managed devices with expert analysis. When needed, we drive security incident response activities. For more information about working with the SOC, review operational documentation in your Admin portal.

The SOC offers 24/7/365 coverage from Microsoft full-time employees with expertise in the current and emerging threat landscape, including common attack methods through software, network, or human adversaries.

The SOC provides these services:

Service Description
Quick and accurate response to detected events
  • Analyze data to identify the impact.
  • Assess the overall risk to a device or your environment.
Device management and isolation actions
  • Protect your environment from known or suspected compromises
  • Reduce the risk by preventing spread.
Drive the security incident response Ensure timely and accurate communication with your security team.
Analysis and recommendations Provide analysis and recommendations based on threat, and vulnerability data to identify and address risks before they're exploited.
Advanced hunting Across the managed devices to identify indicators and entities for both known and potential threats.


Process Description
Microsoft Managed Desktop Security Operations Microsoft Managed Desktop Security Operations is staffed by full-time Microsoft employees in partnership with Microsoft's Cyber Defense Operations Center.
SOC Our SOC uses collective signals from across our company, both internal and external, to protect your devices—even from things we haven't yet seen in Microsoft Managed Desktop.
Microsoft security solutions Microsoft security solutions align to many cybersecurity protection standards. SOC operations are based on the National Institute of Standards and Technology Computer Security Incident Response Handling Guide (NIST 800-61 r2).

The process allows for proper collection of information and evidence, for analysis and documentation and post-recovery insights into ways to better defend your environment through these phases:
  • Preparation, detection, and analysis
  • Containment
  • Eradication
  • Recovery
  • Post-incident activity
Microsoft Threats Experts service Microsoft Managed Desktop customers are eligible to enroll in the Microsoft Threat Experts service. The SOC liaises with this service to understand better the complex threats affecting your organization, including:
  • Alert inquiries
  • Potentially compromised devices
  • Root cause of a suspicious network connection
  • Other threat intelligence regarding ongoing advanced persistent threat campaigns.

For more information, see Microsoft Threat Experts.
SOC's Threat and Vulnerability Management SOC's Threat and Vulnerability Management process uses some of Microsoft's services to help inform recommendations for your organization to protect against threats.

The SOC consumes data from your Microsoft Defender for Endpoint Security Center and from relevant vulnerability data sources, within and outside of Microsoft, to discover vulnerabilities and misconfigurations to provide actionable reporting.