Step 6. Identify SOC maintenance tasks
Note
Want to experience Microsoft Defender XDR? Learn more about how you can evaluate and pilot Microsoft Defender XDR.
Applies to:
- Microsoft Defender XDR
Here are the periodic or as-needed tasks to maintain your SOC for Microsoft Defender XDR.
| Activity | Description | Cadence | Team assigned |
|---|---|---|---|
| Service administration collaboration with SOC Teams | Administration of peripheral services such as asset tracking (CMDB), application licensing (new SaaS licenses), device purchases (upgrades or renew device deployments), and other Microsoft 365 tenant-wide changes (Intune, Microsoft 365, and others) that may affect deployment of Microsoft Defender XDR products. | Weekly and as needed | Engineering & SecOps |
| Update anti-phishing and data loss prevention campaigns | Incorporate SOC use case and lessons learned with extended organization (HR, legal, training, and others). | Monthly and as needed | SOC Oversight |
| Deploy automation scripts and services where appropriate | Download and test automation scripts and configuration files from approved Microsoft sites to improve Microsoft Defender XDR operations. | Weekly and as needed | Engineering and SecOps |
| Portal or license management | Check announcements and the Microsoft Messaging Center for Microsoft Defender portal or licensing needs based on Microsoft updates and new features. | Weekly | SOC Oversight |
| Update SOC escalation tickets | All SOC teams update escalation tickets (such as Sentinel, ServiceNow tickets) assigned to them. | Daily | All SOC teams |
| Track Microsoft Defender Vulnerability Management (MDVM) remediation activity | Generate MDVM Secure Score remediation activity and report to asset owners through an intranet portal. | Daily | Monitoring |
| Generate Secure Score report | Monitoring team tracks and reports Secure Score improvements. | Weekly SOC | Monitoring |
| Run IR tabletop exercise | Test SOC team playbooks in tabletop exercise. | As needed | All SOC teams |
Integrate these tasks into your current SOC processes.
Next steps
You should review the guides referred to in this content and in the Microsoft Defender XDR library to determine how your own implementation of Microsoft Defender XDR should be structured and integrated.
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.
Feedback
Submit and view feedback for