Managed Security Operations Centre (SOC) and SIEM Service

The purpose of this RFP specification for Cairn Housing is to procure a Security Operations Centre (SOC) and SIEM service delivering fully managed 24x7x365 monitoring, detection, response, and continuous improvement, operating in a co-managed model with the association, for a Microsoft-only cloud environment.

The successful supplier will be responsible for designing, implementing, onboarding, operating, and continuously improving a Microsoft Sentinel-based SIEM and SOC service, leveraging the organisation’s existing Microsoft 365 E5 security and compliance licensing.

The Association has defined a budget of £30k per annum, i.e. £90k over the three-year contract.

The proposed solution is a co-managed 24x7x365 UK-based SOC built exclusively on Microsoft Sentinel, deployed within the organisation’s own Azure tenant. This approach ensures full data ownership, sovereignty, and compliance with public-sector regulatory requirements.

Managed Security Operations Centre (SOC) and SIEM Service: Specification

  • SIEM Platform: Microsoft Sentinel deployed exclusively in the organisation’s Azure tenant, with full data ownership and sovereignty. Uses only Microsoft-native connectors, APIs, and services; no export of logs or alerts to third-party platforms. Supports FOISA-compliant record keeping.
  • Microsoft Security Stack Integration: Full integration with Microsoft Sentinel and the Microsoft Defender suite (Defender for Endpoint, Office 365, Identity, Cloud Apps, Cloud) plus Microsoft Entra ID (sign-ins, audit logs, Conditional Access). Maximises existing Microsoft 365 E5 licensing and avoids redundant tooling.
  • Service Model: 24x7x365 UK-based SOC operations. Co-managed model with full customer visibility of alerts, incidents, and response actions; clear delineation of responsibilities; defined escalation paths; supplier handles day-to-day operations.
  • Incident Classification: Four-tier priority model
    – P1 (Critical): active compromise, ransomware, data exfiltration, identity takeover
    – P2 (High): confirmed malware, high-risk suspicious behaviour
    – P3 (Medium): low-risk or blocked malicious activity
    – P4 (Informational): benign alerts, tuning, or advisory events
  • Incident Response: Full lifecycle management. For P1/P2: immediate automated containment and remediation via pre-approved SOAR playbooks on a “defend-first” basis (no customer approval required for pre-authorised actions). For P3/P4: triage, investigation, non-disruptive response, detection tuning, and advisory guidance.
  • SOAR Playbooks: Documented, auditable playbooks with mandatory coverage for P1/P2 incidents (e.g., compromised accounts, endpoint isolation, token revocation, malicious email containment, ransomware containment). Aligned with MITRE ATT&CK framework.
  • Threat Detection & Hunting: KQL-based detection engineering, MITRE ATT&CK mapping, regular proactive threat hunting (identity- and endpoint-focused), and continuous tuning to reduce noise.
  • Log Ingestion & Cost Management: Active optimisation of Sentinel ingestion costs without compromising visibility. Includes reduction of noisy logs, use of Basic Logs/Archive tiers, retention policies aligned to public-sector/regulatory needs, and ingestion of security-relevant alerts only.
  • Reporting & Governance: Monthly service reports (incident volumes, trends, SLA performance, threat insights); quarterly service reviews and roadmap planning. Centralised incident tracking with full evidence and audit trail.
  • Onboarding & Deliverables: Discovery workshops, Sentinel deployment/configuration, connector enablement, SOAR implementation, testing (including simulated P1/P2), go-live support, documented runbooks, escalation matrices, proactive hunting, and knowledge transfer.
  • Contract Term: Initial 3-year term (with optional 4th year).
  • SLAs (key examples):
    – P1: triage ≤10 min, initial response ≤30 min, notification ≤60 min
    – P2: triage ≤30 min, response ≤60 min, containment ≤60 min
    – SOC availability: 99.9%
    – Connector health: >98%
    – Detection engineering, threat hunting, cost optimisation, playbook reviews, and case updates with defined timeframes.

These elements collectively define the technical, operational, and performance specification of the managed SOC and SIEM service.
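As an illustration of the "KQL-based detection engineering" and "identity takeover" requirements above, here is an added example of a Sentinel analytics rule (not part of the RFP or any supplier's content). It assumes the Entra ID (SigninLogs) and Office 365 (OfficeActivity) connectors are enabled, and correlates a risky successful sign-in with an email-forwarding inbox rule created by the same user within 60 minutes, a common business-email-compromise pattern that would be classified P1 and handed to the token-revocation playbook.

```kql
// Added example, not from the RFP: candidate P1 "identity takeover" analytics rule.
// Assumes SigninLogs (Entra ID) and OfficeActivity (Office 365) are ingested.
// MITRE ATT&CK: T1078 (Valid Accounts), T1114.003 (Email Forwarding Rule).
let lookback = 1d;       // analytics rule query period
let window   = 60m;      // max gap between risky sign-in and rule creation
let RiskySignins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"                            // successful sign-ins only
    | where RiskLevelDuringSignIn in ("medium", "high")   // Entra ID Protection risk
    | project SigninTime = TimeGenerated,
              UserPrincipalName = tolower(UserPrincipalName),
              IPAddress, Location, AppDisplayName, RiskLevelDuringSignIn;
let ForwardingRules =
    OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where OfficeWorkload == "Exchange"
    | where Operation in ("New-InboxRule", "Set-InboxRule")
    // only rules that move mail outside the mailbox
    | where Parameters has_any ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
    | project RuleTime = TimeGenerated,
              UserPrincipalName = tolower(UserId),
              Operation, Parameters;
RiskySignins
| join kind=inner ForwardingRules on UserPrincipalName
| where RuleTime between (SigninTime .. (SigninTime + window))
| extend Priority = "P1",
         Tactics = "InitialAccess, Collection",
         Techniques = "T1078, T1114.003"
| project SigninTime, RuleTime, UserPrincipalName, IPAddress, Location,
          AppDisplayName, RiskLevelDuringSignIn, Operation, Parameters,
          Priority, Tactics, Techniques
```

Scheduled with a 1-hour frequency and 1-day lookback, the rule's entity mapping (UserPrincipalName, IPAddress) lets the pre-approved P1 playbook act on the account directly, and the Tactics/Techniques columns feed the MITRE ATT&CK coverage reporting required in the monthly service report.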

digitalscotland

Editor of DigitalScot.net. On a mission to build a world leading Scottish digital nation.
