
SOC Analyst, Level 2
Methods
full-time
Posted on:
Location Type: Hybrid
Location: London • United Kingdom
About the role
- Act as an escalation point for all security alerts raised by Level 1 analysts.
- Validate incidents and determine severity, scope, root cause, and business impact.
- Lead technical investigations using:
  - Microsoft Sentinel (KQL, analytics rules, workbooks, hunting)
  - Microsoft Defender XDR (Endpoint, Identity, Office 365, Cloud Apps)
  - Entra ID (Azure AD) sign-in and audit logs
- Correlate identity, endpoint, email, and cloud activity to reconstruct attack chains and timelines.
- Own incidents through:
  - Identification
  - Containment
  - Eradication coordination
  - Recovery validation
  - Post-incident review and documentation
- Execute or coordinate containment actions including:
  - Device isolation via Defender for Endpoint
  - Account disablement and credential resets
  - Revocation of tokens and sessions
  - Blocking malicious indicators
  - Email purge/quarantine via Defender for Office 365
  - Conditional Access policy enforcement
- Produce high-quality incident records including:
  - Evidence and KQL queries used
  - Actions taken
  - Root cause analysis
  - MITRE ATT&CK mapping
  - Lessons learned and improvement actions
- Serve as technical incident lead during major security events.
- Provide accurate, timely updates to IT, security leadership, and affected teams.
- Maintain clear case management, documentation, and shift handovers within Sentinel/ITSM tooling.
- Contribute to operational reporting:
  - Incident volumes
  - Time to detect / contain
  - Alert fidelity
  - Repeat incident drivers
- Participate in a business-hours operating model with an on-call rotation for out-of-hours incidents.
- Act as a trusted technical point of contact for SOC service discussions, supporting leadership in understanding risk, response options, and technical trade-offs during live incidents.
- Tune Sentinel analytics rules to reduce false positives and missed threats.
- Improve correlation logic, entity mapping, and severity scoring.
- Develop and maintain:
  - Sentinel investigation playbooks
  - Incident response runbooks
  - Triage guides for Defender alerts
- Build and refine SOAR workflows using Logic Apps / Sentinel automation rules.
- Perform quality assurance on Level 1 investigations and provide structured coaching feedback.
- Introduce threat-informed detection improvements based on real incidents and Microsoft threat intelligence.
- Take ownership of defined components of the SOC, MDR, or XDR service, ensuring they are operationally effective, well documented, and aligned to current threat and platform capabilities.
- Identify gaps in detection coverage, tooling, or process maturity and propose practical, Microsoft-aligned improvements.
- Support service innovation by evaluating and piloting new Microsoft security features, detection approaches, and automation capabilities, assessing their operational value before wider adoption.
- Translate incident learnings into service improvements, updated playbooks, enhanced automation, and refined escalation models.
Requirements
- 2+ years’ experience in a SOC or security operations role with ownership of complex investigations.
- Strong hands-on experience with:
  - Microsoft Sentinel (KQL querying, investigations, analytics rules)
  - Microsoft Defender for Endpoint
  - Defender for Office 365
  - Defender for Identity
  - Defender for Cloud Apps
  - Entra ID (Azure AD) logs and Conditional Access
- Solid understanding of:
  - Windows internals and endpoint telemetry
  - Identity-based attacks and token abuse
  - Email threat techniques
  - Common attacker TTPs and kill chains
- Confident writing technical incident reports and stakeholder updates.
- Demonstrated ability to influence service quality and operational maturity without formal line management responsibility.
- Certifications (desirable):
  - Microsoft SC-200 (Security Operations Analyst)
  - Microsoft SC-100 / SC-300
  - CompTIA CySA+ / Security+
  - GIAC certifications (GCIH, GCIA, GMON)
  - Security Blue Team Level 2
Benefits
- Autonomy to develop and grow your skills and experience
- Be part of exciting project work that is making a difference in society
- Strong, inspiring and thought-provoking leadership
- A supportive and collaborative environment
- Development – access to LinkedIn Learning, a management development programme, and training
- Wellness – 24/7 confidential employee assistance programme
- Flexible Working – including home working and part time
- Social – office parties, breakfast Tuesdays, monthly pizza Thursdays, Thirsty Thursdays, and commitment to charitable causes
- Time Off – 25 days of annual leave a year, plus bank holidays, with the option to buy 5 extra days each year
- Volunteering – 2 paid days per year to volunteer in our local communities or within a charity organisation
- Pension – Salary Exchange Scheme with 4% employer contribution and 5% employee contribution
- Life Assurance – of 4 times base salary
- Private Medical Insurance – which is non-contributory (spouse and dependants included)
- Worldwide Travel Insurance – which is non-contributory (spouse and dependants included)
- Enhanced Maternity and Paternity Pay
- Travel – season ticket loan, cycle to work scheme
Applicant Tracking System Keywords
Tip: use these terms in your resume and cover letter to boost ATS matches.
Hard Skills & Tools
KQL, Microsoft Sentinel, Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, Windows internals, endpoint telemetry, incident response, threat detection
Soft Skills
technical writing, stakeholder communication, influence, coaching, incident management, problem-solving, team collaboration, leadership, analytical thinking, adaptability
Certifications
Microsoft SC-200, Microsoft SC-100, Microsoft SC-300, CompTIA CySA+, CompTIA Security+, GIAC GCIH, GIAC GCIA, GIAC GMON, Security Blue Team Level 2