An industrial group headquartered in Bilecik, with 6 factories and 480 employees, faced the fact that "we are still going through events one by one in server logs" and built a SecOps program around Microsoft Sentinel + Defender XDR + a 24/7 outsourced SOC. After 8 months, MTTD (mean time to detect) went from 14 days to 18 minutes and MTTR from 3 days to 4 hours. This post is the field notes.
What Is SecOps?
SecOps = Security + Operations: a continuous cycle of monitoring, detection, response and improvement. Its components are SIEM (event collection + analysis) + SOAR (automation) + EDR (endpoint detection and response) + SOC (the human team).
| Component | Microsoft tool |
|---|---|
| SIEM | Sentinel |
| SOAR | Sentinel Playbook (Logic Apps) |
| EDR | Defender for Endpoint |
| Email security | Defender for Office 365 |
| Identity | Defender for Identity + Entra ID Protection |
| Cloud workload | Defender for Cloud (CSPM + CWP) |
| SaaS | Defender for Cloud Apps |
| UEBA | Sentinel UEBA |
Phase 1: Sentinel + Log Onboarding (Months 1-2)
Connectors
| Connector | Data source |
|---|---|
| Entra ID | Sign-in + audit logs |
| M365 Defender | All XDR alerts + raw events |
| Office 365 | Exchange + SharePoint + Teams audit |
| Defender for Cloud | Azure resource alerts |
| Azure Activity | Subscription-level audit |
| NSG flow logs | Network traffic |
| Windows Security Events (AMA) | On-prem AD DCs, file servers |
| Linux Syslog | SAP B1 server, web |
| Palo Alto Firewall (CEF) | Perimeter |
| Microsoft 365 Apps audit | Office app activity |
Total event volume is ~140 GB/day. Tiers: Analytics (90 days hot) plus the Auxiliary tier ($0.05/GB) for some high-volume, low-value logs (NSG flow logs).
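Before deciding which tables to move to the Auxiliary tier, it helps to rank billable ingest per table. This query is an added example, not from the original post; the 10 GB/day review threshold is an assumption, and `AzureNetworkAnalytics_CL` is the table that Traffic Analytics-based NSG flow logs land in.

```kusto
// Added example (not from the original post): rank Log Analytics tables by
// billable ingest over the last 30 days to pick Auxiliary-tier candidates.
// Usage.Quantity is in MB; the 10 GB/day cut-off below is an assumed threshold.
let lookback = 30d;
let totalGB = toscalar(
    Usage
    | where TimeGenerated > ago(lookback) and IsBillable == true
    | summarize sum(Quantity)) / 1024.0;
Usage
| where TimeGenerated > ago(lookback) and IsBillable == true
| summarize TotalGB = sum(Quantity) / 1024.0 by DataType
| extend AvgGBPerDay = round(TotalGB / 30.0, 2),
         ShareOfIngest = round(100.0 * TotalGB / totalGB, 1)
// NSG flow logs are the post's example of high-volume, low-value data
| extend TierCandidate = case(
      DataType == "AzureNetworkAnalytics_CL", "Auxiliary (NSG flow logs)",
      AvgGBPerDay > 10, "Review for Auxiliary",
      "Analytics")
| project DataType, TotalGB = round(TotalGB, 1), AvgGBPerDay, ShareOfIngest, TierCandidate
| order by TotalGB desc
```

Run it over a full billing month rather than a few days, since weekend volumes on the firewall and flow-log tables can be far lower than weekday volumes.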
Phase 2: Detection Rules (Months 3-4)
Built-in (Microsoft templates)
~280 built-in templates were enabled (dozens per Defender, Entra and M365 connector):
- Impossible travel detected
- Anonymous IP sign-in
- Credential stuffing pattern
- Suspicious mailbox forwarding rule
- Mass file deletion (insider threat)
- Defender XDR incidents synced automatically into Sentinel
Custom KQL (examples)
```kusto
// Brute-force RDP attempts against on-prem AD (Windows Security Events via AMA)
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625          // failed logon
| where LogonType == 10          // RemoteInteractive (RDP)
| summarize FailedAttempts = count(),
            UniqueAccounts = dcount(TargetUserName)
    by IpAddress, bin(TimeGenerated, 5m)
// many failures across many accounts from one source: spraying or brute force
| where FailedAttempts > 20 and UniqueAccounts > 5
| extend Severity = "High",
         AlertName = strcat("RDP brute force from ", IpAddress)
| project TimeGenerated, IpAddress, FailedAttempts, UniqueAccounts, AlertName, Severity
```
```kusto
// Encoded PowerShell command line (LOLBin abuse), Defender for Endpoint telemetry
DeviceProcessEvents
| where ProcessCommandLine contains "powershell"
// has_any is term-based, so "-e" matches the short switch but not -ExecutionPolicy
| where ProcessCommandLine has_any ("-enc", "-EncodedCommand", "-e")
| where ProcessCommandLine matches regex @"[A-Za-z0-9+/=]{50,}"   // long base64 blob
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
```
```kusto
// Anomalous data exfiltration (large outbound transfer)
// Column names follow the ASIM NetworkSession schema, which normalizes the
// firewall (CEF) and NSG flow logs onboarded in Phase 1.
_Im_NetworkSession(starttime=ago(1h), endtime=now())
| where NetworkDirection == "Outbound"
| summarize TotalBytes = sum(SrcBytes) by SrcIpAddr, DstIpAddr
| where TotalBytes > 5000000000   // 5 GB
| extend AlertName = strcat("Large data exfil from ", SrcIpAddr, " to ", DstIpAddr)
```
Phase 3: SOAR Playbooks (Month 5)
Playbook 1: Compromised Account Auto-Disable
Trigger: Sentinel incident "Impossible travel" with risk score "high"
Steps:
1. Get the user from the incident
2. Check whether the user is an admin (PIM check)
3. If admin → require human approval (Teams adaptive card to the SOC)
   If non-admin → auto-disable the user
4. Disable the user in Entra ID (Graph API)
5. Revoke all refresh tokens
6. Add the user to the "compromised" group
7. Notify the user's manager + IT (Teams)
8. Open a ticket in ServiceNow
9. Comment the incident with the actions taken
Playbook 2: Phishing Email Auto-Quarantine
Trigger: Defender for Office 365 alert "high confidence phishing"
Steps:
1. Get the email recipients
2. Check whether any user clicked the URL (UrlClickEvents)
3. If clicked → tag the user high-risk and force an MFA reset
4. Soft-delete the email from all recipient mailboxes (Graph API)
5. Block the sender at the perimeter (Defender + firewall)
6. Notify the SOC for review
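Steps 1-3 of Playbook 2 come down to one question: which recipients clicked, and did Safe Links let the click through? The following query is an added example, not part of the original post or its playbooks; the NetworkMessageId is a constructed placeholder that a Logic App would take from the alert's email entity.

```kusto
// Added example (not from the original post): lists every recipient of the
// flagged message and whether they clicked one of its URLs, so the playbook
// can branch per user. The message ID below is a constructed placeholder.
let suspectMessageId = "00000000-0000-0000-0000-000000000000";  // placeholder
let lookback = 7d;
let recipients = EmailEvents
    | where Timestamp > ago(lookback)
    | where NetworkMessageId == suspectMessageId
    | extend Recipient = tolower(RecipientEmailAddress)
    | project NetworkMessageId, Recipient, SenderFromAddress, Subject, DeliveryAction, LatestDeliveryLocation;
let clicks = UrlClickEvents
    | where Timestamp > ago(lookback)
    | where NetworkMessageId == suspectMessageId
    | extend Recipient = tolower(AccountUpn)
    | project NetworkMessageId, Recipient, Url, ActionType, IsClickedThrough, ClickTime = Timestamp;
recipients
| join kind=leftouter clicks on NetworkMessageId, Recipient
| extend Clicked = isnotempty(Url)
// Safe Links allowed the click, or the user clicked past the warning page: highest risk
| extend Action = case(
      Clicked and (ActionType == "ClickAllowed" or IsClickedThrough == true), "High risk: tag user, force MFA reset",
      Clicked, "Blocked click: notify user only",
      "No click: soft-delete only")
| project Recipient, Subject, DeliveryAction, LatestDeliveryLocation, Clicked, ActionType, Url, ClickTime, Action
| order by Clicked desc, ClickTime asc
```

A recipient with no matching UrlClickEvents row still needs the soft-delete in step 4; the join is left-outer so those users are not dropped from the result.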
Phase 4: MITRE ATT&CK Mapping (Month 6)
Detection rules were tagged with MITRE tactic + technique. Coverage map:
| MITRE Tactic | Coverage |
|---|---|
| Initial Access | 85% (phishing, exploit, valid accounts) |
| Execution | 72% (PowerShell, scheduled task) |
| Persistence | 68% (registry, service, scheduled task) |
| Privilege Escalation | 62% (UAC bypass, token manipulation) |
| Defense Evasion | 58% (process injection, file deletion) |
| Credential Access | 75% (LSASS, brute force, kerberoasting) |
| Lateral Movement | 70% (PsExec, WMI, SMB) |
| Exfiltration | 80% (large outbound, DNS tunneling) |
New rules were written for the tactics with low coverage.
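The coverage map above counts tagged rules; a complementary view is which tactics have actually produced alerts. This query is an added example, not from the original post; it uses the `Tactics` column of the `SecurityAlert` table, and the "fewer than 3 firing rules" gap threshold is an assumption.

```kusto
// Added example (not from the original post): observed tactic coverage from
// alerts fired in the last 90 days. Rules that never fire are invisible here,
// so this complements the rule-tagging map rather than replacing it.
let lookback = 90d;
// the eight tactics tracked in the coverage map above
let tactics = dynamic(["InitialAccess", "Execution", "Persistence", "PrivilegeEscalation",
                       "DefenseEvasion", "CredentialAccess", "LateralMovement", "Exfiltration"]);
let observed = SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where isnotempty(Tactics)
    // an alert can carry several tactics, e.g. "InitialAccess,Persistence"
    | mv-expand Tactic = split(Tactics, ",") to typeof(string)
    | extend Tactic = trim(" ", Tactic)
    | summarize Alerts = dcount(SystemAlertId),
                DistinctRules = dcount(AlertName),
                LastSeen = max(TimeGenerated)
        by Tactic;
print Tactic = tactics
| mv-expand Tactic to typeof(string)
| join kind=leftouter observed on Tactic
| extend Alerts = coalesce(Alerts, 0), DistinctRules = coalesce(DistinctRules, 0)
// assumed threshold: a tactic backed by fewer than 3 firing rules gets reviewed
| extend Gap = iff(DistinctRules < 3, "Review: few or no firing rules", "")
| project Tactic, DistinctRules, Alerts, LastSeen, Gap
| order by DistinctRules asc
```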
Phase 5: 24/7 SOC (Months 7-8)
In-house team of 5 (business hours 08:00-18:00). An outsourced SOC partner covers off-hours and weekends. Tier structure:
| Tier | Role |
|---|---|
| L1 Analyst (24/7 outsourced) | Incident triage, false-positive filtering, escalation per runbook |
| L2 Analyst (in-house, business hours) | Investigation, KQL hunting, running playbooks |
| L3 Threat Hunter | Proactive threat hunting, advanced TTP analysis |
| SOC Manager | Strategy, reporting, vendor management |
Results
| Metric | Before | After |
|---|---|---|
| MTTD (mean time to detect) | ~14 days | ~18 min |
| MTTR (mean time to respond) | ~3 days | ~4 hours |
| Incidents per month | — | ~85 (most auto-resolved) |
| False-positive rate | — | ~25% (falling with tuning) |
| Critical incidents (human-handled) | — | ~12/month |
| Auto-resolved (playbook) | — | ~38/month (~45%) |
| Defender Secure Score | 42 | 78 |
Cost
| Item | Monthly (USD) |
|---|---|
| Sentinel ingest (~140 GB/day × $4/GB, partly Analytics tier + Auxiliary) | ~$11,000 |
| Defender for Endpoint P2 (480 devices × $5.20) | ~$2,500 |
| Defender for Identity (380 users × $5) | ~$1,900 |
| Defender for Cloud Apps | ~$1,200 |
| Outsourced SOC (24/7 L1) | ~$8,000 |
| In-house team (5 people) | ~$28,000 (salary, allocated) |
| Total | ~$52,600 |
Roughly $631K per year. The ROI is achieved as soon as one successful ransomware incident is prevented (the sector-average ransomware cost in Turkey is $400K-$2M).
Three Pitfalls Hit in the Field
- Sending every log to the Analytics tier: high-volume, low-value logs such as NSG flow logs belong in the Auxiliary tier → the bill halves.
- Not tuning detection rules: in the first month the false-positive rate was ~50% and users slipped into alert fatigue. Monthly tuning and threshold adjustment are a must.
- Deploying a SIEM without a SOC: Sentinel was installed, alerts existed, but nobody looked at them → nothing was acted on. Without a SOC (in-house or outsourced), a SIEM is a "log archiver".
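Monthly tuning needs a per-rule false-positive rate, which the closed-incident classifications in `SecurityIncident` provide. This query is an added example, not from the original post; the 10-closure minimum and the 40%/20% tuning thresholds are assumptions.

```kusto
// Added example (not from the original post): per-rule false-positive rate
// from closed incidents, to prioritise the monthly tuning pass.
// SecurityIncident writes a row per update, so keep only the latest row each.
let lookback = 30d;
SecurityIncident
| where TimeGenerated > ago(lookback)
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| where Status == "Closed"
// an incident can be tied to several rules; rule ids are ARM resource paths
| mv-expand RuleId = RelatedAnalyticRuleIds to typeof(string)
| extend RuleId = extract(@"([^/]+)$", 1, RuleId)
| summarize
    RuleName = take_any(Title),
    Closed = count(),
    FalsePositive = countif(Classification == "FalsePositive"),
    BenignPositive = countif(Classification == "BenignPositive"),
    TruePositive = countif(Classification == "TruePositive"),
    Undetermined = countif(Classification == "Undetermined")
    by RuleId
| extend FalsePositiveRate = round(100.0 * FalsePositive / Closed, 1)
// assumed tuning trigger: at least 10 closures and more than 40% false positives
| extend Action = case(
      Closed >= 10 and FalsePositiveRate > 40, "Tune: raise threshold or add exclusions",
      Closed >= 10 and FalsePositiveRate > 20, "Watch",
      "OK")
| project RuleId, RuleName, Closed, TruePositive, BenignPositive, FalsePositive, Undetermined, FalsePositiveRate, Action
| order by FalsePositiveRate desc, Closed desc
```

A large Undetermined count is itself a tuning signal: L1 analysts closing incidents without a classification make the false-positive rate look better than it is.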
At CloudSpark we provide consulting on Microsoft Sentinel SIEM architecture, Defender XDR integration, custom KQL detection development, SOAR playbook design, MITRE ATT&CK mapping and 24/7 SOC partner selection.