The Vendor is required to engage a qualified Managed Security Service Provider (MSSP) to deliver after-hours security monitoring and incident response services for our Microsoft 365 environment.
- This includes leveraging Microsoft Sentinel and Microsoft Defender solutions to detect, triage, and respond to security alerts during non-business hours.
- The provider should maintain a documented process for alert triage, including incident prioritization and contextualization, false positive identification, and impact thresholds that dictate escalation.
- The Proponent is also expected to support forensic analysis, as appropriate based on incident severity, and provide recommendations to improve detection accuracy and reduce alert fatigue, if applicable.
- Environment Overview
• Microsoft 365 E5, with Defender for Office 365, Endpoint, Identity, Cloud Apps, and Cloud
• Microsoft Sentinel connected to Microsoft 365 and other sources
• Approximate environment size: 800 users, 800 endpoints
• Typical Security Operations Center alert volume: up to 20 alerts or incidents per week, the majority of which are low severity
- Monitoring and Alerting
• Monitor alerts generated by Microsoft Sentinel and Microsoft Defender
• Triage and prioritize alerts based on severity and context
• Correlate alerts across platforms to identify complex or multi-stage threats
• Provide recommendations to maintain and tune analytics rules and alert thresholds as needed to ensure high-fidelity alerting
• Identify opportunities to integrate new data connectors and logs as our environment evolves
• Maintain situational awareness and visibility into Defender for Endpoint, Office 365, Identity, and Cloud Apps
- Incident Response and Remediation
• Act on alerts per predefined severity levels and response playbooks
• Perform pre-approved response actions and containment measures (e.g., account disablement, device isolation, email purge)
• Document incident actions and outcomes
• Maintain secure audit logs of the incident actions performed and their resulting outcomes
• Support incident classification using MITRE ATT&CK framework where applicable
- Threat Intelligence and Recommendations
• Enrich alerts with threat intelligence and contextual research
• Recommend security posture improvements based on emerging trends and observed activity
- Reporting and Communication
• Provide daily, weekly, and monthly reports on alerts, triage actions, and outcomes
• Follow established communication protocols for timely incident escalation
• Deliver executive summary reports on a monthly basis with key KPIs and incident narratives
• Provide ad hoc reports upon request, including root cause analysis and impact assessments
- Collaboration and Escalation
• Collaborate with internal IT/security teams
• Escalate incidents per SLA
• Participate in reviews and post-incident analysis
• Participate in scheduled threat review and incident review meetings (monthly or as needed)
• Maintain a shared communication channel (e.g., Microsoft Teams or secure ticketing platform)
• Provide documented handover notes at the end of each 24x7 Security Operations Center period, summarizing active or unresolved incidents, response actions taken, and items requiring follow-up
- Service Level Agreements (SLAs)
• High severity triage: within 15 minutes
• Response initiation: within 30 minutes (high severity)
• Escalation notification: within 1 hour
• Monthly availability: ≥ 99.9%
- Contract Period/Term: 2 years
- Intent to Bid Submission Date: September 05, 2025
- Questions/Inquiries Deadline: September 04, 2025