Security Automation / SOAR Deployment Project Manager Simulation — Microsoft

The scenario

Microsoft's Cloud Security Operations Center (SOC) in Redmond monitors security events across Azure's global infrastructure — millions of alerts per day across thousands of customer tenants. The Tier 1 SOC team (24 analysts working in 3 shifts) handles initial triage: reviewing alerts, classifying incidents, and escalating to Tier 2/3 for investigation. Currently, this process is almost entirely manual. Analysts review each alert in Microsoft Sentinel, cross-reference threat intelligence, classify the incident type, and decide whether to escalate or close. The SOC Modernization Initiative aims to automate the repetitive, well-understood parts of Tier 1 triage — freeing analysts to focus on complex, novel threats. Phase 1 (this project) deploys automated playbooks for the 10 most common incident types: phishing attempts, brute force authentication, suspicious login locations, data exfiltration indicators, malware detection, privilege escalation, API abuse, denial of service patterns, insider threat indicators, and unauthorized resource provisioning. Each playbook automates detection enrichment (gathering context from multiple sources), initial triage (classifying severity and type), and recommended response actions (with human approval required before any destructive action). The project was started 8 weeks ago by Kenji Nakamura, a PM who's well-respected across the security org. Kenji was promoted to a senior role in Azure Security leadership — a clean departure with proper handover documentation. He selected the vendor (Palo Alto XSOAR), drafted the initial playbooks with the SOC team, and got the Sentinel integration to approximately 60% completion. You're inheriting a project in decent shape, with a team that trusted the previous PM and is cautiously watching to see if you'll maintain that standard.

What you'll do as the project manager

• →Deploy automated playbooks for 10 incident types with a mean triage time reduction from 18 minutes to under 5 minutes per incident
• →Achieve 90%+ accuracy on automated triage classification (matching Tier 1 analyst classification decisions)
• →Complete the Sentinel-XSOAR integration with bi-directional data flow — alerts into XSOAR, actions back to Sentinel
• →Pilot all 10 playbooks with the Tier 1 SOC team for 2 weeks with zero false-positive automated actions
• →Deliver operational handover documentation and SOC analyst training for sustained BAU operations

Project management skills you'll build

The challenges you'll navigate

• •Knowledge gap — you're inheriting a project mid-flight without the institutional knowledge the previous PM built over 8 weeks with the team
• •Team trust — the SOC team and security engineer were loyal to Kenji. They'll be cautious with a new PM until you've earned credibility
• •Integration assumption — the 60% complete Sentinel-XSOAR integration hasn't been independently validated. Kenji's assessment of '60%' may be optimistic or based on different completion criteria
• •Small team fragility — with only 4 people (including you), any resource absence or conflict has outsized impact on the timeline
• •Security domain complexity — incident response automation has zero tolerance for false positives. An automated action on a false positive could disrupt a legitimate user or mask an actual attack

Technology & stakeholders

You'll manage 5 stakeholders, including Victor Reyes (Director, Security Operations — Cloud + AI), Grace Liu (Program Manager, Cloud Security PMO), Alex Petrov (Senior Security Engineer, SOC Platform Team), and more.

What you'll walk away with

A verified, shareable record of a completed enterprise project — plus the PMO deliverables you produced along the way (charter, project plan, SteerCo deck, closure document). It's real, demonstrable project management experience you can put on your resume and speak to in interviews.

Frequently asked questions

Related simulations