VE3 is a technology and business consultancy focused on delivering end-to-end technology solutions and products. We have successfully serviced enterprises across multiple markets, including the public and private sectors. Our services span all aspects of business, providing a holistic approach to managing an organization. We are committed to providing technical innovations and tools that empower organizations with critical information to facilitate decision-making that results in business transformation through cost savings and increased operational efficiency. Our commitment to quality is adopted throughout the organization and sets the foundation for delivering our full suite of capabilities.

Requirements

• Operate the monitoring console stack — Microsoft Sentinel, Azure Monitor, Microsoft Defender for Cloud, Microsoft 365 Admin Center service health, Defender XDR alerts, Log Analytics workbooks, and the integrated ITSM ticketing platform — for the duration of every shift.
  
  
• Monitor availability and performance of Active Directory domain controllers, DNS / DHCP / time service, ADFS, AAD Connect sync health, Entra ID sign-in service health, Exchange Online, SharePoint Online, Teams, OneDrive, Power Platform environments, Microsoft Fabric capacity, Azure VMs, storage, networking, and PaaS services.
  
  
• Triage incoming alerts within 5 minutes of generation, applying the documented severity matrix; classify alerts as actionable, suppressible, or false-positive, and record the rationale in the ticketing platform.
  
  
• Correlate alerts across multiple sources (Sentinel, Defender, Azure Monitor, M365 service health) to identify the underlying incident rather than reacting to individual symptoms.
  
  
• Acknowledge alerts and update tickets at the agreed cadence (every 60 minutes during P1; every 4 hours during P2) until handover or closure.

• Execute Tier-1 incident response runbooks for known and documented patterns: Conditional Access misconfiguration rollback, AAD Connect sync failure restart, expired application secret rotation, Defender alert containment, mailbox / Teams reset operations, SharePoint sharing-link restoration, and Power Platform environment health checks.
  
  
• Initiate the major incident process for any P1 incident: page the duty L2/L3 specialist, open the Microsoft Teams incident bridge, notify the Service Delivery Manager and customer stakeholders per the agreed comms plan, and assume scribe duties on the bridge call.
  
  
• Maintain accurate incident timelines in the ticketing platform — every action, every status check, every communication — with timestamp and operator initials, suitable for post-incident review and audit.
  
  
• Execute documented automated containment playbooks (Sentinel Logic Apps) for high-confidence security events: disable risky users, force password reset, isolate device in Defender for Endpoint, block sender in Exchange Online.
  
  
• Hand over open incidents at shift change using the structured handover template (active incidents, watch-items, scheduled changes, planned maintenance, expected escalations).

• Fulfil pre-approved standard service requests during out-of-hours windows where authorised — for example licence assignment for emergency onboarding, Teams meeting policy adjustments for live events, or pre-approved Conditional Access exclusions — strictly within the documented standing change envelope.

• Participate in alert tuning to reduce false-positive rate and alert fatigue: review noisy rules weekly, propose threshold or filter changes through change control, and validate post-change.
  
  
• Maintain monitoring runbook accuracy: every time a runbook is executed, capture deviations and feed back to the engineering team for runbook updates.
  
  
• Contribute weekly to the Service Delivery Manager's service review with a shift-summary report (alerts handled, incidents raised, false-positive trends, runbook gaps).

• Provide clear, factual, non-speculative communication during incidents in line with the proposed SLA Communication Plan — initial notification within 15 minutes of P1 declaration, updates at 60-minute intervals, and a wrap-up notification within 1 hour of resolution.
  
  
• Maintain the operational status page / Teams channel for customer stakeholders during major incidents.
  
  
• Comply strictly with EEA-only data processing requirements: no customer data is to leave the EEA boundary at any point during incident handling, and no screenshots / logs are to be transmitted via non-approved channels.

• Hands-on experience operating Microsoft Sentinel and Azure Monitor in a production NOC / SOC: ingesting alerts, working incidents, executing playbooks, and authoring basic KQL queries.
  
  
• Working knowledge of the Microsoft 365 service health framework, Defender XDR alert lifecycle, and the Azure Service Health portal.
  
  
• Active Directory and Entra ID fundamentals — enough to triage authentication failures, replication issues, MFA / Conditional Access blocks, and PIM activations.
  
  
• Basic PowerShell and KQL — sufficient to run prepared queries, validate state, and capture evidence; not expected to author advanced detection content (that sits with the Security & Governance Specialist).
  
  
• ITIL v4 foundation — incident, problem, change and event management; understanding of priority matrix, SLA clocks, and major incident process.
  
  
• Strong written English for incident notes, comms, and handover; ability to write clearly and unambiguously under time pressure.

• KQL beyond basics — ability to extend prepared hunting queries with new filters under L2 supervision.
  
  
• Familiarity with ServiceNow / Jira Service Management / Freshservice (or equivalent ITSM).
  
  
• Experience with Power BI service health dashboards and Microsoft 365 Usage Analytics.
  
  
• Exposure to Azure DevOps work item tracking and Microsoft Teams incident bridge management.
  
  
• Awareness of GDPR Article 33 personal data breach notification timelines and EEA data residency obligations.

• Microsoft Certified: Security, Compliance, and Identity Fundamentals (SC-900) — mandatory.
  
  
• Microsoft Certified: Azure Fundamentals (AZ-900) — mandatory.
  
  
• Microsoft 365 Certified: Fundamentals (MS-900) — mandatory.
  
  
• Microsoft Certified: Security Operations Analyst Associate (SC-200) — preferred (mandatory within 12 months of starting).
  
  
• ITIL 4 Foundation — preferred.
  
  
• CompTIA Security+ or equivalent — desirable.