Security Operations Managed Service
1. Introduction & Purpose
This page outlines the scope of services provided by the Galtec Security Operations Center (SOC) team. The SOC team serves as the centralised incident monitoring and response function for Galtec customers who have licensed supported security solutions through Galtec. This service description defines the services offered, service boundaries, Customer responsibilities and operational processes for incident detection, investigation, escalation and resolution. It also describes how the SOC team coordinates with other Galtec services and external stakeholders to ensure timely and effective security operations.
2. Galtec SOC Overview & Mission
Mission: At Galtec, the Security Operations Center (SOC) team is dedicated to safeguarding our Partners through proactive threat detection, rapid incident response and continuous monitoring. Our mission is to deliver reliable, expert-driven security operations that enhance cyber resilience and reduce risk exposure across diverse environments.
Role: The SOC team serves as the centralised security monitoring and incident response function for Galtec Partners. Acting as the primary operational interface, the SOC team provides 24x7 coverage for supported security products and services. Our analysts are responsible for triaging alerts, investigating potential threats, escalating confirmed incidents and supporting remediation efforts. The SOC team ensures consistent application of security protocols and collaborates with other Galtec services and external stakeholders to maintain a secure operational posture.
3. Scope of Services (Included)
The Galtec Security Operations Center (SOC) provides 24x7 monitoring, detection, investigation and escalation for supported security products and environments. The following services are included under this service:
3.1 Common SOC Actions
These actions are performed across all supported environments and products:
Security Event Monitoring & Alert Triage:
Continuous monitoring of telemetry from supported tools to identify suspicious activity. SOC analysts triage alerts to assess severity and relevance.
Incident Investigation & Classification:
Analysts investigate validated alerts to determine whether they constitute a security incident, including threat scoping, impact assessment and documentation.
Incident Escalation & Recommendations:
Confirmed incidents are escalated to the Galtec Service Desk team with detailed context and remediation recommendations, following predefined escalation paths and Service Level Objectives (SLOs). Depending on the escalation type, this then triggers further information gathering by the SOC or direct engagement with end users.
Automated Alert Handling:
The SOC may automate, in whole or in part, the handling of specific in-scope alerts and investigation steps to improve service efficiency and effectiveness.
Threat Containment (Where Supported):
The SOC may isolate or contain compromised hosts to prevent lateral movement and further damage. Which remediation actions the SOC may take without prior approval, and which require it, is defined during service onboarding.
Alert Tuning:
When benign activity triggers recurring false-positive alerts, the SOC team may recommend or implement tuning to reduce unnecessary notifications.
Other Tuning:
The SOC may recommend complex exclusions or policy overrides. These are typically escalated to the Customer for approval but may be implemented by the SOC when appropriate.
File Sample Analysis:
Suspicious files may be submitted for deeper analysis using internal and third-party tools to improve detection and response. See section 6 for details.
Testing Support:
Clients may conduct simulated attack scenarios to validate SOC monitoring and response capabilities; advance notice is required (see section 8).
Scheduled & Emergency Maintenance Coordination:
The SOC notifies Clients of scheduled maintenance and responds to emergency maintenance needs that may affect service delivery (see section 5).
Partner Communication & Documentation:
The SOC maintains clear documentation of all incidents, actions taken and communications. Clients receive timely updates and access to incident records via Galtec's Service Desk tool.
3.2 Security Information Event Management (SIEM) Integration Details
The SIEM service is built on the Elastic platform. Details on compatible integrations can be found at the following links, with more being added each month:
The response actions available to the SOC when a threat is established from logged events in the SIEM depend on the configured policies, licensed features and deployed tools in each Customer environment.
Platform: Endpoint Agents
Kill Process: Terminates a malicious process on the endpoint to halt active threats.
Quarantine Files: Moves malicious files to a secure, encrypted location, preventing execution or access.
Run Scan: Initiates a malware scan on the host to detect threats.
Network Isolate: Disconnects the endpoint from the network while maintaining management console connectivity for remote investigation and remediation.
Add to Blocklist: Adds a malicious file hash to the blocklist, preventing execution across the environment.
Manage Exclusions: Configures or updates exclusion lists for files, folders, processes or network paths.
Get/Upload File: Downloads suspicious or quarantined files for analysis or uploads files to support investigation and response.
Execute/Run Script: Executes commands or scripts for advanced investigation and remediation.
Platform: Office 365
Lock/Disable User: Disables Microsoft 365 user accounts involved in a triggered case to prevent further access.
Revoke Active Sessions: Terminates all active sessions and enforces re-authentication for affected Microsoft 365 users.
Reset User Password: Resets passwords for Microsoft 365 users associated with escalated threats, in coordination with the partner.
Platform: SentinelOne EDR Endpoint
Automated actions are governed by configured protection policies. The SOC provides monitoring, alerting and remediation exclusively for endpoint alerts generated by the SentinelOne EDR solution.
Kill Process: Terminates malicious processes on endpoints.
Quarantine Files: Secures malicious files in an encrypted location.
Run Scan / Fetch Logs: Initiates a full disk scan or retrieves agent logs for investigation.
Network Isolate: Disconnects the endpoint from the network, maintaining management console access.
Add to Blacklist: Blocks malicious file hashes across the environment.
Manage Exclusions: Updates exclusion lists for files, folders, processes, or network paths.
Fetch File: Downloads suspicious or quarantined files for sandbox or analyst review.
Remediate Threat: Removes threats and associated artifacts (e.g. registry keys, scheduled tasks).
Rollback Threat: Reverts system changes made by malware using Windows Volume Shadow Copy Service (if enabled).
Platform: Bitdefender GravityZone
The SOC provides monitoring, alerting and remediation. Automated actions depend on configured endpoint policy.
Isolate Device: Disconnects the endpoint from all networks except GravityZone for safe investigation.
Stop Process: Terminates specified malicious or suspicious processes.
Quarantine Files: Moves malicious files to a secure quarantine location.
Run Task (Scan): Remotely initiates a full scan to detect dormant or related malware.
Delete File: Permanently deletes confirmed malicious files.
Remediate: Automatically reverses changes made during an incident, including file and registry cleanup.
Manage Exclusions: Configures or updates exclusion lists for files, folders, processes, or network paths.
Platform: Microsoft Defender XDR Dashboard
The SOC provides monitoring, alerting and remediation via the Microsoft Defender XDR portal and Microsoft Graph security API across the supported Defender workloads below. Alerts or telemetry outside these sources (e.g. third-party tools, non-Defender controls) are out of scope for Microsoft Defender products.
Microsoft Defender for Business / Defender for Endpoint P2 (including servers):
Isolate Device: Disconnects the device from the network while retaining connectivity to the Defender for Endpoint service.
Run Antivirus Scan: Initiates an on-demand Defender Antivirus scan.
Stop and Quarantine File: Terminates processes and isolates files.
Collect Investigation Package: Gathers forensic data for offline analysis.
Microsoft Defender for Identity:
Confirm User Compromised: Flags users as compromised (requires Entra Identity Protection policies).
Disable User: Disables user accounts (requires delegated permissions in Active Directory).
Force Password Reset: Resets passwords for on-premises or cloud users (requires Password Writeback for synced users).
Microsoft Defender for Office P2:
Soft/Hard Delete Email Messages: Removes malicious emails, often automated via Zero-hour Auto Purge (ZAP).
Block URL / Block File (by Hash): Adds indicators to the Tenant Allow/Block List (effectiveness depends on policy coverage).
Trigger Automated Investigation: Launches automated investigation and response (requires AIR enabled).
Microsoft Defender for Cloud Apps:
Suspend User: Suspends users managed by a connected Identity Provider.
Revoke App Consent: Revokes consent for discovered OAuth applications.
Microsoft Entra Alerts (Defender XDR Portal):
Dismiss User Risk: Closes false positive alerts.
Revoke User Sessions: Invalidates active sign-in tokens.
Confirm User Compromised: Flags users as compromised (requires Identity Protection risk policies).
Force Password Reset: Resets passwords for synced users (requires Password Writeback).
Block User / Block Sign-in: Blocks users or sign-ins (requires Conditional Access Policy for automated blocking).
Note: The availability and execution of these actions depend on product licensing, configuration, and the policies set by the End Client. Not all actions are available in every environment.
3.3 EDR Detect Only Policy
Any alerts triggered by devices in Detect Only mode are routed automatically to the Service Desk team for review. The SOC will not conduct initial analysis of these alerts but may analyse them on request from the Service Desk. Galtec strongly recommend applying a protection policy to all hosts, since in Detect Only mode the agent reports threats but does not block or remediate them.
4. Scope Exclusions (Not Included)
The following services are outside the scope of Galtec SOC Services:
Development of customer Incident response plans or policies. This work is available as separately charged consultancy.
The SOC Service does not modify network configurations, including firewalls, nor does it provide support for troubleshooting network performance or function. A Galtec IT Managed Service would be required for Galtec intervention in these areas. Where a Galtec Managed Service is taken alongside SOC services, the Galtec Service Desk would manage network performance troubleshooting.
Remote access to endpoints (unless a Galtec IT Managed Service is in place covering those devices).
Fixing database corruption issues.
The SOC Service will not perform any virtualisation of backups on a backup solution.
End Client Training.
Under no circumstance will the Galtec SOC Service engage in financial transactions on the Customer's behalf.
Hardware-related issues (e.g. hard disk, memory, power supply). All hardware and/or equipment issues will be escalated to the Customer for remediation (unless covered by a Galtec IT Managed Service).
Issues detected with any systems outside of service scope.
Internet service providers (ISP) outages.
Large scale environment rebuild following a successful breach. This work is available as separately charged consultancy.
Anything not specifically identified as in scope.
5. Scheduled and Emergency Maintenance
Scheduled maintenance means any maintenance that is performed during a scheduled maintenance window, or of which the Customer is notified at least one day in advance. Notice of scheduled maintenance will be provided to the Customer Manager defined in your Statement of Services.
Emergency maintenance means any non-scheduled, non-standard maintenance required by the SOC. No statement in the "Service Level Objectives" section of any Services shall prevent the SOC from conducting emergency maintenance if it is critically necessary for the integrity and security of the Services. During such emergency maintenance, the Customer Manager nominated in the Statement of Services will be notified when the emergency maintenance starts and when it completes.
The SOC is relieved of its obligations under the applicable SLOs during scheduled and emergency maintenance.
6. File Sample Submissions
The SOC Service may detect suspicious or malicious executable files on endpoints. Sometimes additional investigation is necessary to understand an attack. In these cases, Galtec may retrieve samples of suspicious or malicious files from an endpoint to perform further analysis.
Allowing sample submissions enables our analysts to provide more in-depth analysis and context in their investigations of potential incidents, and improves the detection and prevention of future incidents involving the same file(s). As part of this process our analysts may request samples of files, scripts or other artefacts detected in Customer environments. In addition to in-house analysis, Galtec may use outside services. Unless the Customer opts out of File Analysis Submissions, the SOC will request samples from an endpoint and upload potentially malicious files for analysis as needed.
Where the Customer permits the SOC to upload unknown binaries, SOC analysts will upload them, manually or automatically, to outside analysis services:
• The sample binary, or its hash, will be submitted to the appropriate analysis service.
• The Terms of Service and Privacy Policy of each service will apply.
• The SOC shall not be responsible for the submission or for any act or omission by any online service.
You are hereby advised that many analysis services make file metadata publicly available, along with scan results from numerous anti-virus products, and may make the samples themselves available for download to their partners. Submitting only a hash reveals nothing about a file's contents; uploading the sample exposes the contents, which may include Customer data embedded in the file (for example, a weaponised document built from a legitimate business file). Customers handling sensitive data should weigh this when deciding whether to opt out.
7. Host Isolation Terms
The Galtec SOC has the ability to isolate machines on a Customer network that have a supported agent installed (e.g. SentinelOne, Bitdefender, Microsoft Defender). The SOC uses host isolation to prevent the spread of malicious code by stopping a compromised machine from communicating with other devices on the Customer network or the Internet.
An isolated machine retains connectivity to the SOC's management console, so our analysts can continue the investigation without exposing other network devices to malicious code or active attacks. With some services (Microsoft Defender for Endpoint) the SOC can also contain devices that do not have an agent installed. Containment is used to stop a potentially compromised unmanaged machine from talking to managed machines: a contained machine is unable to communicate with any device that has an agent installed.
Unless the Customer opts out, Galtec will isolate and/or contain potentially compromised machines. Galtec will manually isolate or contain the machine using the installed endpoint agent and notify the Customer of the action via an escalated incident. The machine remains isolated until the threat has been remediated or the Customer explicitly accepts the risk and asks the SOC to lift the isolation.
• The client commits to identifying production-impacting servers and assets that are NOT to be isolated without written authorisation. The client recognises that they assume all risk for non-isolated machines, including the spread of any attack as a result.
• The SOC commits to isolating/containing machines that are NOT on the do-not-isolate list only to prevent the spread of malicious code and lateral movement by suspected attackers.
• The SOC will escalate all incidents that require isolation/containment to the Customer for visibility and active feedback on the incident.
Clients are hereby advised that the SOC has the functionality to isolate/contain machines on the Customer network that run the installed offerings, that the SOC may use this function to protect the network, and that isolated machines lose all connectivity to other devices on the network while contained machines lose connectivity to all SOC-managed devices on the network.
8. Testing SOC Capabilities
You may test SOC monitoring and response capabilities by staging simulated or actual reconnaissance activity, system or network attacks and/or system compromises. Such activities may be initiated directly by you or by a contracted third party. You shall notify the Service Desk at least 14 days in advance of testing; the analysts on shift will not be told that a test is under way, so that the exercise measures normal response. Testing of newly added (within 60 days) assets or data feeds should be communicated to the SOC via advance electronic or written notice, so that SOC personnel can confirm the new sources have been properly onboarded and that all monitoring and response capabilities are working properly. SLOs will not apply during the period of staged or testing activities.
9. Overage Charges
The Statement of Services defines the per-user costs and how billing is managed via licensed Office 365 users in the Customer tenant.
Each licensed O365 user provides a log data allocation of 100MB per day. The total daily limit for SIEM log data is the number of licensed users multiplied by the per-user daily allowance; for example, 150 users x 100MB/day = 15,000MB/day.
The following scenarios demonstrate how overage charges apply. In each case the monthly quota is licensed users x 100MB/day x days in the month, and "implied users" is the monthly usage divided by (100MB x days in the month), rounded up to the next whole user.
Scenario 1 - Per User (no overage):
Each O365 user is assigned a 100MB/day data allowance based on their licence.
The company has 100 Microsoft 365 (O365) users.
Monthly quota: 100 users x 100MB/day x 30 days = 300,000MB.
The company uses 120,000MB of log data in the month, which is within the quota.
Billed for 100 users with no overage.
Scenario 2 - Per User Overage:
Each O365 user is assigned a 100MB/day data allowance based on their licence.
The company has 100 Microsoft 365 (O365) users.
Monthly quota: 100 users x 100MB/day x 30 days = 300,000MB.
The company uses 400,000MB of log data in the month, exceeding the quota, so implied users are calculated.
Implied users: 400,000MB ÷ (100MB x 30 days) = 133.33, rounded up to 134 users.
Billed for 100 licensed users plus 34 overage users, because log ingestion is higher than the user count allows. The breakdown is available on request.
Scenario 3 - No Users:
The company has no O365 users detected, but sends log data from endpoint agents or other integrations.
The company's log data total is 60,000MB in a 30-day period, so implied users are calculated from the daily per-user allowance of 100MB.
Implied users: 60,000MB ÷ (100MB x 30 days) = 20 users.
Billed for 20 implied users based on data usage alone.
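The overage rule above, implemented as an added worked example (this code is not part of the Galtec service description). It takes the 100MB/day per-user allowance and the round-up of implied users from the page; the function names, the optional days-in-month argument and the daily headroom check are this example's own additions, so it also covers months other than 30 days and shows how much extra daily ingestion a tenant can absorb before overage starts.

```python
import math

# Per-user daily allowance stated in the service description (100MB/day).
DAILY_ALLOWANCE_MB = 100


def monthly_quota_mb(licensed_users: int, days_in_month: int = 30) -> int:
    """Total log data quota for the month: users x 100MB/day x days."""
    return licensed_users * DAILY_ALLOWANCE_MB * days_in_month


def implied_users(usage_mb: float, days_in_month: int = 30) -> int:
    """Number of users the ingested volume would require, rounded up.

    A partial user still counts as a whole user (133.33 -> 134), as in
    scenario 2 of the service description.
    """
    if usage_mb <= 0:
        return 0
    return math.ceil(usage_mb / (DAILY_ALLOWANCE_MB * days_in_month))


def bill(licensed_users: int, usage_mb: float, days_in_month: int = 30) -> dict:
    """Billing breakdown for one month.

    The Customer is billed for whichever is larger: the licensed user count
    or the implied user count. Overage is the difference, so a tenant with
    no O365 users (scenario 3) is billed purely on implied users.
    """
    quota = monthly_quota_mb(licensed_users, days_in_month)
    implied = implied_users(usage_mb, days_in_month)
    billed = max(licensed_users, implied)
    return {
        "quota_mb": quota,
        "usage_mb": usage_mb,
        "implied_users": implied,
        "billed_users": billed,
        "overage_users": billed - licensed_users,
    }


def daily_headroom_mb(licensed_users: int, current_daily_mb: float) -> float:
    """Daily ingestion that can still be added before the allowance is exceeded.

    Hypothetical helper (not a figure from the page): useful when deciding
    whether onboarding another log source will push the tenant into overage.
    A negative result means the tenant is already over its daily allowance.
    """
    return licensed_users * DAILY_ALLOWANCE_MB - current_daily_mb


if __name__ == "__main__":
    # The three scenarios from the service description.
    for label, users, usage in (
        ("Scenario 1", 100, 120_000),
        ("Scenario 2", 100, 400_000),
        ("Scenario 3", 0, 60_000),
    ):
        print(label, bill(users, usage))
    # Constructed figure: a 100-user tenant currently ingesting 8,500MB/day.
    print("Daily headroom (MB):", daily_headroom_mb(100, 8_500))
```

The `days_in_month` parameter matters at the margin: a 31-day month raises the monthly quota for 100 users to 310,000MB, and the same 400,000MB of usage then implies 130 users rather than 134.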
10. Best Practice
During onboarding, Galtec will assess the O365 licensed user count and ensure it reflects live, active users with no erroneous licence allocations (e.g. a leaver's account that still has Microsoft Fabric assigned), to control SIEM/SOC monthly costs.
Galtec recommend that the Customer monitors their O365 licensed user list to control SOC monthly billing charges.
Galtec carefully monitor log ingress rates as each new system is added and pause before adding further systems that may affect log capacity pricing. Platforms will be integrated in the following order of priority by default; please alert Galtec if you require a different order:
Entra ID
SentinelOne
Azure
Windows and macOS devices
Spam filter
On-premise syslog sources
All other items