XDR

Phase 2 — Plan

TASK / ACTIVITYPHASEOWNERSTATUSTARGET DATE
Review all official Microsoft planning documentationPlanArchitectNot Started
Watch official onboarding and management videosPlanArchitectNot Started
Define migration scope, goals, and component inventoryPlanArchitectNot Started
Document all decisions and obtain approvalsPlanArchitectNot Started
Complete data privacy policy comparison and DPO sign-offPlanArchitect / DPONot Started
Complete risk register and mitigation planningPlanArchitectNot Started
Plan Data Connector deduplication approachPlanArchitect / EngineerNot Started
Plan Analytics Rules changes (alert-only, schema, Fusion)PlanArchitect / EngineerNot Started
Plan Automation Rules breaking change remediationPlanArchitect / EngineerNot Started
Plan Playbook updatesPlanArchitect / EngineerNot Started
Plan Workbook updatesPlanArchitect / EngineerNot Started
Plan API integration migration approachPlanArchitect / Dev LeadNot Started

Phase 3 — Pre-Requisites

TASK / ACTIVITYPHASEOWNERSTATUSTARGET DATE
Validate identity and permissions prerequisitesPre-ReqArchitectNot Started
Confirm licensing and document licence statePre-ReqArchitectNot Started
Obtain DPO/compliance sign-off on data governance changesPre-ReqArchitect / DPONot Started
Obtain CISO written acceptance for CMK scope change (if applicable)Pre-ReqCISONot Started
Export and version-control full configuration baselinePre-ReqEngineerNot Started
Designate primary workspace (multi-workspace environments)Pre-ReqArchitectNot Started
Configure Workspace Manager replacement (CI/CD or Multitenant Portal)Pre-ReqEngineerNot Started
Confirm all connectors, rules, playbooks in known-good statePre-ReqEngineerNot Started
Run and document pre-migration Advanced Hunting baseline queriesPre-ReqEngineer / AnalystNot Started

Phase 4 — Design

TASK / ACTIVITYPHASEOWNERSTATUSTARGET DATE
Design target Unified RBAC modelDesignArchitect / IAM LeadNot Started
Design IdentityInfo RBAC compensating controlDesignArchitect / IAM LeadNot Started
Design Defender XDR connector configurationDesignEngineerNot Started
Design Defender for Cloud deduplication configurationDesignEngineerNot Started
Design KQL schema updates for all affected queries/rulesDesignEngineerNot Started
Design alert-only rule decisions (per rule)DesignEngineerNot Started
Design Automation Rules — incident provider condition replacementDesignEngineerNot Started
Design Automation Rules — description field replacementDesignEngineerNot Started
Design Automation Rules — title condition replacementDesignEngineerNot Started
Design Playbook updates — description field compositionDesignEngineerNot Started
Design Playbook updates — remove add/remove alert stepsDesignEngineerNot Started
Design Workbook updates — IdentityInfo field name correctionsDesignEngineer / AnalystNot Started
Design API migration to Graph REST APIDesignEngineer / Dev LeadNot Started

Phase 5 — Implementation

TASK / ACTIVITYPHASEOWNERSTATUSTARGET DATE
Implement Defender for Cloud connector deduplicationImplementationEngineerNot Started
Enable and configure Microsoft Defender XDR connectorImplementationEngineerNot Started
Implement analytics rule updates (schema, alert-only, per design)ImplementationEngineerNot Started
Implement automation rule updates — incident provider conditionImplementationEngineerNot Started
Implement automation rule updates — description field removalImplementationEngineerNot Started
Implement automation rule updates — title/Updated by conditionsImplementationEngineerNot Started
Implement playbook updates — description compositionImplementationEngineerNot Started
Implement playbook updates — remove add/remove alert stepsImplementationEngineerNot Started
Execute workspace onboarding (maintenance window)ImplementationArchitectNot Started
Implement Unified RBACImplementationArchitect / IAM LeadNot Started
Implement Workspace Manager replacement (CI/CD / Multitenant)ImplementationEngineerNot Started
Update API integrations (Graph API, providerIncidentUrl, alertProductNames)ImplementationDev Lead / EngineerNot Started

Phase 6 — Testing

TASK / ACTIVITYPHASEOWNERSTATUSTARGET DATE
Data Connector Tests DC-01 to DC-05TestingEngineerNot Started
Analytics Rules Tests AR-01 to AR-06TestingEngineerNot Started
Automation Rules Tests AUT-01 to AUT-06TestingEngineerNot Started
Playbook Tests PB-01 to PB-06TestingEngineerNot Started
Workbook Tests WB-01 to WB-04TestingEngineer / AnalystNot Started
Advanced Hunting & UEBA Tests AH-01 to AH-06TestingAnalystNot Started
Incident Queue & Correlation Tests IQ-01 to IQ-06TestingAnalystNot Started
Threat Intelligence Tests TI-01 to TI-04TestingAnalystNot Started

Phase 7 — Validation

TASK / ACTIVITYPHASEOWNERSTATUSTARGET DATE
SOC Analyst Tier 1 operational walkthrough completeValidationSOC LeadNot Started
SOC Analyst Tier 2 investigation walkthrough completeValidationSOC LeadNot Started
SOC Analyst Tier 3 response walkthrough completeValidationSOC LeadNot Started
Threat intelligence workflow validatedValidationSOC Lead / AnalystNot Started
Advanced Hunting workflow validatedValidationAnalystNot Started
ServiceNow / ITSM end-to-end validation completeValidationEngineer / ITSM AdminNot Started
API integration validation completeValidationDev LeadNot Started
Data completeness validation completeValidationEngineerNot Started
Parallel operation sign-off (if applicable)ValidationSOC LeadNot Started
Known limitations accepted and documented in runbooksValidationSOC LeadNot Started

Phase 8 — Success Criteria & Completion Gate

TASK / ACTIVITYPHASEOWNERSTATUSTARGET DATE
All Data Connector success criteria marked PassSuccess CriteriaEngineerNot Started
All Analytics Rules success criteria marked PassSuccess CriteriaEngineerNot Started
All Automation Rules success criteria marked PassSuccess CriteriaEngineerNot Started
All Playbook success criteria marked PassSuccess CriteriaEngineerNot Started
All Workbook success criteria marked PassSuccess CriteriaEngineer / AnalystNot Started
All Advanced Hunting / UEBA success criteria marked PassSuccess CriteriaAnalystNot Started
All SOC Operations success criteria marked PassSuccess CriteriaSOC LeadNot Started
Overall completion gate signed off by Security ArchitectCompletion GateArchitectNot Started
Completion gate signed off by CISO / Security DirectorCompletion GateCISONot Started
Post-migration 30-day review meeting scheduledCompletion GateProject LeadNot Started

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *