SOC That Protects Every Field
At a glance
CLIENT
SERVICE
- Managed Detection & Response, Digital Risk Management, Cloud & Data Security
INDUSTRY
- Energy & Resources / Industrial
The client runs an integrated “field-to-fork” model: more than 30 production sites in three countries, over 30,000 hectares of farmland, a dozen biogas plants and central offices supporting around 1,800 employees. Most operations depend on IT and OT systems: ERP, MES, SCADA, remote connectivity for farms and cloud collaboration tools. Before the project, security logs came from dozens of tools with no central view; incident triage relied on ad-hoc scripts and the best efforts of a small internal team.
LeanCoded designed and implemented a managed SOC based on Microsoft Sentinel, acting as a cyber security service provider for the group. In less than four months, we onboarded over 90% of critical systems, enabled 24/7 monitoring across on-prem and cloud, automated handling of recurring alerts and established a structured incident-response process. Within the first six months, the SOC was detecting and resolving roughly 400–500 security incidents per month, while infrastructure and security operations costs for log handling and tooling were reduced by about 25%. From day one, the service combined managed cyber security operations, cloud security assessments and data analyti
From Siloed Alerts to a Unified SOC
Fragmented monitoring across farms, plants and offices
The agro-industrial group had grown through expansion and acquisitions. Each farm, plant and regional office brought its own mix of security tools: different firewalls, endpoint protection agents, email gateways and cloud tenants. Logs were stored in separate systems with different retention policies; only a fraction reached the central IT team. There was no single place to answer basic questions like “Which sites are under active attack?” or “Which identities are being targeted across countries?” On average, it took several hours to correlate alerts across systems after a suspected incident.
The client decided to move to a centralised SOC model using Microsoft Sentinel as a cloud SIEM/SOAR platform. They needed a partner that could not only deploy the technology but also run it as a managed cybersecurity service provider with clear SLAs, while the internal team focused on policy and risk. LeanCoded was selected to design the operating model, implement Sentinel and provide ongoing managed security operations for detection and response.
Building a cloud-based SOC around Microsoft Sentinel
LeanCoded started with a structured cloud security assessment phase. Over eight weeks, we mapped the hybrid environment: Azure and other cloud services, on-prem data centres, OT networks at plants, regional offices and remote farms. Based on this map, we prioritised log sources for onboarding: identity (Azure AD and on-prem AD), critical workloads (ERP, MES, databases), perimeter controls (firewalls, VPNs, web gateways) and endpoint protection platforms.
We then deployed Microsoft Sentinel and built standardised onboarding patterns for each log source type, including normalisation, enrichment and cost controls. In parallel, we defined use cases for the first wave of monitoring: account compromise, suspicious admin activity, malware outbreaks, unusual VPN behaviour, data exfiltration and policy violations. Custom analytics rules and playbooks were created to turn raw alerts into actionable incidents, with clear runbooks for the SOC team.
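As an added illustration of what a use-case-driven detection looks like in Sentinel (example content written for this page, not LeanCoded's or the client's actual rule), the KQL below covers the "account compromise" use case: a single source IP that fails sign-ins repeatedly and then succeeds against an account inside the same window. It assumes the standard Azure AD sign-in connector schema (the SigninLogs table and its ResultType, IPAddress and UserPrincipalName columns); the one-hour window and the threshold of 10 failures are illustrative values to be tuned per tenant.

```kql
// Added example: password-spray / brute-force followed by a successful sign-in.
// Assumed values: lookback window and failure threshold are tuning knobs.
let lookback = 1h;
let failThreshold = 10;
// Credential failures only; 50126 = invalid username/password,
// 50053 = account locked. Other ResultType codes (MFA interrupts,
// conditional-access blocks) are deliberately excluded to keep the
// signal focused on guessing attempts.
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType in ("50126", "50053")
    | summarize FailedAttempts = count(),
                TargetedUsers = dcount(UserPrincipalName),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
        by IPAddress
    | where FailedAttempts >= failThreshold;
// Successful sign-ins in the same window (ResultType "0" = success).
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, IPAddress, UserPrincipalName,
              AppDisplayName, Location;
// A success from an IP that was failing, occurring after the first failure,
// is the incident-worthy event. TargetedUsers > 1 indicates spraying rather
// than a single mistyped password.
failures
| join kind=inner successes on IPAddress
| where SuccessTime > FirstFailure
| project SuccessTime, IPAddress, UserPrincipalName, AppDisplayName, Location,
          FailedAttempts, TargetedUsers, FirstFailure, LastFailure
| order by SuccessTime desc
```

In a scheduled analytics rule this query would run on a matching one-hour frequency and lookback, with UserPrincipalName mapped to the Account entity and IPAddress to the IP entity so that the resulting incident carries the identities a playbook needs (for example to disable the account or block the source at the perimeter). The caveat a practitioner should note: corporate NAT egress points and VPN concentrators will trip the per-IP threshold under normal load, so known egress ranges belong in a watchlist exclusion before the rule goes live.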
Designing a SOC for a Hybrid Agro-Industrial Landscape
Unlike a pure office environment, the client’s footprint included farms with limited connectivity, plants with legacy OT systems and cloud-hosted business applications. LeanCoded tailored the SOC architecture to this reality. For sites with unstable links, we deployed lightweight log forwarders with local buffering, so security data would be queued and sent when connectivity returned. For OT networks, we focused on firewall and jump-host logs, keeping monitoring non-intrusive while still tracking access and configuration changes.
The operating model was built around shared responsibility. LeanCoded handled 24/7 monitoring, triage and first-line containment, while the client's internal team owned risk decisions and long-term remediation. Joint weekly reviews were used to tune rules, close false positives and prioritise new use cases. Over time, we applied data analytics techniques to the incident data itself, analysing which alerts produced value and where automation could safely replace manual steps in the response flow.
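The weekly tuning reviews described above need a per-rule view of incident volume and outcome. The following KQL is an added example (not the client's or LeanCoded's reporting content) that builds that view from Sentinel's own SecurityIncident table, assuming the standard schema in which each incident update is a separate row and closed incidents carry a Classification of TruePositive, BenignPositive or FalsePositive. The 30-day window is an assumed reporting period.

```kql
// Added example: rank detections by incident count, outcome and time to close.
// SecurityIncident stores one row per update, so take the latest row per
// IncidentNumber before counting, otherwise reopened or re-assigned
// incidents are counted several times.
let window = 30d;
SecurityIncident
| where TimeGenerated > ago(window)
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| where Status == "Closed"
| extend MinutesToClose = datetime_diff("minute", ClosedTime, CreatedTime)
| summarize Incidents = count(),
            TruePositives = countif(Classification == "TruePositive"),
            BenignPositives = countif(Classification == "BenignPositive"),
            FalsePositives = countif(Classification == "FalsePositive"),
            MedianMinutesToClose = percentile(MinutesToClose, 50)
    by Title, Severity
// Share of closed incidents that analysts judged to be false positives;
// rules near the top of this list with a high rate are tuning candidates,
// rules with a high TruePositive share and low MedianMinutesToClose are
// automation candidates.
| extend FalsePositiveRate = round(100.0 * FalsePositives / Incidents, 1)
| order by Incidents desc
```

Grouping by Title works because scheduled analytics rules name their incidents after the rule; where the same rule is deployed under several names, grouping by the first element of RelatedAnalyticRuleIds gives a stable key instead. The query only counts incidents that analysts have actually closed and classified, so a rule whose incidents sit in "New" for weeks shows up as low volume here and needs to be caught by a separate backlog-age check.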
- Centralised, cloud-based SOC on Microsoft Sentinel
- End-to-end log collection and normalisation
- Use-case-driven detection content
- Automated incident handling for recurring issues
- SOC processes, SLAs and reporting
What Changed for the Security Team
Previously, the security team worked reactively and locally; now they have a global view of threats and a partner running a 24/7 operation. The SOC correlates events across all sites, reducing the chance that a small signal in one country turns into a major incident elsewhere before anyone notices. As confidence in automation grows, analysts spend more time on complex investigations and less on routine alert closing.
- 24/7 coverage from day one
Continuous monitoring across all core sites and cloud estates, delivered as a managed cyber security service, with clear on-call rotations and escalation to internal stakeholders.
- 400–500 incidents handled per month
Sentinel analytics and SOAR playbooks enable the SOC to detect and process roughly 400–500 security incidents monthly, with automated handling for a large share of low-severity events.
- Up to 25% cost reduction in security operations
By consolidating tooling, optimising log volumes and centralising operations, the client reduced combined spend on SIEM licences, log storage and fragmented monitoring tools by about a quarter.
- Faster response and fewer blind spots
Time to detect and triage priority incidents dropped from hours to minutes, and visibility now covers more than 95% of critical systems, compared to less than 70% before Sentinel.
How LeanCoded Delivers Managed SOC for Industrial Clients
LeanCoded combines cloud-native security engineering, DevOps services and experience as a managed cybersecurity service provider to build SOC capabilities that industrial clients can realistically sustain. For this agro-industrial group, we acted as both implementer and operator: from the initial cloud security assessment and roadmap definition to onboarding, rule development and day-to-day monitoring.
Our teams use repeatable patterns for log onboarding, rule creation and SOAR automation, but tune them to each client's risk profile and industry. We treat the SOC as an evolving product: incident metrics feed back into detection engineering, and playbooks are continuously refined and validated using controlled exercises, including automated test flows for security operations. For clients that already outsource parts of IT, we integrate with the existing outsourced development and infrastructure teams instead of replacing them, ensuring that the SOC becomes a hub for collaboration, not another silo.