Hi, my name is

Sarvesh Deshpande.

I secure the cloud — and the SOC that watches it.

I'm a cyber security platform engineer in Mumbai. I run the platforms security teams depend on — Microsoft Sentinel, WIZ and the Defender XDR estate — after six years across SOC monitoring, threat hunting and detection engineering. This site is my portfolio, ops log and notebook.

cyber security platform engineer · 2026

about me

I started on the SOC floor — real-time ArcSight monitoring, incident tickets, shift work — and grew into running the platforms analysts depend on every day. Along the way I've worn the hats of L1 analyst, L2 investigator, shift lead, threat hunter and now platform engineer.

What I keep noticing: security tooling is only as good as its plumbing — and its bill. Unhealthy connectors, noisy rules, silent log sources and runaway ingestion costs break more SOCs than clever attackers do. So that's where I work — cloud posture with WIZ, log onboarding, tiering and cost optimization in Microsoft Sentinel, and the XDR estate around them — and I write about what I learn here.

currently: securing cloud at enterprise scale · writing about SIEM and detection here

siem & detection

Microsoft Sentinel · Sentinel Data Lake · ArcSight · Detection Rules

cloud & posture

WIZ · Azure · Azure Arc · Azure Lighthouse · OCI

endpoint & xdr

Microsoft Defender for Endpoint · CrowdStrike EDR · O365 ATP · Netskope

pipelines & automation

Custom DCRs · Cribl · Python · ServiceNow

highlights

Two pieces of work I'd show first.

Microsoft Sentinel · Data Lake · cost optimization

Sentinel Data Lake & log tiering

Led the Sentinel Data Lake onboarding and tiered logs by value — premium analytics where detections need it, the lake for everything else — bringing ingestion costs down without losing coverage. Ran awareness sessions so cyber defense teams could make the most of it.

WIZ · runtime security

WIZ runtime sensor rollout

Deployed the WIZ runtime sensor across the estate — taking cloud security beyond agentless snapshots to live runtime visibility — alongside enabling WIZ CLI, WIZ Code and SCIM provisioning for the platform.

experience in cyber

Six years, three roles, one thread: keep the defenders' tools sharp.

Jan 2024 — present

Cyber Security Platform Engineer

Willis Towers Watson · Mumbai

I run the security platforms a global enterprise depends on — Microsoft Sentinel at the core, WIZ for cloud posture, and the XDR estate around them. The thread through all of it: complete log coverage, at a cost the business can live with.

microsoft sentinel

  • Leading the Sentinel Data Lake onboarding with log tiering to optimize and reduce ingestion costs — including Data Lake awareness sessions for cyber defense teams.
  • Deploy new Sentinel instances and plan and execute log-source onboarding across multiple cloud tenants and cloud service providers.
  • Onboarded custom microservices, Check Point firewalls, Cortex Data Lake, Auth0, SQL DB, Trellix ePO DB, agentic-AI conversation logs and emergency-communication audit logs via custom DCRs — writing parsers for the onboarded sources.
  • Devised a cross-tenant log-forwarding solution for Windows and Linux machines using Azure Lighthouse, and deployed Azure Arc to onboard multiple on-prem tenants.
  • Set up Syslog collectors in OCI and used AI-assisted Python scripting to backfill historical data from OCI storage into Sentinel.
  • Integrated third-party threat-intelligence platforms — including AttackIQ and Google TI feeds — to enrich Sentinel alerts.
  • Tune and deploy detection rules for SOC monitoring; maintain workbooks for ingestion delays and cost spikes, proposing cost-reduction measures to management.
  • Currently driving Sentinel rule migration and a Cribl deployment, integrating apps for observability.

wiz

  • Deployed the WIZ runtime sensor across the estate, and integrated multiple cloud providers into WIZ.
  • Enabled WIZ CLI, WIZ Code and SCIM provisioning; developed custom rules, platform enhancements and workflow integrations.
  • Integrated WIZ with Sentinel for central management of issues and findings, with automated routing into ServiceNow, Teams and Outlook.
  • Currently working on enabling AI Defense on WIZ.

xdr & identity

  • Onboarded machines to Microsoft Defender for Endpoint.
  • Implemented SSO for Google Threat Intelligence and integrated its threat feeds into Sentinel.
  • Delivered the SSO implementation and upgrade for Anomali ThreatStream during its initial rollout at WTW.

technologies: Microsoft Sentinel · Sentinel Data Lake · WIZ · Azure Arc & Lighthouse · OCI · Cribl · Defender for Endpoint · Python

May 2021 — Dec 2023

SIEM Analyst L2 · Shift Lead

Wipro Technologies

Second line of the SOC: deeper investigations, detection engineering, and keeping the monitoring estate honest — while leading my shift and handling escalations.

  • Created new ArcSight correlation rules and fine-tuned existing ones to reduce false positives.
  • Integrated Windows, Linux, network, IPS and firewall log sources with ArcSight connectors, and performed connector upgrades.
  • Ran L2 analysis and advanced hunting across ArcSight, Microsoft Defender for Endpoint, O365 ATP, CrowdStrike and Netskope.
  • Automated reports on the ArcSight console; presented weekly and monthly reports to clients.
  • Prepared knowledge-transfer and transition documents for client onboarding.

technologies: ArcSight · MDE · CrowdStrike · O365 ATP · Netskope

Jan 2020 — Apr 2021

SIEM Analyst L1

Wipro Technologies

Where I learned the craft: real-time monitoring and first-response investigation.

  • Monitored ArcSight alerts in real time; raised and tracked incidents in ServiceNow and Service Desk Plus.
  • Investigated phishing mails, hunted IOCs, and analysed logs across Windows, Linux, firewall and IPS sources.
  • Built daily, weekly and monthly reports covering incidents, health checks and device reporting.

technologies: ArcSight · ServiceNow · Service Desk Plus · CrowdStrike · MDE

education

2019

Bachelor of Engineering — Electronics & Telecommunication

Mumbai, India

ops log

Real challenges, written up like a diff: what was broken, what I fixed.

log/2026 wtw · cyber security platform engineer

The SIEM bill that kept climbing

Every new log source made detection better and the invoice worse. Sentinel ingestion costs needed a structural answer, not another one-off cleanup.

-ingestion costs climbed with every onboarding wave; not every source needed premium analytics
-cost spikes and ingestion delays surfaced only after the damage was done
+onboarded Sentinel Data Lake and tiered logs by value — analytics tier for detections, lake for the rest
+built workbooks tracking ingestion delays and cost anomalies, and ran Data Lake awareness sessions for defense teams

stack: Microsoft Sentinel · Sentinel Data Lake · Workbooks

log/2024 wtw · cyber security platform engineer

Giving cloud scanning its eyes back

WIZ is only as good as its connectors. Ours covered WTW plus partner infrastructure across Azure tenants — and unhealthy connectors meant silent blind spots in cloud scanning.

-connector health issues left parts of the cloud estate unscanned
-every fix needed coordination across teams in different tenants
+migrated the Azure connectors and worked cross-tenant to restore full, efficient scanning coverage
+built automated rules routing WIZ findings into ServiceNow, Teams and Outlook

stack: WIZ CSPM · Azure · ServiceNow · Teams

log/2022 wipro · siem analyst l2 / shift lead

Tuning out the false-positive flood

A noisy SIEM trains analysts to ignore it. Too many ArcSight alerts were firing on activity that was never going to become an incident — and real signals were drowning in them.

-false positives were burying genuine alerts and burning analyst hours every shift
+created new correlation rules and fine-tuned existing ones to cut the noise
+automated ArcSight reporting so monitoring health was visible at a glance

stack: ArcSight · ServiceNow · Service Desk Plus

log/2021 wipro · siem analyst

When log sources go quiet

A device that stops reporting doesn't raise an alarm — it just disappears. Across Windows, Linux, network, IPS and firewall sources, silence was the most dangerous signal of all.

-non-reporting devices created blind spots no alert would ever catch
+troubleshot connectors and devices end to end, keeping every source up and reporting
+built daily and weekly health-check reports so gaps surfaced before anyone could exploit them

stack: ArcSight connectors · Windows · Linux · Firewall / IPS

writing

Notes from the SOC and beyond.

Early in my SOC career I thought the job was learning to triage alerts faster. Then I worked a shift where most of what fired was noise — the same rules, the same benign activity, ticket after ticket. No amount of analyst speed fixes that. The fix lives upstream, in the rules themselves.

Fine-tuning correlation rules taught me a simple test: every alert should drive a decision. If nobody would ever act on it, it shouldn't page a human. Cutting false positives isn't about seeing less — it's about finally being able to see what matters. The quietest SOCs I've worked in were the ones that took detection engineering seriously.

A CSPM dashboard can look perfectly green while quietly scanning only part of your estate. I learned this managing WIZ connectors across multiple Azure tenants: when a connector degrades, nothing dramatic happens. Findings just stop appearing — which feels like good news until you realise why.

Now I treat connectors like production services. They get health monitoring, clear ownership, and an escalation path that crosses tenant boundaries, because the hardest part of the fix is usually coordination, not configuration. Visibility isn't a feature you enable once; it's a thing you operate every day.

L1 taught me to read logs and respect the queue — real-time monitoring, raising incidents, chasing closures. L2 taught me to ask why an alert exists at all, and to say so when it shouldn't. Shift-lead taught me that escalation is a skill: knowing what's stuck, who can unstick it, and how to ask.

Platform engineering changed the question again. The tools themselves became my product — WIZ, Anomali ThreatStream, Sentinel connectors — and the analysts became my users. If you're an analyst wanting to grow: own one tool end to end, document what confuses you, and automate the report you hate preparing. That's the whole path, honestly.

get in touch

Have a question — or a problem — worth investigating?

If something here sparked a thought — a detection idea, a cloud security question, or feedback on a post — I'd like to hear it. Email is fastest; I usually reply within a day.