M-SOC onboarding readiness.
NSE + BSE's Market SOC offers 24×7 ecosystem-level monitoring. SEBI's May 2026 advisory says all eligible REs not yet onboarded "shall expedite" it. This guide is what you need to do before kickoff — eligibility check, log-source mapping, SIEM/SOAR prerequisites, and a 4-week sequence.
Why this matters
"Shall expedite" is the operative language.
Annexure-A item 6c reads: "In the view of enhanced risks posed by AI-driven attacks, all eligible REs (not on boarded with any M-SOC) shall expedite the onboarding."
For M-SOC-eligible entities, this is binding. The challenge is the gap between intent and operational readiness — most entities can sign the eligibility letter on day one but cannot pass log-source validation for weeks. This guide compresses that gap.
Log-source readiness
12 categories. P0 first.
M-SOC operates on the telemetry you send. P0 categories are typically non-negotiable; P1 categories expand visibility; P2 categories add enrichment for advanced detection. This list is illustrative. The actual log-source requirements come from NSE/BSE during onboarding and vary by entity type.
| Priority | Category | Sources |
|---|---|---|
| P0 | Identity + Access | AD/LDAP authentication, MFA, PAM, SSO/IDP federation, privileged-account vaults |
| P0 | Endpoint | EDR/XDR, AV alerts, Windows Security event log, sysmon (where deployed), MDM/UEM compliance |
| P0 | Network Perimeter | Firewall, IDS/IPS, WAF, DNS resolver logs, proxy/SWG, NAC |
| P0 | Cloud Control Plane | AWS CloudTrail / Azure Activity / GCP Audit, IAM events, KMS, S3/Blob access logs |
| P0 | Trading + Market-Specific | OMS/EMS audit, FIX gateway, settlement engines, exchange-connectivity (SFTP, leased line) |
| P1 | Application + API | Web server access + error, API gateway, application audit log, business-event log |
| P1 | Database | Database audit log (DAM), privileged DDL/DML, failed query telemetry |
| P1 | Email Security | Mail-flow gateway, anti-phish telemetry, DLP triggers, attachment scan results |
| P1 | Container + Workload | Kubernetes audit, container runtime, service mesh, image-scan results |
| P2 | Threat Intel + Vuln Mgmt | TIP feed integration, VMS scan results, EASM (e.g. ShadowMap) findings |
| P2 | Insider + Behavioural | UEBA, DLP, file-server access (CIFS/NFS), removable-media events |
| P2 | Physical + Operational | Badge access, CCTV alerts (where IP-connected), HVAC/UPS health for trading floor |
4-Week Pre-Onboarding Sequence
From eligibility letter to M-SOC kickoff.
This is an illustrative pattern, not a baseline timeline. Pace will vary with your existing SOC maturity, log-source readiness, and procurement cycle. Use as a sequencing reference — the order matters more than the calendar.
Week 1: Eligibility + inventory
- Confirm M-SOC eligibility via NSE/BSE relationship manager (formal email)
- Inventory existing log sources against the 12 categories in the table above; score each P0 source as Connected / Partial / Missing
- Identify SIEM platform of record + retention policy alignment (CSCRF mandates 5+ years)
- Map your incident-response playbook handoff points to the M-SOC interface
Week 2: P0 log-source gaps
- Close P0 log-source gaps — prioritise identity, endpoint, perimeter, cloud control plane, trading systems
- Validate log-source quality: timestamp format, hostname canonicalisation, no PII over-collection
- Define SIEM correlation rules for the SEBI Annexure-A threat model (AI-augmented attacker scenarios)
- Engage your incident-comms team on SEBI 6-hour reporting + CERT-In overlap
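The log-source quality check above is where most Partial sources get stuck, so here is an added example (not from the original page, and not NSE/BSE tooling) of the three validations run over a handful of constructed events: timestamps must be ISO 8601 with an explicit offset, hostnames must be canonical lowercase FQDNs rather than short names or IP literals, and free-text fields are scanned for PII patterns that should never reach the SIEM. The PAN and Aadhaar-style regexes are illustrative and will false-positive; the event schema and the Connected/Partial/Missing mapping are assumptions for the example.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample events, one per log source, in the shape a SIEM normaliser might emit.
# Illustrative only; not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2026-06-02T09:15:04+05:30", "host": "ad01.corp.example", "user": "jdoe", "msg": "logon ok"},
    {"ts": "06/02/2026 09:15:07", "host": "FW-EDGE-01", "user": "", "msg": "deny tcp 203.0.113.9 -> 10.1.2.3"},
    {"ts": "2026-06-02T09:15:09", "host": "oms-prod-02.trading.example", "user": "trader7",
     "msg": "order accepted PAN ABCDE1234F"},
    {"ts": "2026-06-02T03:45:11Z", "host": "10.1.2.3", "user": "svc_backup", "msg": "aadhaar 1234 5678 9012 attached"},
]

# Lowercase labels, at least one dot, no leading/trailing hyphens: the canonical form we want in the SIEM.
FQDN_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")

# Illustrative PII patterns (assumed, not a complete list): Indian PAN and Aadhaar-like 12-digit numbers.
PII_PATTERNS = {
    "pii:pan": re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b"),
    "pii:aadhaar-like": re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
}


def check_timestamp(ts):
    """ISO 8601 with an explicit UTC offset; 'Z' is accepted and treated as +00:00."""
    s = ts[:-1] + "+00:00" if ts.endswith("Z") else ts
    try:
        dt = datetime.fromisoformat(s)
    except ValueError:
        return "timestamp:not-iso8601"
    return None if dt.tzinfo is not None else "timestamp:no-timezone"


def check_hostname(host):
    """Reject IP literals and non-canonical (short or uppercase) names."""
    try:
        ipaddress.ip_address(host)
        return "hostname:ip-literal"
    except ValueError:
        pass
    return None if FQDN_RE.match(host) else "hostname:not-canonical-fqdn"


def check_pii(text):
    return [name for name, rx in PII_PATTERNS.items() if rx.search(text)]


def validate_event(ev):
    """Return the list of quality issues for one event (empty list means it is fit to ship)."""
    issues = [check_timestamp(ev["ts"]), check_hostname(ev["host"])]
    issues += check_pii(ev["msg"])
    return [i for i in issues if i]


def readiness(events):
    """Map a source's sample to the inventory score used in week 1 (assumed mapping)."""
    clean = sum(1 for ev in events if not validate_event(ev))
    if clean == len(events):
        return "Connected"
    return "Partial" if clean else "Missing"


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["host"], validate_event(ev) or "OK")
    print("readiness:", readiness(SAMPLE_EVENTS))
```

Run it per log source against a day's sample before declaring the source Connected; a source that parses but leaks PAN or Aadhaar data into message fields is a data-minimisation finding, not a connectivity one, and needs a masking rule at the forwarder rather than at M-SOC.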
Week 3: SOAR + detection
- SOAR playbooks designed + tested for top 5 use cases: credential-stuffing, BEC/phishing, malware on endpoint, anomalous trading activity, perimeter brute force
- Validate detection coverage against MITRE ATT&CK + a SEBI-specific threat-model overlay
- Run a dry-run incident with a controlled test alert end-to-end through SIEM → SOAR → human triage
- Document SLAs: detection time, triage time, M-SOC handoff time, IR escalation criteria
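To make the credential-stuffing and perimeter brute-force playbooks and the ATT&CK mapping concrete, here is an added example (written for this guide, not code from NSE/BSE or any SOAR vendor) that runs two detections over constructed SSO authentication lines, tags each alert with its ATT&CK technique, and maps it to a playbook action list. The log format, the thresholds and the playbook actions are assumptions to be replaced with your own IdP schema and baseline; the technique IDs are real ATT&CK identifiers (T1110.004 Credential Stuffing, T1110.001 Password Guessing).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions; baseline them against your own auth volume.
WINDOW = timedelta(minutes=5)
STUFFING_DISTINCT_USERS = 10   # one source, many accounts  -> ATT&CK T1110.004 Credential Stuffing
GUESSING_FAILS_PER_USER = 10   # many failures, one account -> ATT&CK T1110.001 Password Guessing

# Hypothetical SSO log format; adapt the regex to your IdP's actual event schema.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def build_sample_log():
    """Constructed sample telemetry, not real data: one stuffing burst, one hammered account, one benign user."""
    base = datetime.fromisoformat("2026-06-02T09:00:00+05:30")
    lines = []

    def add(offset_s, result, user, src):
        ts = (base + timedelta(seconds=offset_s)).isoformat()
        lines.append(f"{ts} sso01 auth: result={result} user={user} src={src}")

    for i in range(12):                      # 12 accounts tried from one IP in under a minute
        add(5 * i, "FAIL", f"u{i:02d}", "198.51.100.7")
    add(70, "OK", "u05", "198.51.100.7")     # then a success: a credential from the list worked
    for i in range(15):                      # 15 failures against 'admin' from one IP
        add(600 + 4 * i, "FAIL", "admin", "203.0.113.44")
    for off, res in ((1200, "FAIL"), (1230, "FAIL"), (1260, "OK")):   # benign typo-then-success
        add(off, res, "bob", "10.0.0.5")
    return "\n".join(lines)


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # malformed lines are dropped, never guessed at
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def _windows(events):
    """For each event (time-sorted) yield it with the slice of events within WINDOW after it."""
    for i, start in enumerate(events):
        j = i
        while j < len(events) and events[j]["ts"] - start["ts"] <= WINDOW:
            j += 1
        yield start, events[i:j]


def detect(events):
    alerts, flagged_src = [], set()
    by_src, by_user = defaultdict(list), defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)
            by_user[e["user"]].append(e)
    for src, fails in by_src.items():         # stuffing: one source, many distinct accounts
        for start, win in _windows(fails):
            users = {e["user"] for e in win}
            if len(users) >= STUFFING_DISTINCT_USERS:
                flagged_src.add(src)
                alerts.append({"technique": "T1110.004", "name": "Credential Stuffing", "src": src,
                               "distinct_users": len(users), "first_seen": start["ts"]})
                break                         # one alert per source; the SOAR case aggregates the rest
    for user, fails in by_user.items():       # guessing: one account, many failures
        for start, win in _windows(fails):
            if len(win) >= GUESSING_FAILS_PER_USER:
                alerts.append({"technique": "T1110.001", "name": "Password Guessing", "user": user,
                               "src": sorted({e["src"] for e in win}), "failures": len(win),
                               "first_seen": start["ts"]})
                break
    # Escalation: any success from a source already flagged for stuffing is a probable account takeover.
    for e in events:
        if e["result"] == "OK" and e["src"] in flagged_src:
            alerts.append({"technique": "T1110.004", "name": "Success after stuffing burst",
                           "src": e["src"], "user": e["user"], "first_seen": e["ts"]})
    return alerts


# Illustrative SOAR response mapping (assumed actions, not NSE/BSE guidance).
PLAYBOOK = {
    "Credential Stuffing": ["block-src-at-perimeter", "enrich-src-with-TIP", "notify-IAM"],
    "Password Guessing": ["lock-account", "force-password-reset", "notify-account-owner"],
    "Success after stuffing burst": ["revoke-sessions", "escalate-to-IR", "start-6h-reporting-clock"],
}


def triage(alert):
    return PLAYBOOK[alert["name"]]


if __name__ == "__main__":
    for a in detect(parse(build_sample_log())):
        print(a["technique"], a["name"], "->", ", ".join(triage(a)))
```

The benign user who mistypes twice and then logs in produces no alert, which is the false-positive check the dry-run in this week should also exercise; the success-after-burst escalation is the case that should start the 6-hour reporting clock rather than sit in a triage queue.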
Week 4: M-SOC kickoff
- M-SOC onboarding kickoff with NSE/BSE — SIEM connector validation + log-source attestation
- Run two days of parallel operation (M-SOC monitoring alongside your in-house SOC) and reconcile any gaps in alerts or coverage
- Sign the data-sharing + retention MOU with M-SOC (review with legal first — IP/data-residency clauses)
- Submit IT-committee briefing: M-SOC onboarding complete + steady-state operating model documented
FAQs
What SOC leads keep asking.
Are we M-SOC eligible?
Eligibility is determined by NSE/BSE based on your RE category, AUM, transaction volumes, and exchange membership status. Not every RE is in scope — KRAs, IAs, and very small DPs may be out of scope or in a future phase. Get the determination in writing from your exchange/depository relationship manager before investing in onboarding work.
Do we still need our own SOC if we onboard to M-SOC?
Yes. M-SOC provides centralised threat detection across the securities ecosystem, but you retain primary responsibility for monitoring + incident response on your stack. Think of M-SOC as a parallel layer that catches ecosystem-level patterns + rapid information sharing — not a replacement for in-house or managed SOC.
What logs does M-SOC need access to?
P0 categories at minimum (identity, endpoint, perimeter, cloud control plane, trading systems). The advisory does not enumerate exact log types — operational guidance comes from NSE/BSE during onboarding. Plan to send security-relevant events with timestamps, hostnames, source/dest IPs, user IDs, and severity. PII minimisation matters; do not over-share.
How long does M-SOC onboarding take end-to-end?
The 4-week sequence in this guide gets you to the kickoff in ready state. Actual onboarding (SIEM connector, log-source validation, parallel-running, signoff) typically runs another 4–6 weeks depending on log-source complexity and SOC maturity. Plan for ~8–10 weeks total from "we want to start" to "M-SOC fully integrated."
What if our SOC is outsourced to a managed-security provider?
Most M-SOC integrations work the same way — your MSSP becomes the conduit between your stack and M-SOC. Confirm your MSSP contract permits this telemetry sharing (some contracts require amendment). Some MSSPs already have M-SOC integrations built; ask early in week 1.
How does this relate to CERT-In incident reporting?
M-SOC reporting does not replace your CERT-In 6-hour incident reporting obligation. The two are parallel. M-SOC focuses on ecosystem-level threat sharing + monitoring; CERT-In is the statutory incident-disclosure path. Your incident-response playbook must cover both.
Need a SOC + M-SOC readiness assessment?
Two-week scoped engagement. Log-source gap analysis, SOAR playbook design, parallel-running plan, IT-committee briefing. Pricing on request.