Revvity

Sr. Security Engineer

This job is no longer accepting applications

  • Posted 14 days ago

Job Description

Job Description Summary:

To serve as the technical architect for the detection ecosystem, ensuring that the Microsoft Sentinel and Defender XDR platforms are integrated, performant, and optimized for hybrid security monitoring and automated incident response.

Responsibilities:

  • Detection and Normalization Engineering: Design and maintain KQL Functions and Parsers aligned with the Advanced SIEM Information Model (ASIM) to ensure unified telemetry across disparate log sources.
  • Cross-Domain Correlation: Engineer high-fidelity analytics rules that bridge signals between Defender for Endpoint, Identity, Office 365, and Sentinel.
  • Hybrid Ingestion Management: Provide technical ownership of the data supply chain, including the management of Linux-based log collectors (rsyslog/syslog-ng) and Azure Arc-managed agents.
  • SOC Tuning and Gap Analysis: Partner with SOC analysts to tune out false positives via KQL optimization and map visibility gaps against the MITRE ATT&CK framework.
  • Security Automation (SOAR): Develop Python scripts for API-based integrations and Logic Apps to automate complex incident triage and enrichment workflows.
  • Technical Documentation and Knowledge Architecture: Create and maintain comprehensive documentation of the Sentinel environment, including detailed data flow diagrams, complex entity relationship maps, and custom ASIM schema extensions to ensure long-term platform maintainability.

Qualifications & Required Work Experience:
  • Bachelor's degree in Computer Science, Cyber Security, or a related technical field (or equivalent professional experience)
  • 7+ years of overall IT experience
  • SIEM Mastery: 4+ years in Security Engineering, with at least 2 years of deep Microsoft Sentinel administration, specifically writing complex KQL (joins, lookups, and summaries).
  • Microsoft Security Stack: Practical experience managing core Defender pillars (Endpoint, Identity, Office) and their integration with a SIEM.
  • Hybrid OS Administration: Strong fundamental knowledge of Windows Server (Registry, Event Logs, Services) and Linux (File Systems, Permissions, Package Management) to support security agent health and troubleshooting.
  • Infrastructure and Scripting: Proficient in Linux CLI for log transport management and production-grade scripting in Python and Bash.
  • Advanced Documentation: Proven ability to translate complex KQL logic and multi-stage data ingestion pipelines into clear architectural diagrams and technical runbooks.

Special requirements:
  • Certifications: SC-200 (Microsoft Security Operations Analyst) is required.
  • Expertise: Deep understanding of the MITRE ATT&CK framework and ASIM data normalization schemas.
  • Communication: Ability to document as-built architectures and translate complex technical logic for SOC analyst consumption.

Job ID: 144690555