Axiata Digital Labs

Lead - Platform Engineer

Axiata Digital Labs  •  Kuala Lumpur, MY (Onsite)  •  3 months ago

Job Description

Key Responsibilities

  • Lead threat-informed detection engineering by translating Red Team and adversary simulation insights into actionable detection improvements and enhancements
  • Design, develop, and maintain SIEM detection use cases, including defining telemetry requirements, mapping detections to the MITRE ATT&CK framework, validating log sources, and implementing enrichments aligned with ASIM standards where applicable
  • Conduct post-engagement detection gap analysis, prioritize improvements, and manage a structured detection backlog to continuously enhance detection coverage and effectiveness
  • Ensure each detection improvement includes refined detection logic (KQL), entity mapping, suppression tuning, updated triage guidance, analyst documentation, and re-validation with Red Team exercises
  • Manage the full lifecycle of detection use cases, including design, development, testing, deployment, optimization, and retirement, ensuring alignment with security objectives and operational efficiency
  • Develop and optimize KQL-based detection logic, incorporating contextual enrichment such as watchlists, UEBA signals, and other relevant telemetry to improve detection accuracy
  • Implement testing and validation processes, including lab testing, adversarial simulations, and quality checks to maintain acceptable true positive and false positive rates and ensure optimal query performance
  • Manage deployment and release processes, including CI/CD pipelines, approval workflows, release documentation, and rollback planning for SIEM detection content
  • Collaborate closely with Red Team, SOC analysts, and engineering teams to ensure detection improvements are validated, measurable, and continuously refined based on operational feedback
  • Maintain a structured pipeline for Red Team findings, converting them into detection engineering tasks and ensuring measurable improvements in coverage, detection efficacy, and remediation timelines
  • Lead enhancements of security automation and orchestration playbooks using Microsoft Logic Apps, improving enrichment workflows, notifications, ticketing integrations, and automated containment actions
  • Ensure automation playbooks include robust error handling, retry logic, timeout controls, monitoring, and secure credential management using managed identities and key vault practices
  • Oversee platform ownership and operational management of Microsoft Sentinel, including connectors, DCR/AMA configurations, ASIM parsers, watchlists, workbooks, and content hub solutions
  • Manage SIEM platform governance, including RBAC policies, API permissions, service principals, CI/CD promotion controls, and adherence to least-privilege principles
  • Monitor and improve data quality and telemetry health, identifying missing log sources, parsing failures, schema drift, time synchronization issues, and abnormal data volume patterns
  • Optimize data ingestion, storage, retention policies, and cost controls within the SIEM platform through query tuning, workspace optimization, and appropriate data tiering strategies
  • Maintain governance and auditability standards, including documented change records, approval trails, testing evidence, and version control for detection and automation content
  • Produce security coverage and performance reports, including metrics mapped to ATT&CK techniques, asset classes, and control families, as well as measurable improvements resulting from Red Team collaboration

Person Specifications

  • 6 – 10 years in SIEM engineering/detection engineering (Sentinel preferred)
  • Deep hands-on with Microsoft Sentinel, KQL, ASIM, Logic Apps, Content Hub, Watchlists, Workbooks
  • Proven experience partnering with Red Team/Pentesters and running Purple Team validations
  • Ability to translate attacker TTPs into telemetry + high-fidelity detections
  • Skilled with CI/CD for SIEM (Git, Azure DevOps), Detection-as-Code, and environment promotion
  • Strong grasp of cloud identity & auth (Entra ID/OAuth/SAML/Kerberos), network protocols, and Windows/Linux telemetry
  • Scripting for automation (PowerShell/Python), API integrations, and data normalization

Nice To Have

  • Experience with M365 Defender and its bi-directional integrations with Sentinel
  • Familiarity with Fusion/UEBA, ML anomalies, and custom parsers (KQL functions)
  • Cost engineering for Sentinel (table strategy, Basic vs Analytics, archive/search)

About Axiata Digital Labs

Axiata Digital Labs is an innovative software service provider, offering telco-focused digital and IT services and solutions that enable individuals, startups and enterprises.

With over 1200 professionals spread across 7 countries, we help global customers in the space of telecommunications, digital services & financial services. Our convergent digital design experiences, innovative platforms and reusable assets connect numerous technologies to deliver tangible business value and experience to our customers.

Axiata Digital Labs is the technology hub of Axiata Group Berhad Malaysia, one of the leading telecommunications groups in Asia.

In pursuit of Axiata’s vision to be a New Generation Digital Champion, Axiata Digital Labs positions itself as a key driver to deliver a range of innovative telecommunication products and services.

Industry
IT & Software
Company Size
501-1,000 employees
Headquarters
Colombo, LK
Year Founded
2019