Talent Leaders Inc., Canada

Security Infrastructure Engineer (Google SecOps)

Talent Leaders Inc., Canada  •  Doha, QA (Onsite)  •  3 months ago

Job Description

Functional Responsibilities
Data Ingestion and Normalization
  • Pipeline Management: Architect and maintain the ingestion of telemetry from multi-cloud (GCP, AWS, Azure) and on-premises environments using Bindplane Forwarders, Cloud-to-Cloud (C2C) connectors, and Webhooks.
  • Parser Development: Design, build, and troubleshoot custom parsers (CBN) to ensure non-standard log sources are correctly normalized into the Unified Data Model (UDM).
  • Data Health Monitoring: Build dashboards to monitor ingestion rates, latency, and data drops to ensure the SIEM is always receiving high-quality, actionable data.
 
SOAR & Automation Engineering
  • Playbook Development: Design and code automated incident response playbooks in Google SOAR using Python and visual builders.
  • Connector Engineering: Build and maintain API integrations between Google SOAR and third-party tools (Firewalls, EDR, IAM, Ticketing systems).
  • Workflow Optimization: Automate repetitive manual tasks such as artifact enrichment, evidence gathering, and initial containment actions.
  • Case Management Configuration: Tailor the SOAR environment to fit the SOC’s operational needs, including custom fields, stages, and SLA tracking.
 
Platform Administration and Optimization
  • System Health Monitoring: Monitoring the ingestion health to ensure no data is dropped and that latency stays within acceptable limits.
  • Access Control: Managing Role-Based Access Control (RBAC) to ensure analysts have the correct level of access to sensitive data.
  • Threat Intel Ingestion: Managing the integration of Mandiant, VirusTotal, and other third-party threat intelligence feeds to ensure detections are always up to date with the latest global threats.
 
Collaboration with SOC Team
  • Feedback Loops: Collaborating with Tier 1 and Tier 2 analysts to tune YARA-L rules based on real-world alert performance and "noise" levels.
  • Requirements Gathering: Interviewing incident responders to understand their manual workflows, then translating those into Google SOAR playbooks.
  • Training & Enablement: Conducting knowledge transfer sessions on how to use UDM Search and the Google SecOps interface to speed up investigations.
Alignment with Infrastructure Team
  • Data Ingestion Strategy: Working with GCP/AWS/Azure Architects to ensure that Cloud Logging and Pub/Sub are configured correctly for seamless export to the Google SecOps platform.
  • Agent Deployment: Coordinating with IT Infrastructure teams to deploy and maintain Bindplane Forwarders on on-premises servers and virtual machines.
  • Troubleshooting: Collaborating with Network Engineers to resolve connectivity issues or firewall blocks that prevent telemetry from reaching the Google SecOps platform.
Knowledge, Skills & Experience
Academic & Professional Qualifications:
  • Bachelor’s degree in Computer Science, IT, Cybersecurity, or equivalent.
  • SIEM Certification (e.g., Google SecOps, Splunk, Azure Sentinel).
Preferred:
  • Security certifications such as Security+, CySA+, CEH, CISSP, GCIH
Experience:
  • 3–5 years of hands-on experience in Security Engineering, SOC Automation, DevOps Engineering, Security Operations, or Infrastructure Security.
 
Skills and Requirements:
Technical Skills (Must Have)
 
  • SIEM/SOAR Mastery: Proven experience architecting and managing enterprise-grade platforms (e.g., Splunk, Azure Sentinel, or QRadar), with at least 1–2 years specifically focused on Google SecOps (Chronicle).
  • Key Requirement: Google SecOps.
  • Coding & Scripting: Professional experience using Python to automate security workflows or build custom API connectors.
  • Cloud Infrastructure: Hands-on experience managing security within Google Cloud Platform (GCP), including VPC service controls, IAM, and Cloud Logging.
  • Languages: Python (Advanced), SQL (BigQuery), YARA/YARA-L, and Bash.
  • Frameworks: MITRE ATT&CK, NIST Cybersecurity Framework.
  • Tools: Git (Version Control), Terraform (Infrastructure as Code), Docker/Kubernetes (Containerization).
  • Data Standards: Deep knowledge of JSON, Protobuf, and Regex for log parsing and normalization.
Soft Skills
  • Strong analytical thinking and problem-solving capability.
  • Excellent communication skills, able to explain technical findings to non-technical stakeholders.
  • Ability to work independently, manage multiple priorities, and meet deadlines.
  • Attention to detail and a structured, documentation-driven mindset.
 
About Talent Leaders Inc., Canada

It is our pleasure to welcome you, both Job Seekers and Employers, to the world of a true professional executive search & staffing firm. Our extensive experience in staffing solutions helps thousands of job seekers and hundreds of clients realize their common goal.

Our global experience in client acquisition, executive search, head hunting and outsourcing adds value to our presence in Canada, where niche skills in the ever-changing economy can be made available to highly reputable employers across the globe, thus making the highly sought-after and highly talented Canadian workforce a global citizen.

Job Seekers: You can rest assured that you are in the hands of the right professionals in the field of executive search & placement, consultants who will always strive to place you in the leading industry based on your competencies, experience and preferences. Confidentiality of your candidature is always maintained. We work with you until you find the right employment opportunity around the globe.

Employers: We guarantee you a high level of professional executive search & placement services by sourcing and placing the right candidates within the agreed time frame. Our search for the right candidates goes beyond the traditional search pattern, and we guarantee the right person at the right time for your business to succeed.

Industry: Consulting & Advisory
Company Size: 1-10 employees
Headquarters: Calgary, CA
Year Founded: 2016