Job Description
Microsoft Sentinel SIEM Analyst
We are seeking a skilled and motivated Microsoft Sentinel SIEM Engineer to join our dynamic cybersecurity team.
In this role, you will be responsible for the end-to-end management, optimization, and advanced configuration of our Microsoft Sentinel SIEM and Microsoft 365 Defender platform. You will play a critical role in protecting our digital assets by designing and implementing detection rules, automating response actions, and hunting for advanced threats. The ideal candidate is a proactive problem-solver with deep technical expertise in the Microsoft security ecosystem and a passion for building resilient security operations.
Experience: 5+ years of hands-on experience in a security engineering or analyst role, with at least 2 years focused on Microsoft Sentinel.
Key Areas: Monitoring and Maintenance; Threat Detection and Analysis; Automation and Orchestration; Threat Hunting; Incident Response Support; Collaboration and Communication; Continuous Improvement.
Key Roles and Responsibilities
Day-to-day activities of a Sentinel SIEM Expert are a mix of proactive engineering, reactive response, and strategic improvement. While an analyst might watch the queue, an expert builds and tunes the system.
1. Platform Management & Administration
Deployment & Configuration: Architect, deploy, and configure Microsoft Sentinel workspaces, including data connector setup, log ingestion, and workspace optimization.
Data Onboarding: Manage the ingestion of log data from various sources (e.g., Microsoft 365 Defender, Azure AD, Azure Activity Logs, on-premises servers, firewalls, and endpoints connected via Azure Arc and the Azure Monitor Agent (AMA)).
Health Monitoring: Proactively monitor the health, performance, and cost of the Sentinel environment. Troubleshoot and resolve issues related to data ingestion, agent health, and analytics rule execution.
Lifecycle Management: Manage the lifecycle of analytics rules, watchlists, hunting queries, and workbooks.
2. Threat Detection & Content Development
Analytics Rule Creation: Design, develop, test, and tune custom analytics rules using Kusto Query Language (KQL) to detect malicious activity, threats, and anomalies.
SOC Use Case Implementation: Translate business requirements and threat intelligence into effective, actionable detection logic within Sentinel.
Leverage Built-in Templates: Utilize and customize built-in analytics rule templates from Microsoft and the community to accelerate detection coverage.
Threat Intelligence Integration: Integrate threat intelligence platforms (TIP) and indicators of compromise (IOCs) into Sentinel to enhance detection capabilities.
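As an illustration of the custom analytics rule work described in this section, the following KQL is an added example written for this page, not a rule from the hiring organization or from Microsoft's built-in templates. It assumes the Microsoft Entra ID (Azure AD) SigninLogs table is being ingested into the workspace; the threshold values and the one-hour lookback are assumptions to be tuned against the environment's own baseline.

```kql
// Added example (not from the job posting): a scheduled analytics rule query for
// Microsoft Sentinel that flags password-spray-style sign-in failures from one IP
// address that are followed by a successful sign-in from the same address.
// Assumes SigninLogs is ingested. lookback, failThreshold and the user-count
// threshold are illustrative values, not a recommendation.
let lookback = 1h;
let failThreshold = 10;
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"                // SigninLogs uses "0" for success
    | summarize FailedCount = count(),
                TargetedUsers = dcount(UserPrincipalName),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated)
              by IPAddress
    | where FailedCount >= failThreshold and TargetedUsers >= 5;
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, IPAddress, UserPrincipalName, AppDisplayName;
failures
| join kind=inner successes on IPAddress
| where SuccessTime > FirstFail               // the success must come after the failures began
| project IPAddress, UserPrincipalName, AppDisplayName,
          FailedCount, TargetedUsers, FirstFail, LastFail, SuccessTime
// In the rule's entity mapping, map Account to UserPrincipalName and IP to IPAddress
// so the resulting incident populates the investigation graph and entity pages.
```

Saving the same query as a hunting query rather than a scheduled rule is a common way to trial the thresholds before enabling it for incident creation; once tuned, the scheduled rule's frequency and lookback should match the `lookback` value so no window is skipped or double-counted.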
3. Automation & Response (SOAR)
Playbook Development: Design, build, and maintain Azure Logic Apps playbooks to automate incident response and orchestrate security workflows (e.g., auto-quarantine emails, disable user accounts, trigger investigations).
Automation Rule Management: Create and manage Automation Rules to standardize incident triage, assignment, and lifecycle (e.g., auto-close false positives, set severity levels).
Efficiency Improvement: Continuously seek opportunities to automate manual SOC tasks, reducing Mean Time to Acknowledge (MTTA) and Mean Time to Respond (MTTR).
4. Threat Hunting & Proactive Defense
Proactive Hunting: Conduct proactive threat hunting campaigns using advanced KQL queries to uncover hidden threats that may evade traditional detection methods.
Hunting Notebooks: Develop and utilize Jupyter notebooks within Sentinel for deep-dive, interactive investigations.
Research & Development: Stay current with the latest adversary TTPs (Tactics, Techniques, and Procedures) and develop new hunting hypotheses.
5. Investigation & Incident Support
Incident Analysis: Serve as an escalation point for Tier 2/3 SOC analysts, providing expertise during complex incident investigations.
Forensic Data Enrichment: Use Sentinel's investigation graph and entity pages to enrich incident data and understand the full scope of an attack.
Documentation: Create and maintain detailed documentation for runbooks, playbooks, hunting guides, and standard operating procedures (SOPs).
6. Collaboration & Reporting
Stakeholder Reporting: Develop and maintain dashboards and workbooks to provide visibility into the security posture, key metrics (KPIs), and threat landscape for management and other stakeholders.
Cross-Functional Collaboration: Work closely with the IT infrastructure, cloud, and application development teams to ensure proper logging and security best practices are followed.
Mentorship: Mentor and provide technical guidance to junior SOC analysts and engineers on KQL, Azure, and security concepts.
Escalation Support: Act as an escalation point for Tier 2/3 SOC analysts struggling with a complex investigation, and provide a "second opinion" on the scope and impact of a potential security incident.