Remote L3 SOC Analyst - Microsoft XDR​/Defender​/Sentinel

Remote / Online - Candidates ideally in
London, Greater London, W1B, England, UK
Listing for: Robert Walters
Seasonal/Temporary, Remote/Work from Home position
Listed on 2026-03-14
Job specializations:
  • IT/Tech
    Cybersecurity, Security Manager
Job Description & How to Apply Below
Position: Remote L3 SOC Analyst - Microsoft XDR/ Defender/ Sentinel

My reputable global client is seeking an experienced L3 SOC Analyst with expertise across the Microsoft Security stack, including Microsoft XDR, Microsoft Defender, Sentinel, and the wider M365 security ecosystem. You'll handle incident response, threat detection and threat hunting, lead complex investigations, and develop advanced detection content.

What you'll do:

  • Lead and manage high-severity security incidents from identification through containment, eradication, recovery, and post-incident reporting
  • Perform advanced threat hunting using Microsoft Defender XDR, Sentinel, KQL, and other telemetry sources to identify emerging threats, anomalous behaviour, and undetected malicious activity
  • Develop, tune, and maintain Sentinel analytics rules, workbooks, playbooks (Logic Apps), and custom detection use cases to improve SOC detection capability
  • Act as a subject matter expert for the Microsoft security ecosystem, including Defender for Endpoint, Office 365, Identity, Cloud Apps, Defender for Cloud, and Azure security controls
  • Create and maintain Kusto Query Language (KQL) queries, automation workflows, and enrichment logic to enhance detections and investigation efficiency
  • Support purple-team activities, threat modelling, and attack-simulation scenarios aligned to MITRE ATT&CK
  • Provide technical escalation support and mentorship to L1/L2 SOC analysts
  • Perform root-cause analysis, identify systemic issues, and drive continuous improvement across SOC processes
  • Collaborate with engineering, cloud, and cybersecurity teams to enhance log ingestion, telemetry quality, and SIEM/SOAR architecture
  • Produce clear, structured incident reports, threat briefs, and stakeholder updates

What you'll bring:

  • Extensive hands-on experience with Microsoft Sentinel (SIEM) and Microsoft Defender XDR (formerly M365 Defender)
  • Strong proficiency in KQL, analytic rule creation, hunting queries, custom detection engineering, and automation
  • Deep understanding of Windows, Azure AD / Entra, M365, network security, and cloud workloads
  • Advanced knowledge of attacker TTPs, threat intelligence sources, and MITRE ATT&CK mapping
  • Proven experience leading major incidents in an enterprise SOC environment
  • Strong understanding of SOAR automation and experience building Logic Apps-based playbooks
  • Ability to interpret log data from diverse sources and build correlation logic that reduces false positives
  • Experience with PowerShell, Python, or tooling integration for enrichment and automation (a strong advantage)
  • Familiarity with EDR tuning, threat intelligence platforms, and cloud workload security (Azure/AWS/GCP)
  • Excellent analytical, documentation, and communication skills

Robert Walters Operations Limited is an employment business and employment agency and welcomes applications from all candidates
