Microsoft Sentinel SIEM Analyst

Job in 411001, Pune, Maharashtra, India
Listing for: Verdantas
Full Time position
Listed on 2026-02-17
Job specializations:
  • IT/Tech
    Cybersecurity, Security Manager

We are seeking a skilled and motivated Microsoft Sentinel SIEM Engineer to join our dynamic cybersecurity team.

In this role, you will be responsible for the end-to-end management, optimization, and advanced configuration of our Microsoft Sentinel SIEM and Microsoft 365 Defender platform. You will play a critical role in protecting our digital assets by designing and implementing detection rules, automating response actions, and hunting for advanced threats. The ideal candidate is a proactive problem-solver with deep technical expertise in the Microsoft security ecosystem and a passion for building resilient security operations.

Experience:

5+ years of hands-on experience in a security engineering or analyst role, with at least 2 years focused on Microsoft Sentinel.

Key Areas:
  • Monitoring and Maintenance
  • Threat Detection and Analysis
  • Automation and Orchestration
  • Threat Hunting
  • Incident Response Support
  • Collaboration and Communication
  • Continuous Improvement

Key Roles and Responsibilities

Day-to-day activities of a Sentinel SIEM Expert are a mix of proactive engineering, reactive response, and strategic improvement. While an analyst might watch the queue, an expert builds and tunes the system.

1. Platform Management & Administration

Deployment & Configuration:
Architect, deploy, and configure Microsoft Sentinel workspaces, including data connector setup, log ingestion, and workspace optimization.
Data Onboarding:
Manage the ingestion of log data from various sources (e.g., Microsoft 365 Defender, Azure AD, Azure Activity Logs, on-premises servers, firewalls, endpoints via Azure Arc and AMA).
Health Monitoring:
Proactively monitor the health, performance, and cost of the Sentinel environment. Troubleshoot and resolve issues related to data ingestion, agent health, and analytics rule execution.
Lifecycle Management:
Manage the lifecycle of analytics rules, watchlists, hunting queries, and workbooks.

2. Threat Detection & Content Development
Analytics Rule Creation:
Design, develop, test, and tune custom analytics rules using Kusto Query Language (KQL) to detect malicious activity, threats, and anomalies.
SOC Use Case Implementation:
Translate business requirements and threat intelligence into effective, actionable detection logic within Sentinel.
Leverage Built-in Templates:
Utilize and customize built-in analytics rule templates from Microsoft and the community to accelerate detection coverage.
Threat Intelligence Integration:
Integrate threat intelligence platforms (TIP) and indicators of compromise (IOCs) into Sentinel to enhance detection capabilities.

3. Automation & Response (SOAR)
Playbook Development:
Design, build, and maintain Azure Logic Apps playbooks to automate incident response and orchestrate security workflows (e.g., auto-quarantine emails, disable user accounts, trigger investigations).
Automation Rule Management:
Create and manage Automation Rules to standardize incident triage, assignment, and lifecycle (e.g., auto-close false positives, set severity levels).
Efficiency Improvement:
Continuously seek opportunities to automate manual SOC tasks, reducing Mean Time to Respond (MTTR) and Mean Time to Acknowledge (MTTA).

4. Threat Hunting & Proactive Defense
Proactive Hunting:
Conduct proactive threat hunting campaigns using advanced KQL queries to uncover hidden threats that may evade traditional detection methods.
Hunting Notebooks:
Develop and utilize Jupyter notebooks within Sentinel for deep-dive, interactive investigations.
Research & Development:
Stay current with the latest adversary TTPs (Tactics, Techniques, and Procedures) and develop new hunting hypotheses.

5. Investigation & Incident Support
Incident Analysis:
Serve as an escalation point for Tier 2/3 SOC analysts, providing expertise during complex incident investigations.
Forensic Data Enrichment:
Use Sentinel's investigation graph and entity pages to enrich incident data and understand the full scope of an attack.
Documentation:
Create and maintain detailed documentation for runbooks, playbooks, hunting guides, and standard operating procedures (SOPs).

6. Collaboration & Reporting
Stakeholder Reporting:
Develop and maintain dashboards and workbooks to provide visibility into the security posture, key metrics (KPIs), and threat landscape for management and other stakeholders.

Cross-Functional Collaboration:

Work closely with the IT infrastructure, cloud, and application development teams to ensure proper logging and security best practices are followed.
Mentorship:
Mentor and provide technical guidance to junior SOC analysts and engineers.
Act as an escalation point for Tier 2/3 SOC analysts struggling with a complex investigation.
Provide a second opinion on the scope and impact of a potential security incident.
Mentor junior engineers and analysts on KQL, Azure, and security concepts.