Security Automation Engineer
Listed on 2026-02-23
IT/Tech
Cybersecurity, Systems Engineer
Join us to co-create solutions for a better future!
Job Details
Cyber Security Engineer / Security Automation Engineer, Raritan, NJ.
Posted: 1/30/2026.
Job Category:
Cyber Security Engineer.
Position Type:
Full Time.
Duration: 6 Months+.
Shift: 1.
Remaining Positions: 1.
Details:
Stefanini Group is looking for a Security Automation Engineer for a globally recognized company. For interested applicants, click the apply button or you may reach out to Micah Andres at 386-7399/ for faster processing. Thank you!
We need a Security Automation Engineer to build and operationalize the automation that correlates CrowdStrike Falcon Device Control telemetry with Active Directory/Azure Entra changes in Microsoft Sentinel, and then programmatically updates CrowdStrike Device Control policy group membership via API. The engineer will own the scripting, testing, and configuration work, in collaboration with our client, required to implement the end-to-end flow defined in our design.
Key Responsibilities
Build the event pipeline & data model
- Stand up and harden the FDR to S3 delivery for Falcon Device Control events (e.g., DcRemovableStorageDeviceConnected, DcUsbDevicePolicyViolation, DcUsbDeviceWhitelisted, etc.), ensuring schema normalization and lifecycle management in S3.
- Configure Microsoft Sentinel ingestion for FDR data and AD/Entra group events; develop KQL parsers, tables, and data normalizations to support correlation.
- Author KQL analytics rules that join Windows Event IDs 4728/4729/6416/4663 with CrowdStrike Device Control events to identify when a user's group status should change host USB policy posture.
- Implement suppression/thresholding to reduce flapping and false positives (e.g., batch group changes, burst‑aware dedupe).
- Build idempotent automation (PowerShell, Python, Logic Apps, Functions, or similar) that calls CrowdStrike APIs to move hosts into/out of the Device Control allow group based on Sentinel signals. Include robust error handling, retries, and audit logging.
- Package automation as CI/CD artifacts (IaC where appropriate), with secure secrets handling (Key Vault/Secrets Manager).
- Develop unit tests for parsers and functions, integration tests for end‑to‑end flows (synthetic Windows events + synthetic FDR samples), and UAT runbooks for security operations.
- Create simulation data (sanitized/synthetic) to validate rules for Event IDs 4728, 4729, 6416, 4663 and representative FDR Device Control events prior to production cutover.
- Build dashboards in Sentinel that show pipeline health, rule efficacy, and host policy transitions.
- Document the full runbook: deployment, rollback, break‑glass steps, and change control.
- Train L2/L3 SOC and Help Desk on troubleshooting and manual override procedures.
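The responsibilities above describe one flow: net out group-membership changes (4728/4729) to suppress flapping, map affected users to the hosts seen in Device Control telemetry, and then push only the missing adds/removes to the Falcon host group so the job can be re-run safely. The following is an added, self-contained simulation of that reconciliation logic, not code from Stefanini or the client. The group names, host names, users, event records and the `FakeFalconClient` stand-in for the CrowdStrike host-group API are all constructed for illustration; a production version would replace the fake client with authenticated Falcon API calls and add backoff between retries.

```python
"""Constructed simulation of the Sentinel -> Falcon Device Control reconciliation flow."""
from collections import defaultdict

ALLOW_GROUP = "USB-Allow"            # assumed AD group that grants USB access
POLICY_GROUP = "DC-USB-Allow-Hosts"  # assumed Falcon Device Control host group

# Constructed Windows Security events (4728 = member added, 4729 = member removed).
# alice is added, removed and re-added within seconds: a flap that must not cause three API calls.
WINDOWS_EVENTS = [
    {"t": "2026-01-30T09:00:00", "EventID": 4728, "TargetUserName": "USB-Allow", "MemberName": "alice"},
    {"t": "2026-01-30T09:00:05", "EventID": 4729, "TargetUserName": "USB-Allow", "MemberName": "alice"},
    {"t": "2026-01-30T09:00:09", "EventID": 4728, "TargetUserName": "USB-Allow", "MemberName": "alice"},
    {"t": "2026-01-30T09:10:00", "EventID": 4728, "TargetUserName": "USB-Allow", "MemberName": "bob"},
    {"t": "2026-01-30T09:12:00", "EventID": 4728, "TargetUserName": "Other-Group", "MemberName": "carol"},
    {"t": "2026-01-30T09:15:00", "EventID": 4729, "TargetUserName": "USB-Allow", "MemberName": "dave"},
]

# Constructed Falcon Device Control (FDR) events used to learn which hosts each user plugs USB media into.
FDR_EVENTS = [
    {"event_simpleName": "DcUsbDevicePolicyViolation", "ComputerName": "WS-001", "UserName": "alice"},
    {"event_simpleName": "DcRemovableStorageDeviceConnected", "ComputerName": "WS-002", "UserName": "bob"},
    {"event_simpleName": "DcUsbDeviceWhitelisted", "ComputerName": "WS-003", "UserName": "dave"},
    {"event_simpleName": "DcRemovableStorageDeviceConnected", "ComputerName": "WS-004", "UserName": "carol"},
]


def net_group_changes(events, group):
    """Return the final membership state per user for `group`, collapsing add/remove bursts
    for the same user into one transition. Also returns how many intermediate changes were suppressed."""
    state, suppressed = {}, 0
    for e in sorted(events, key=lambda e: e["t"]):
        if e["TargetUserName"] != group or e["EventID"] not in (4728, 4729):
            continue
        if e["MemberName"] in state:
            suppressed += 1  # an earlier change in this batch is superseded by this one
        state[e["MemberName"]] = e["EventID"] == 4728
    return state, suppressed


def hosts_for_users(fdr_events):
    """Map each user to the set of hosts on which Device Control telemetry saw them."""
    hosts = defaultdict(set)
    for e in fdr_events:
        if e["event_simpleName"].startswith("Dc"):
            hosts[e["UserName"]].add(e["ComputerName"])
    return hosts


def plan_changes(group_state, user_hosts, current_hosts):
    """Diff desired posture against current host-group membership so only real changes are sent."""
    add, remove = set(), set()
    for user, is_member in group_state.items():
        for host in user_hosts.get(user, ()):
            if is_member and host not in current_hosts:
                add.add(host)
            elif not is_member and host in current_hosts:
                remove.add(host)
    return add, remove


class FakeFalconClient:
    """Stand-in for the Falcon host-group API (assumed interface, not the real SDK).
    The first call fails once to exercise the retry path."""

    def __init__(self, members, fail_first=True):
        self.members = set(members)
        self.calls = 0
        self.fail_first = fail_first

    def add_hosts(self, group, hosts):
        self.calls += 1
        if self.fail_first and self.calls == 1:
            raise ConnectionError("simulated transient API error")
        self.members |= set(hosts)

    def remove_hosts(self, group, hosts):
        self.calls += 1
        self.members -= set(hosts)


def with_retry(fn, *args, attempts=3):
    """Retry transient failures; a production version would back off between attempts."""
    for attempt in range(1, attempts + 1):
        try:
            return fn(*args)
        except ConnectionError:
            if attempt == attempts:
                raise


def reconcile(client, windows_events, fdr_events):
    """One full pass: correlate, plan, apply, and return an audit record. Re-running is a no-op."""
    state, suppressed = net_group_changes(windows_events, ALLOW_GROUP)
    add, remove = plan_changes(state, hosts_for_users(fdr_events), client.members)
    if add:
        with_retry(client.add_hosts, POLICY_GROUP, sorted(add))
    if remove:
        with_retry(client.remove_hosts, POLICY_GROUP, sorted(remove))
    return {"added": sorted(add), "removed": sorted(remove), "suppressed_flaps": suppressed}


if __name__ == "__main__":
    client = FakeFalconClient({"WS-003", "WS-009"})
    print(reconcile(client, WINDOWS_EVENTS, FDR_EVENTS))  # adds WS-001/WS-002, removes WS-003
    print(reconcile(client, WINDOWS_EVENTS, FDR_EVENTS))  # second pass changes nothing
```

Running the same batch twice produces the same host group and no further API calls, which is the idempotency property the automation needs when Sentinel re-fires a rule or a Logic App retries.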
Minimum Qualifications
- 5+ years in security engineering/automation with SIEM (Microsoft Sentinel) and endpoint security integrations.
- Proficiency in KQL, Python and/or PowerShell, and REST/OAuth2 API integration.
- Hands-on experience with CrowdStrike Falcon (preferably Device Control), FDR pipelines, and API-driven policy management.
- Solid understanding of Windows Security Event Log semantics—especially 4728/4729 (group membership changes), 6416 (new device recognized), 4663 (file access)—and how to correlate with endpoint telemetry.
- Cloud data engineering basics: AWS S3 object storage, schema evolution, and secured ingestion; Azure identity fundamentals.
- Experience building SOAR playbooks (e.g., Sentinel Automation Rules/Logic Apps) and CI/CD pipelines for security automations.
- Prior implementation of device control/DLP workflows and handling USB policy exceptions at scale.
- Exposure to regulated environments (e.g., healthcare/life sciences) and change‑controlled releases.
- Familiarity with Entra (formerly Azure AD) group modeling and hybrid AD sync nuances.
Pay Range: $70.00 - $75.00