This role leads the development, optimization, and governance of detection content across the Microsoft Sentinel and Defender XDR platforms. Its purpose is to ensure high-fidelity alerting, minimize false positives, and align detection logic with threat intelligence and the MITRE ATT&CK framework. The incumbent needs deep experience in KQL, Sigma rule development, and SOC telemetry analysis within MSSP environments.
Key Responsibilities:
Detection Content Development
- Design and implement custom detection rules using KQL, Sigma, and behavioral analytics.
- Map detection logic to MITRE ATT&CK techniques and threat actor profiles.
- Develop UEBA baselines and anomaly detection use cases.
Alert Tuning & Optimization
- Analyze alert performance and lead biweekly tuning cycles to reduce false positives.
- Collaborate with L2/L3 analysts to refine detection thresholds and suppression logic.
- Maintain a detection content repository with version control and change logs.
Telemetry & Visibility Engineering
- Conduct log source visibility reviews and telemetry gap analysis.
- Recommend log onboarding priorities based on threat coverage and customer environments.
- Validate parsing, normalization, and enrichment of ingested data.
Threat Intelligence Integration
- Operationalize threat intelligence into detection content and hunt scenarios.
- Integrate IOCs, TTPs, and threat actor indicators into rule logic and enrichment workflows.
Governance & Documentation
- Maintain detection playbooks, rule documentation, and tuning reports.
- Ensure detection content aligns with MSSP governance frameworks and audit requirements.
- Support change control processes for rule deployment and rollback.
Collaboration & Enablement
- Work closely with SOC analysts, onboarding consultants, and automation engineers.
- Provide training and guidance on detection logic, rule writing, and tuning best practices.
- Participate in incident post-mortems to identify detection gaps and improvement areas.
Requirements:
- Bachelor's degree in Cybersecurity, Computer Science, or related field.
- 5+ years in SOC or cybersecurity operations, with at least 2 years in detection engineering or SIEM content development.
- Prior experience in MSSP environments or multi-tenant SOC platforms is highly preferred.
- Required: Microsoft Certified: Security Operations Analyst Associate.
- Preferred: MITRE ATT&CK Defender (MAD), GIAC (GCIA, GMON), CompTIA CySA+.
- Expert-level proficiency in KQL, Microsoft Sentinel, and Defender XDR.
- Experience with Sigma rule development, UEBA, and SIEM tuning.
- Strong understanding of log source telemetry, data normalization, and alert lifecycle.
- Familiarity with threat intelligence platforms and MITRE ATT&CK mapping.
- Analytical mindset with strong attention to detail.
- Excellent documentation and presentation skills.
- Ability to collaborate across technical and operational teams.
- Fluent English communication skills (spoken and written).