Security Analyst - Houston, TX

Zedcor Security Solutions, Houston, TX
Onsite

About The Position

The Security Analyst is responsible for ensuring that the organization’s security logs, alerts, and telemetry are properly collected, monitored, routed, and maintained across the enterprise. The primary focus of this role is Microsoft Sentinel SIEM operations, log ingestion health, alert collection, alert rule validation, and monitoring coverage across all systems and devices. This role ensures that logs and alerts from Windows, Linux, Azure, Microsoft 365, Exchange, Microsoft Purview, Tenable Vulnerability Management, Arctic Wolf, firewalls, switches, routers, modems, cameras, IoT devices, servers, endpoints, and cloud services are properly collected and available for security monitoring. The Security Analyst is responsible for identifying logging gaps, resolving ingestion issues, creating and tuning alert rules, validating security feeds, and ensuring that the SIEM provides accurate visibility into the environment.

Requirements

  • Experience with Microsoft Sentinel or another SIEM platform.
  • Experience with log collection, alert collection, SIEM monitoring, and security event analysis.
  • Working knowledge of Windows and Linux operating systems.
  • Experience reviewing and troubleshooting Windows Event Logs, Linux system logs, syslog, authentication logs, and security audit logs.
  • Familiarity with Microsoft Azure, Microsoft 365, Exchange, Entra ID, Microsoft Defender, and Microsoft Purview logging.
  • Familiarity with vulnerability management tools such as Tenable, Nessus, Qualys, Rapid7, or similar.
  • Ability to troubleshoot data connectors, logging agents, syslog forwarding, API integrations, audit policies, and alert routing.
  • Basic understanding of firewalls, switches, routers, modems, wireless networks, servers, endpoints, cloud systems, cameras, and IoT devices.
  • Ability to create, review, validate, and tune SIEM alert rules.
  • Strong analytical, documentation, and problem-solving skills.

Responsibilities

  • Operate and maintain Microsoft Sentinel as the organization’s primary SIEM platform.
  • Ensure all required security logs are being collected by Microsoft Sentinel.
  • Ensure all required security alerts are being collected, routed, and visible in Sentinel and other approved monitoring platforms.
  • Monitor Sentinel data connectors, agents, ingestion pipelines, parsers, workbooks, analytic rules, and incident creation.
  • Validate that logs and alerts are collected from all approved sources, including endpoints, servers, cloud platforms, network devices, IoT devices, cameras, and security tools.
  • Troubleshoot and resolve log ingestion failures, connector issues, parser errors, agent failures, missing data, delayed logs, and alert routing issues.
  • Ensure logs are continuously collected, retained, searchable, and usable for investigation.
  • Identify systems, devices, applications, or security tools that are not logging properly.
  • Track logging and alerting gaps through remediation.
  • Maintain an inventory of log sources, alert sources, collection methods, data connectors, and monitoring coverage.
  • Configure, validate, and maintain Microsoft Sentinel data connectors.
  • Create, tune, and maintain Sentinel analytics rules, alert rules, incidents, workbooks, dashboards, watchlists, and automation rules.
  • Use KQL to validate log ingestion, review alert data, investigate anomalies, and support threat hunting.
  • Ensure Sentinel alert rules are accurate, actionable, and aligned with organizational risk.
  • Validate that alert rules generate incidents correctly and route to the proper monitoring or response process.
  • Review Sentinel health, usage, ingestion volume, and data source coverage.
  • Tune noisy or low-value alert rules while preserving required detection coverage.
  • Document Sentinel configurations, alert logic, ingestion sources, and operational procedures.
  • Ensure Windows and Linux systems are properly configured to send logs to Microsoft Sentinel and related monitoring platforms.
  • Validate Windows Event Logs, Security logs, System logs, Application logs, PowerShell logs, Sysmon logs, authentication events, process execution events, administrative activity, and audit policy events.
  • Validate Linux authentication logs, sudo activity, SSH activity, auditd logs, syslog, cron activity, daemon logs, privilege escalation events, and system activity.
  • Troubleshoot Windows and Linux logging agents, connectors, forwarding rules, and audit configurations.
  • Work with IT teams to adjust Windows and Linux audit policies so the correct events are captured.
  • Ensure server and endpoint logging remains active after system updates, rebuilds, configuration changes, or new deployments.
  • Ensure Azure, Microsoft 365, Entra ID, Exchange, Defender, and Purview logs are properly collected and monitored.
  • Validate collection of Azure activity logs, sign-in logs, audit logs, identity events, privileged activity, resource changes, and security alerts.
  • Validate Microsoft 365 and Exchange logs, including mailbox access, mail flow, phishing activity, suspicious inbox rules, transport rule changes, administrative changes, and abnormal user activity.
  • Validate Microsoft Purview audit, compliance, data protection, DLP, sensitivity label, retention, and insider risk events where applicable.
  • Ensure Microsoft cloud logs are routed to Sentinel, Arctic Wolf, or other approved monitoring destinations as required.
  • Identify and remediate gaps in Microsoft cloud logging and alert collection.
  • Ensure Tenable Vulnerability Management scan results, findings, alerts, asset data, and risk information are available to the appropriate security monitoring and reporting processes.
  • Validate that Tenable scans are running and producing usable vulnerability data.
  • Ensure critical Tenable findings and vulnerability alerts are routed to the correct dashboards, reports, tickets, or monitoring workflows.
  • Identify assets that are missing from Tenable scans or not reporting vulnerability data.
  • Coordinate with IT teams to resolve Tenable data collection, scan coverage, credential, or agent issues.
  • Support vulnerability reporting by validating that Tenable data is complete, current, and usable.
  • Ensure required logs, feeds, and alerts are properly forwarding to Arctic Wolf.
  • Validate that Arctic Wolf is receiving the correct security data from Sentinel, Microsoft cloud services, endpoints, servers, network devices, and security tools.
  • Coordinate with Arctic Wolf to resolve feed failures, missing logs, alert routing issues, and monitoring coverage gaps.
  • Confirm Arctic Wolf is monitoring the correct alert sources and escalation paths.
  • Review Arctic Wolf notifications and findings to validate data quality and monitoring effectiveness.
  • Ensure alignment between Sentinel alert collection and Arctic Wolf monitoring coverage.
  • Ensure logs and alerts are collected from infrastructure and connected devices, including firewalls, switches, routers, modems, wireless access points, VPN appliances, cameras and video surveillance systems, IoT devices, printers and peripheral devices, Windows servers and endpoints, Linux servers and endpoints, and cloud and SaaS platforms.
  • Validate syslog, SNMP, API-based logging, agent-based logging, and connector-based log collection.
  • Work with IT teams to correct device logging configurations and forwarding rules.
  • Identify infrastructure devices that are not logging, not forwarding alerts, or not visible in the SIEM.
  • Ensure newly deployed systems and devices are added to the log collection and alert monitoring inventory.
  • Configure and maintain SOAR playbooks related to alert handling, enrichment, routing, notification, ticket creation, and escalation.
  • Support automated response workflows for approved use cases.
  • Validate that automated actions trigger from the correct Sentinel alerts and incidents.
  • Test SOAR workflows to ensure they are accurate, safe, and documented.
  • Document automation logic, escalation paths, approval requirements, and exception handling.
  • Use Sentinel, KQL, Arctic Wolf findings, Microsoft Defender alerts, Tenable findings, and collected logs to identify suspicious activity.
  • Perform routine checks to confirm alerts are firing correctly and logs are available for investigation.
  • Hunt for suspicious authentication, malware, lateral movement, privilege escalation, persistence, command-and-control, data exfiltration, and abnormal system behavior.
  • Validate that detections are supported by complete and reliable log data.
  • Escalate confirmed threats, critical alerts, and unresolved logging gaps to the Head of Cybersecurity.
  • Maintain documentation for log sources, alert sources, data connectors, collection methods, SIEM rules, SOAR playbooks, and monitoring coverage.
  • Maintain a log and alert coverage matrix showing which systems are logging, what alerts are collected, and where data is monitored.
  • Produce recurring reports on Sentinel ingestion health, log source availability, alert source availability, missing or delayed logs, connector and agent health, alert rule status, Tenable data collection status, Arctic Wolf feed status, Microsoft cloud logging status, network and IoT device logging status, and unresolved monitoring gaps.
  • Support audits, compliance reviews, cyber insurance requests, and internal risk reviews by providing evidence of log collection and alert monitoring.
© 2026 Teal Labs, Inc