SIEM Detection Engineer

About The Position

Requirements

• Five (5+) years of experience in an information security role. Progressive relevant training and/or certification may be substituted for one (1) year of the experience requirement.
• Experience working in a SOC, Threat Hunting, or DFIR is preferred.
• Two (2+) years of experience with system tuning and/or engineering (SIEM, EDR, logging pipelines, or analytics platforms).
• Strong experience writing SIEM detections and queries (e.g., Elasticsearch/Kibana or similar).
• Familiarity with common network security and firewall logs and the ability to interpret and detect threats from them (e.g., FortiGate, SonicWall, and other vendor integrations).
• Familiarity with schemas such as OCSF.
• Working knowledge of Windows threat indicators and common attacker behaviors (process execution, persistence, lateral movement, credential access, C2 patterns).
• Knowledge of attacker tools, including legitimate software abused for malicious purposes.
• Familiarity with parent/child process relationships, command-line arguments, and how they are used to identify suspicious activity.
• Ability to troubleshoot and debug data ingestion issues, including parsing problems, missing fields, and normalization gaps.
• Excellent communication skills to summarize findings and present detection rationale, coverage, and trends.
• Ability to work independently with strong problem-solving skills.

Nice To Haves

• Experience with log onboarding and integrations (syslog, agents, API-based collection) across common MSP stacks.
• Basic scripting/automation experience (Python and/or PowerShell) to support enrichment, detection testing, or workflow improvements.
• Experience creating Sigma and/or YARA rules and validating against adversary TTPs.
• Proficiency using Power BI or building Kibana dashboards for detection and trend visualization.
• Network/System Administration experience.
• CRTO, eCPTX, or other relevant certifications.
• Deep forensic knowledge of Windows, macOS and/or Linux.
• Malware analysis experience (behavioral and/or static analysis)

Responsibilities

• Create, test, and maintain detection logic and rules for new and emerging threats using SIEM telemetry.
• Tune alerts to reduce false positives and ensure detection rules have minimal gaps, maximizing the efficiency and accuracy of our 24x7 SOC.
• Build and refine detections using diverse log sources and integrations, including firewall and network security telemetry (e.g., FortiGate, SonicWall, and similar platforms), plus endpoint, identity, cloud, and DNS data where available.
• Collaborate with SOC analysts to identify common patterns and trends across customer environments and translate them into durable detection content.
• Assist in designing dashboards/visualizations to track threat trends, detection performance, and customer-specific patterns.
• Partner with ingestion/platform teams to troubleshoot parsing, normalization, indexing, and data availability issues impacting detection quality.
• Build or maintain test environments and validation workflows to safely verify detections against real-world attacker TTPs.
• Support incident response efforts by reviewing activity mitigated by the SOC and writing detections based on observed tradecraft.
• Contribute to enrichment and automation improvements (light scripting, workflow enhancements, alert context) to reduce investigation time and improve analyst decision-making.

Benefits

• For eligible employees in the US, Blackpoint offers competitive Health, Vision, Dental, and Life Insurance plans, a robust 401k plan, Discretionary Time Off, and other minor perks.