SOC Detection & Automation Engineer III

Nordic Healthcare Group (NHG)

About The Position

Make a difference. Be happy. Grow your career.

The Role

The SOC Level III Detection and Automation Engineer designs, implements, and maintains automated solutions and builds, tunes, and manages SIEM detection content to improve the efficiency and effectiveness of our Security Operations Center (SOC). The ideal candidate also has advanced knowledge of incident response automation, hands-on skill in incident detection, analysis, response, and threat hunting, and a solid understanding of cybersecurity principles and technologies. The role provides support and guidance to IT for all customer and affiliate entities, and documents its work as incident reports, policies, standards, network security diagrams, playbooks, and knowledge base articles in support of the Payment Card Industry Data Security Standard (PCI DSS), the Health Information Trust Alliance (HITRUST) framework, the Health Insurance Portability and Accountability Act (HIPAA), and cybersecurity due diligence and due care.

Nordic, a Best in KLAS IT Services Firm serving the healthcare industry exclusively, strives to empower healthcare providers to leverage technology and realize digital transformation. All Nordic staff embrace Nordic's maxims and its mission to serve our customers, who care so well for us.

Requirements

  • Proficiency in scripting and programming languages (Python, PowerShell, Bash) for SOC automation, including automated log parsing, IOC enrichment, threat intelligence lookups, and integration with security APIs (e.g., Microsoft Graph Security API, Google Threat Intelligence (VirusTotal), Shodan).
  • Knowledge of infrastructure and cloud technologies, including networking, virtualization, and containerization, to facilitate automated solutions deployment.
  • Strong understanding of cybersecurity principles, threat landscapes, and SOC operations to identify areas for automation improvement.
  • Project management skills to oversee automation initiatives, prioritize tasks, and manage timelines effectively.
  • Strong knowledge of applicable laws and regulations (HIPAA, Privacy Act, GDPR), industry standards (PCI DSS), and security configuration baselines (DISA STIGs, CIS Controls and Benchmarks).
  • Strong knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
  • Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications, both network and host based.
  • Strong knowledge of cyber threats, vulnerabilities, and adversarial tactics, techniques, and procedures (TTPs).
  • Bachelor's degree and 8 years of related experience, a Master's degree and 6 years of related experience, or 11 years of related experience and no degree.
  • Strong interpersonal, oral communication, and proven analytical and problem-solving skills.
  • Ability to communicate clearly and present security findings, in writing and orally, to technical staff as well as non-technical colleagues.
  • Able to prioritize and execute tasks in a high-pressure environment.
  • Strong customer service, independence and experience working in a team-oriented, collaborative environment.
  • Participates in a 24x7 on-call rotation for emergency response to critical technical situations requiring immediate attention.

Nice To Haves

  • Preferred experience in cybersecurity incident response
  • Firm understanding of threat hunting.
  • Preferred experience with integration of Microsoft SharePoint.
  • Preferred experience with integration of ServiceNow.
  • Preferred: Hands-on experience with Microsoft Sentinel as a primary SIEM, including configuring data connectors, writing analytics rules, and managing the Sentinel workspace.
  • Preferred: Proficiency in Kusto Query Language (KQL) for writing, optimizing, and validating detection queries and threat hunting searches within Microsoft Sentinel and Microsoft Defender.
  • Familiarity with the Microsoft Defender suite (Defender for Endpoint, Defender for Identity, Defender for Cloud Apps, etc.) and how Defender signals integrate with Microsoft Sentinel for unified detection and investigation.
  • Working knowledge of the MITRE ATT&CK framework as applied to detection engineering, including mapping detection rules to tactics, techniques, and sub-techniques.
  • Understanding of log source onboarding, normalization, and data quality concepts as they relate to SIEM effectiveness and detection reliability.
  • Experience developing or refining detection-as-code practices, including version-controlled rule management and peer review processes for detection logic changes.
  • Hands-on experience designing and building SOAR playbooks for automated incident response, alert triage, and threat containment workflows, with proficiency in at least one enterprise SOAR platform (e.g., Microsoft Sentinel SOAR/Logic Apps, Swimlane Turbine, Palo Alto XSOAR, etc.).
  • Experience developing and maintaining Microsoft Sentinel automation rules and Azure Logic Apps playbooks for automated alert enrichment, ticket creation, and response actions integrated with downstream tools (e.g., ServiceNow, Microsoft Defender, email notification systems).
  • Familiarity with RESTful API integration concepts and the ability to connect disparate security tools via APIs to enable bidirectional data sharing and coordinated automated response across the SOC toolchain.
  • Experience working in a large healthcare organization.
  • Knowledge of regulatory compliance and risk management frameworks: PCI DSS, HIPAA, and NIST SP 800-30, 800-37, 800-53, and 800-115.

Responsibilities

  • Automation Solutions Development: Design, develop, and deploy automated scripts, tools, correlation policies, and workflows to streamline SOC operations, integrating disparate security technologies via APIs to enable seamless data sharing across the SOC toolchain. Evaluate, customize, and optimize security tools and platforms (SOAR, SIEM, etc.) to maximize automation capabilities within the SOC environment. Analyze existing SOC processes and workflows to identify bottlenecks or inefficiencies and propose automation strategies to improve operational efficiency.
  • Monitoring and Detection: Conduct analysis of security events to determine their nature, scope, and potential impact on the organization's systems and data.
  • Incident Response: Conduct analysis of security incidents escalated from junior-level analysts, determining root cause, scope of impact, and affected systems or data to support timely triage and escalation decisions during on-call rotations. Execute initial containment and mitigation strategies for confirmed security incidents, coordinating with relevant stakeholders and operational teams as needed, and escalating to senior IR resources when scope or complexity warrants. Prepare incident reports documenting the analysis, findings, actions taken, and recommendations for improvement to support handoff and post-incident review by the broader security team.
  • SIEM Detection Engineering: Design, develop, and maintain detection logic within Microsoft Sentinel, including KQL-based analytics rules, scheduled query rules, and near-real-time (NRT) detection rules aligned to the MITRE ATT&CK framework. Continuously tune existing detection rules to reduce false positive rates, improve signal fidelity, and adapt to evolving threat behaviors and changes in the customer environment. Manage Microsoft Sentinel data connectors, log ingestion pipelines, workspace settings, workbooks, watchlists, and threat intelligence feeds to ensure comprehensive data collection and enrich detection and analyst investigations. Perform detection coverage gap analysis using the MITRE ATT&CK framework, mapping current detection posture against relevant tactics and techniques and driving remediation of coverage gaps. Manage the full detection lifecycle, from research and development through deployment, validation, and retirement, following a detection-as-code approach with version control, and maintain documentation of rule rationale, tuning history, and false positive mitigation notes within the team knowledge base. Translate threat intelligence, exercise findings, and post-incident reviews into actionable new or updated detection rules to improve proactive defense posture.
  • Support and Collaboration: Collaborate with cross-functional teams to identify automation opportunities and implement solutions for security tool integration and orchestration. Assist in the development and implementation of long-term cybersecurity strategies and roadmaps aligned with industry best practices.
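The detection-as-code practice described in the SIEM Detection Engineering responsibilities (version-controlled rules, peer review of rule changes, ATT&CK mapping, and coverage gap analysis) is easiest to see in the checks a CI job would run on every rule change. The following is an added example written for this page, not Nordic's or Microsoft's code. The rule fields, the onboarded-table list and the three sample rules are constructed assumptions, and the schema is a simplified stand-in for Sentinel's own analytics rule format.

```python
"""Detection-as-code review checks for version-controlled Sentinel-style analytics rules.

Added example; the rule schema is an assumed, simplified representation of a
scheduled analytics rule, and ONBOARDED_TABLES is an assumed workspace inventory.
"""
import re

SEVERITIES = {"Informational", "Low", "Medium", "High"}
REQUIRED_FIELDS = ("id", "name", "description", "severity", "query", "queryFrequency",
                   "queryPeriod", "tactics", "techniques", "rationale", "tuningNotes")
TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")                         # T1059 or T1059.001
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")    # PT5M, PT1H, P1D
# Tables actually onboarded in the (assumed) workspace. A rule whose query starts
# from any other table deploys cleanly and never fires: a silent coverage gap.
ONBOARDED_TABLES = {"SecurityEvent", "SigninLogs", "DeviceProcessEvents", "Syslog"}
MAX_PERIOD_MINUTES = 14 * 24 * 60   # scheduled rules look back at most 14 days


def parse_duration(value):
    """ISO 8601 duration (day/hour/minute parts) -> minutes; ValueError if malformed."""
    m = DURATION_RE.match(value or "")
    if not m or all(g is None for g in m.groups()):
        raise ValueError(f"malformed duration {value!r}")
    days, hours, minutes = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + minutes


def first_table(query):
    """Table a KQL query starts from: the first identifier before the first pipe."""
    head = query.strip().split("|", 1)[0].split()
    return head[0] if head else ""


def validate_rule(rule):
    """Return review findings for one rule; an empty list means it passes."""
    findings = [f"missing or empty field: {f}" for f in REQUIRED_FIELDS if not rule.get(f)]
    if findings:
        return findings  # do not check semantics of an incomplete rule
    if rule["severity"] not in SEVERITIES:
        findings.append(f"unknown severity {rule['severity']!r}")
    findings += [f"malformed ATT&CK technique id {t!r}"
                 for t in rule["techniques"] if not TECHNIQUE_RE.match(t)]
    try:
        freq = parse_duration(rule["queryFrequency"])
        period = parse_duration(rule["queryPeriod"])
        if period < freq:
            findings.append("queryPeriod shorter than queryFrequency: events between runs are never examined")
        if period > MAX_PERIOD_MINUTES:
            findings.append("queryPeriod exceeds the 14-day maximum for scheduled rules")
    except ValueError as exc:
        findings.append(str(exc))
    table = first_table(rule["query"])
    if table not in ONBOARDED_TABLES:
        findings.append(f"query reads from {table!r}, which is not an onboarded table")
    return findings


def coverage_gaps(rules, required_techniques):
    """Required ATT&CK techniques with no rule mapped to them or to one of their sub-techniques."""
    covered = {t for r in rules for t in r.get("techniques", [])}
    covered |= {t.split(".")[0] for t in covered}   # T1059.001 also covers parent T1059
    return sorted(set(required_techniques) - covered)


def review(rules):
    """Map each rule id to its findings; a CI job fails on any non-empty list."""
    return {r.get("id", "<no id>"): validate_rule(r) for r in rules}


# Constructed sample rule set standing in for the rules/ directory of a detection repo.
BASE_RULE = {
    "id": "nhg-0001", "name": "Encoded PowerShell command line",
    "description": "powershell.exe launched with an encoded command.", "severity": "Medium",
    "query": "DeviceProcessEvents | where FileName =~ 'powershell.exe' "
             "| where ProcessCommandLine has_any ('-enc', '-EncodedCommand')",
    "queryFrequency": "PT1H", "queryPeriod": "PT1H",
    "tactics": ["Execution"], "techniques": ["T1059.001"],
    "rationale": "Encoded command lines are rare for interactive admins in this environment.",
    "tuningNotes": "Excluded the SCCM client host after false-positive review.",
}
SAMPLE_RULES = [
    BASE_RULE,
    {**BASE_RULE, "id": "nhg-0002", "name": "Sign-in brute force", "severity": "High",
     "query": "SigninLogs | where ResultType != 0 "
              "| summarize Failures = count() by UserPrincipalName | where Failures > 20",
     "queryFrequency": "PT1H", "queryPeriod": "PT15M",          # look-back shorter than interval
     "tactics": ["CredentialAccess"], "techniques": ["T1110"]},
    {**BASE_RULE, "id": "nhg-0003", "name": "New inbox rule created", "severity": "Low",
     "query": "OfficeActivity | where Operation == 'New-InboxRule'",   # table not onboarded
     "queryFrequency": "P1D", "queryPeriod": "P1D",
     "tactics": ["Persistence"], "techniques": ["T1564-002"]},        # malformed technique id
]

if __name__ == "__main__":
    for rule_id, findings in review(SAMPLE_RULES).items():
        print(rule_id, "OK" if not findings else "; ".join(findings))
    print("coverage gaps:", coverage_gaps(SAMPLE_RULES, ["T1059", "T1110", "T1078", "T1566.001"]))
```

Run as a script it reviews the sample set; in a detection repository, `review()` would run on every pull request and block the merge on any non-empty finding list, which is the peer review gate the detection-as-code approach relies on. Two of the checks catch defects a rule can carry silently into production: a look-back window shorter than the run interval leaves events between runs unexamined, and a query against a table that was never onboarded produces a rule that deploys without error and never fires. The coverage check shows the gap-analysis step: the required technique list is what the team would derive from threat intelligence or exercise findings, and the result is the backlog of detections still to be written.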