Key skills
CloudPythonBashPowerShellAnalytics
About this role
Role Overview
- Tune EDR, SIEM, and XDR detections to reduce false positives and improve alert quality.
- Build and maintain detection rules, correlation searches, dashboards, watchlists, and response workflows.
- Translate Red Team, Purple Team, incident, and Threat Intelligence findings into repeatable defensive checks.
- Validate that EDR policies, prevention rules, logging, sensor health, and response actions work as expected.
- Review noisy alerts and tune thresholds, exclusions, lookups, entity context, and suppression logic.
- Support SOC analysts with clear alert descriptions, triage steps, severity logic, and escalation guidance.
- Improve log coverage, parsing, field normalization, enrichment, and data quality.
- Map detections to MITRE ATT&CK where useful. ATT&CK is widely used to describe adversary tactics and techniques based on real-world observations.
- Write portable detection content using formats such as Sigma, which is designed as a generic signature format for SIEM detections.
- Track detection gaps, false positive trends, alert health, and platform performance
Requirements
- Experience tuning EDR, SIEM, XDR, or SOC monitoring platforms.
- Strong understanding of endpoint, identity, cloud, network, and web attack behaviors.
- Practical experience writing detection logic in KQL, SPL, EQL, Lucene, Sigma, YARA, or similar.
- Familiarity with MITRE ATT&CK mapping and detection coverage analysis.
- Ability to turn Red Team, Purple Team, and incident findings into clear detection logic.
- Experience reducing false positives through rule tuning, exceptions, automation, and better entity context. Microsoft Sentinel supports this through automation rules and analytics rule changes.
- Strong scripting ability in Python, PowerShell, Bash, or similar.
- Good understanding of SOC workflows, incident triage, escalation, and response playbooks.
- Strong documentation skills.
Tech Stack
- Cloud
- Python
Benefits
- A competitive salary + individual performance based bonuses every quarter
- 28 days paid annual leave
- Our core working hours are 10am-3pm in your local time zone with flexibility outside of this
- Referral bonuses & flash bonuses
- Top of the line equipment
- Annual company retreats to provide great internal networking opportunities