For A Large Japanese Innovation And Technology Company
3 - 5 Years
Full Time
Up to 30 Days
Up to 19 LPA
1 Position(s)
Pune
Posted By : Nilasu Consulting Services Pvt Ltd
• Design, build, and maintain detection rules, correlation searches, dashboards, and reports in one or more of the specialized SIEM platforms.
• Continuously validate and tune detection logic through simulations, red-team findings, SOC false positives, and live incident feedback.
• Analyze log and telemetry data to uncover suspicious behaviors, patterns, and indicators of compromise; develop new signatures accordingly.
• Integrate external threat-intelligence feeds (IoCs and TTPs) to enrich alerts and broaden detection coverage.
• Leverage MITRE ATT&CK and other frameworks to guide prioritization and detection development methodology.
• Perform periodic rule health checks, adjusting thresholds to maximize fidelity and minimize false positives.
• Collaborate with SOAR engineers to automate enrichment, triage, and response actions that stem from SIEM alerts.
• Conduct hypothesis-driven and threat-intelligence-driven threat hunts to identify advanced attacker techniques not yet covered by automated detections.
• Generate clear, actionable metrics and trend reports for SOC leadership, highlighting alert volumes, rule efficacy, and tuning outcomes. Maintain detection KPIs to measure alert accuracy.
• Document all detection logic, tuning rationales, and operational procedures to support audit, compliance, and knowledge transfer.
• Provide technical consultation during incident investigations and post-incident retrospectives, identifying detection gaps and recommending improvements.
Qualifications & Skills
• Minimum 3 years overall experience in cybersecurity operations or engineering.
• At least 1–2 years hands-on experience building detections in one of the following SIEMs: Microsoft Sentinel (KQL) or Google SecOps (YARA-L).
• Strong understanding of MITRE ATT&CK and its practical application to detection engineering.
• Familiarity with cloud infrastructures (Azure, GCP, AWS) and the security logs they generate.
• Proficiency in scripting for automation (Python or PowerShell preferred).
• Working knowledge of common security controls and telemetry sources: firewalls, IDS/IPS, EDR, endpoint protection, cloud logs, etc.
• Relevant certifications (any of): Admin · SC-200 (Microsoft Sentinel) · Google SecOps Certified · CompTIA Security+ · GCP / Azure / AWS Foundational.
• Excellent written documentation skills and the ability to convey complex detection concepts to both technical and non-technical stakeholders.