Security Engineer — SIEM & Threat Detection

• 8–10 years total experience in cybersecurity or cloud infrastructure security
• Minimum 3 years of hands-on experience with the Microsoft security stack in production enterprise environments
• Demonstrated experience across both deployment (greenfield/brownfield) and steady‑state operations
• Experience managing environments with 500+ endpoints
• Exposure to regulated industries (healthcare, financial services, or equivalent) preferred

SIEM — Microsoft Sentinel

• 3+ years of Microsoft Sentinel deployment and operations experience
• Proficient in designing and deploying Log Analytics Workspaces and integrating data connectors (M365, Defender, Azure Activity, custom sources)
• Ability to configure and tune analytics rules, custom alert thresholds, and suppression logic
• Experience building and maintaining Sentinel workbooks for compliance and operational reporting
• Hands‑on experience with cross‑workspace queries and multi‑tenant Sentinel architectures (preferred)

KQL — Kusto Query Language

• Advanced KQL proficiency (joins, let statements, time‑series analysis, summarise, render)
• Ability to independently author complex threat‑hunting queries without templates
• Experience creating parameterized workbooks and custom dashboards using KQL
• Performance optimization of high‑cardinality queries across large data volumes

SOAR — Playbook & Automation Engineering

• Experience designing and building production‑grade SOAR playbooks using Azure Logic Apps
• Ability to author, test, and document end‑to‑end automated incident response workflows
• Experience integrating Sentinel playbooks with external systems (ticketing, notification, identity) via Logic App connectors
• Familiarity with Azure Automation Runbooks and PowerShell‑based remediation scripts
• Ability to conduct and document playbook testing, including failure‑mode analysis

Defender XDR Suite

• Defender for Endpoint P2: Large‑scale deployment (500+ devices), onboarding via Intune, Group Policy, or MDE scripts; policy management
• Defender Vulnerability Management (MDVM): Dashboard configuration, CVE prioritization, remediation workflow ownership
• Defender for Office 365 Plan 2: Safe Attachments, Safe Links, anti‑phishing policy configuration, attack simulation training administration
• Microsoft Defender for Cloud Apps (MCAS): Cloud Discovery configuration, app risk scoring, anomaly‑detection policy setup
• Familiarity with the Defender XDR unified portal, including incident queue management, alert correlation, and advanced hunting

Cloud Security Posture — Defender for Cloud

• Deployment and management of Defender for Cloud (CSPM) across Azure subscriptions
• Configuration of regulatory compliance dashboards (HIPAA, HITRUST, SOC 2)
• Ability to interpret Secure Score recommendations and drive remediation initiatives

 Incident Response

• Hands‑on experience authoring or contributing to Incident Response (IR) plans
• Documented participation in incident response tabletop exercises
• Familiarity with SLA‑based IR frameworks, including detection, containment, and notification timelines
• Experience with breach documentation, post‑incident reviews, and response playbook iteration
• Awareness of HIPAA breach notification requirements (§164.410, 60‑day rule) preferred

Purview Insider Risk Management

• Experience configuring Purview Insider Risk Management (IRM) policies for data exfiltration, policy violations, and departing employee scenarios
• Ability to review and interpret IRM alerts and produce compliance or leadership‑level reports
• Understanding of IRM prerequisites, including DLP labeling and Microsoft Defender for Endpoint (MDE) integration

Compliance Framework Awareness

• Working knowledge of SOC 2 Trust Services Criteria, especially CC7.x (system monitoring, anomaly detection, incident response)
• Familiarity with HIPAA Security Rule §164.312(b) — Audit Controls
• Awareness of the HITRUST r2 framework and its alignment with HIPAA requirements
• Understanding of what constitutes valid audit evidence for control testing