Job Specifications
Summary
The Microsoft Sentinel SOAR & UEBA Engineer is responsible for designing, developing, and maintaining advanced security automation, analytics, and behavioral detection capabilities within Microsoft Sentinel. This role focuses on SOAR playbook development, UEBA analytics engineering, SIEM content creation, and system integrations to improve threat detection, response efficiency, and overall security posture. The engineer works closely with cybersecurity leadership, SOC analysts, and cross-functional IT teams to deliver scalable, automated, and intelligence-driven security operations.
Essential Job Functions (EJFs)
1. Microsoft Sentinel SOAR Development (40%)
Design, develop, test, and deploy Sentinel SOAR automation playbooks using Azure Logic Apps, Azure Functions, ARM templates, and REST APIs.
Create automated workflows for alert enrichment, triage, response actions, notifications, and case management.
Integrate Microsoft Sentinel with third-party security and enterprise systems (EDR, IAM, ticketing systems, email gateways, firewalls, etc.) to automate security operations.
2. UEBA & Analytics Engineering (30%)
Develop custom UEBA detection rules, anomaly models, ML-based behavior patterns, and advanced hunting queries using KQL.
Build and maintain analytics rules, data parsers, normalization rules, and entity behavior profiles.
Evaluate behavioral anomalies and collaborate with cybersecurity teams to fine-tune detection logic and reduce false positives.
3. SIEM Content Development & Platform Engineering (15%)
Design and implement custom data connectors, ingestion pipelines, and data transformation logic.
Create and maintain dashboards, workbooks, hunting queries, and detection-as-code assets.
Perform platform tuning to improve performance, signal-to-noise ratio, and alignment with MITRE ATT&CK and Zero Trust principles.
4. Application Development & Integration (10%)
Develop supporting scripts, microservices, helper APIs, and automation modules using Python, PowerShell, C#/.NET, or similar languages.
Work with CI/CD pipelines, DevOps practices, version control systems, and infrastructure-as-code where applicable.
5. Documentation, Collaboration & Support (5%)
Create and maintain technical design documents, SOPs, architecture diagrams, and automation runbooks.
Collaborate with DSHS, HHSC CISO Office, and cross-functional stakeholders on requirements, testing, and deployment.
Provide Tier III engineering support for Sentinel-related issues and participate in after-action reviews as needed.
Knowledge, Skills, and Abilities (KSAs)
Knowledge of:
Microsoft Sentinel architecture, SOAR automation, and UEBA capabilities.
Azure cloud services including Logic Apps, Azure Functions, Event Hubs, Key Vault, and Azure AD (now Microsoft Entra ID).
Security operations processes such as triage, threat detection, incident response, and threat modeling.
MITRE ATT&CK, NIST CSF, and Zero Trust Architecture concepts.
Programming and scripting languages such as Python, PowerShell, KQL, C#, JavaScript, or equivalent.
CI/CD pipelines, DevOps methodologies, and Git-based version control.
API integrations and JSON/YAML data structures.
Skills in:
Building Logic App workflows and custom Sentinel automation playbooks.
Writing complex KQL queries for analytics, hunting, and behavioral detections.
Developing custom data connectors, parsers, and data mappings.
Designing, tuning, and optimizing UEBA detection models.
Debugging SOAR workflows and resolving integration and automation issues.
Communicating complex technical concepts to technical and non-technical stakeholders.