This role is a remote role, however, the customer may require the engineer to come in to the San Antonio office if deemed necessary.

The detection engineer blends technical skills, threat research experience, and knowledge of adversary techniques to work with new and existing data sources to create high fidelity, actionable alerts the SOC can use to quickly and effectively identify, analyze, and eradicate cybersecurity threats. This individual will be familiar with adversary Tactics, Techniques, and Procedures (TTPs), and will identify opportunities to improve the effectiveness of existing detection efforts. They will be responsible for developing methodologies to maintain and maximize the integrity and effectiveness of existing alerting through the creation, periodic review, testing, and validation of custom detection content. Additionally, they will leverage cybersecurity threat intelligence and collaborate with the SOC’s incident response teams to meet operational needs and defend against real-world threats.

The minimum qualifications are as follows:

1. A minimum of three years of experience working in detection engineering, threat hunting, security operations, or incident response using Splunk Enterprise Security or Microsoft Sentinel.

2. Experience with the processes to add/update/delete detection rules in Splunk Enterprise Security and Microsoft Sentinel.

3. Proficient in detection engineering methodologies including SNORT and YARA rules.

4. Proficient in Python programming, Bash, and PowerShell.

5. Proficient in Splunk’s Search Processing Language, React, Kusto Query Language, and the Common Information Model (CIM)

6. Knowledgeable and experienced in leveraging cybersecurity threat intelligence, indicators of compromise, STIX/TAXII data feeds, MITRE ATT&CK, and SIEM integrations.

7. Strong experience in networking principles, operating systems (Linux / Windows), and security tools such as IDS/IPS, firewalls, proxy servers and Endpoint Detection and Response (EDR).

8. Knowledge of Windows Sysinternal Suite (including Sysmon) Unix auditd, and how to tune configuration files for identification of malicious activity.

9. At least one of the following certifications: Splunk Enterprise Security Certified Admin credential or have passed the AZ-500 Microsoft Azure Security Technologies exam.