Lead - Platform Engineer

About the job

Key Responsibilities

Threat-Informed Detection Engineering

  • Convert Red Team and adversary simulation insights into formal detection enhancements
  • Map detections to MITRE ATT&CK, define telemetry requirements, and validate log sources & enrichments (ASIM-aligned where applicable)
  • Perform post-engagement gap analysis, prioritize fixes in a transparent detection backlog
  • Ensure each finding results in:
    o Improved/validated use case (KQL logic + entity mapping + suppression)
    o Updated triage guidance and analyst notes
    o Logic Apps playbook enhancement (if applicable)
    o Re-testing with Red Team

Full Use Case Development & Improvement Lifecycle

  • Design: data requirements, ASIM mapping, entity model, severity, rationale, ATT&CK coverage
  • Build: KQL logic, enrichment (watchlists/UEBA/context), suppression thresholds, incident settings
  • Test: lab data, adversarial replay, quality gates (TP/FP rates, performance)
  • Deploy: CI/CD with approvals, release notes, rollback plan
  • Operate: health checks, noise reduction, performance optimization (query/runtime)
  • Retire: deprecate & archive with justification
  • Structured improvement cycles: SOC feedback - Engineering validation - Red Team re-test - Content update.

Red Team – Engineering Collaboration

  • Log all Red Team findings as use case candidates in a tracked backlog
  • Partner with identity, network, cloud, and platform teams to enable telemetry and close platform gaps
  • Maintain measurable outcomes: coverage uplift, detection efficacy, time-to-fix

SOAR / Logic Apps Playbook Enhancement

  • Lead improvements to Logic Apps playbooks and automation patterns (enrichment, notifications, ticketing, containment orchestration)
  • Apply attacker-driven learnings to harden playbooks (anti-bypass steps, validation & guardrails)
  • Ensure robust error handling, retry policies, timeout controls, connection health monitoring, and Managed Identities/Key Vault hygiene
  • Instrument playbooks with telemetry (success/failure, latency, step metrics)

Platform Ownership (Microsoft Sentinel)

  • Own connectors, DCR/AMA, ASIM parsers, cost controls (table selection, Basic/Analytics tiers, data caps), Watchlists, Workbooks, Content Hub solutions
  • Govern RBAC, CI/CD promotion gates, API permissions & service principals
  • Drive data quality & health: missing sources, parsing failures, schema drift, time skew, volume anomalies
  • Optimize storage/retention/archival, tune query performance and workspace costs

Governance, Reporting & Compliance

  • Maintain full auditability: change records, approvals, test evidence, version history
  • Produce coverage reports (by ATT&CK, asset class, control family) and Red Team uplift metrics
  • Enforce segregation of duties and least privilege for SIEM operations

Person Specifications

  • 6 – 10 years in SIEM engineering/detection engineering (Sentinel preferred)
  • Deep hands-on with Microsoft Sentinel, KQL, ASIM, Logic Apps, Content Hub, Watchlists, Workbooks
  • Proven experience partnering with Red Team/Pentesters and running Purple Team validations
  • Ability to translate attacker TTPs into telemetry + high-fidelity detections
  • Skilled with CI/CD for SIEM (Git, Azure DevOps), Detection-as-Code, and environment promotion
  • Strong grasp of cloud identity & auth (Entra ID/OAuth/SAML/Kerberos), network protocols, and Windows/Linux telemetry
  • Scripting for automation (PowerShell/Python), API integrations, and data normalization

Nice To Have

  • Experience with M365 Defender and its bi-directional integrations with Sentinel
  • Familiarity with Fusion/UEBA, ML anomalies, and custom parsers (KQL functions)
  • Cost engineering for Sentinel (table strategy, Basic vs Analytics, archive/search)