Lead - Platform Engineer
- Talent Job Seeker
- Kuala Lumpur
- Full-time
Key Responsibilities

Threat-Informed Detection Engineering
- Convert Red Team and adversary simulation insights into formal detection enhancements
- Map detections to MITRE ATT&CK, define telemetry requirements, and validate log sources & enrichments (ASIM-aligned where applicable)
- Perform post-engagement gap analysis and prioritize fixes in a transparent detection backlog
- Ensure each finding results in:
  - Improved/validated use case (KQL logic + entity mapping + suppression)
  - Updated triage guidance and analyst notes
  - Logic Apps playbook enhancement (if applicable)
  - Re-testing with Red Team

Full Use Case Development & Improvement Lifecycle
- Design: data requirements, ASIM mapping, entity model, severity, rationale, ATT&CK coverage
- Build: KQL logic, enrichment (watchlists/UEBA/context), suppression thresholds, incident settings
- Test: lab data, adversarial replay, quality gates (TP/FP rates, performance)
- Deploy: CI/CD with approvals, release notes, rollback plan
- Operate: health checks, noise reduction, performance optimization (query/runtime)
- Retire: deprecate & archive with justification
- Structured improvement cycles: SOC feedback - Engineering validation - Red Team re-test - Content update
Red Team – Engineering Collaboration
- Log all Red Team findings as use case candidates in a tracked backlog
- Partner with identity, network, cloud, and platform teams to enable telemetry and close platform gaps
- Maintain measurable outcomes: coverage uplift, detection efficacy, time-to-fix

SOAR / Logic Apps Playbook Enhancement
- Lead improvements to Logic Apps playbooks and automation patterns (enrichment, notifications, ticketing, containment orchestration)
- Apply attacker-driven learnings to harden playbooks (anti-bypass steps, validation & guardrails)
- Ensure robust error handling, retry policies, timeout controls, connection health monitoring, and Managed Identities/Key Vault hygiene
- Instrument playbooks with telemetry (success/failure, latency, step metrics)

Platform Ownership (Microsoft Sentinel)
- Own connectors, DCR/AMA, ASIM parsers, cost controls (table selection, Basic/Analytics tiers, data caps), Watchlists, Workbooks, Content Hub solutions
- Govern RBAC, CI/CD promotion gates, API permissions & service principals
- Drive data quality & health: missing sources, parsing failures, schema drift, time skew, volume anomalies
- Optimize storage/retention/archival, tune query performance and workspace costs

Governance, Reporting & Compliance
- Maintain full auditability: change records, approvals, test evidence, version history
- Produce coverage reports (by ATT&CK, asset class, control family) and Red Team uplift metrics
- Enforce segregation of duties and least privilege for SIEM operations

Person Specifications
- 6 – 10 years in SIEM engineering/detection engineering (Sentinel preferred)
- Deep hands-on experience with Microsoft Sentinel, KQL, ASIM, Logic Apps, Content Hub, Watchlists, Workbooks
- Proven experience partnering with Red Team/Pentesters and running Purple Team validations
- Ability to translate attacker TTPs into telemetry + high-fidelity detections
- Skilled with CI/CD for SIEM (Git, Azure DevOps), Detection-as-Code, and environment promotion
- Strong grasp of cloud identity & auth (Entra ID/OAuth/SAML/Kerberos), network protocols, and Windows/Linux telemetry
- Scripting for automation (PowerShell/Python), API integrations, and data normalization

Nice To Have
- Experience with M365 Defender and its bi-directional integrations with Sentinel
- Familiarity with Fusion/UEBA, ML anomalies, and custom parsers (KQL functions)
- Cost engineering for Sentinel (table strategy, Basic vs Analytics, archive/search)
Place of work
Talent Job Seeker, Kuala Lumpur, Malaysia
About us
Identify the best Talent with Talent Job Seeker
Job ID: 10491519 / Ref: 36769ce20aab7b76c801dfd27214bcf2