Security Automation Engineer

Stefanini Group, Raritan, NJ

About The Position

Stefanini Group is looking for a Security Automation Engineer for a globally recognized company! For interested applicants, click the apply button or you may reach out to Micah Andres at (248) 386-7399/Micah.Andres@Stefanini.com for faster processing. Thank you!

Role Summary

A Security Automation Engineer to build and operationalize the automation that correlates CrowdStrike Falcon Device Control telemetry with Active Directory/Azure Entra ID group changes in Microsoft Sentinel, and then programmatically updates CrowdStrike device control policy group membership via API. The engineer will own the scripting, testing, and configuration work, carried out with our client, required to implement the end-to-end flow defined in our design.

Requirements

  • 5+ years in security engineering/automation with SIEM (Microsoft Sentinel) and endpoint security integrations.
  • Proficiency in KQL, Python and/or PowerShell, and REST/OAuth2 API integration.
  • Hands‑on experience with CrowdStrike Falcon (preferably Device Control), FDR pipelines, and API‑driven policy management.
  • Solid understanding of Windows Security Event Log semantics, especially 4728/4729 (group membership changes), 6416 (new device recognized), and 4663 (file access), and how to correlate them with endpoint telemetry.
  • Cloud data engineering basics: AWS S3 object lifecycle, schema evolution, and secured ingestion; Azure identity fundamentals.

Nice To Haves

  • Experience building SOAR playbooks (e.g., Sentinel Automation Rules/Logic Apps) and CI/CD pipelines for security automations.
  • Prior implementation of device control/DLP workflows and handling USB policy exceptions at scale.
  • Exposure to regulated environments (e.g., healthcare/life sciences) and change‑controlled releases.
  • Familiarity with Entra ID (formerly Azure AD) group modeling and hybrid AD sync nuances.

Responsibilities

Build the event pipeline & data model

  • Stand up and harden the FDR to S3 delivery for Falcon Device Control events (e.g., DcRemovableStorageDeviceConnected, DcUsbDevicePolicyViolation, DcUsbDeviceWhitelisted), ensuring schema normalization and lifecycle management in S3.
  • Configure Microsoft Sentinel ingestion for FDR data and AD/Entra ID user/group events; develop KQL parsers, tables, and data normalizations to support correlation.

Correlation & detection logic

  • Author KQL analytics/rules that join Windows Event IDs 4728/4729/6416/4663 with CrowdStrike Device Control events to identify when a user's group status should change host USB policy posture.
  • Implement suppression/thresholding to reduce flapping and false positives (e.g., batch group changes, burst-aware dedupe).

Automation & integration

  • Build idempotent automation (PowerShell, Python, Logic Apps, Functions, or similar) that calls CrowdStrike APIs to move hosts into/out of the Device Control allow group based on Sentinel signals.
  • Include robust error handling, retries, and audit logging.
  • Package automation as CI/CD artifacts (IaC where appropriate), with secure secrets handling (Key Vault/Secrets Manager).

Testing & validation

  • Develop unit tests for parsers and functions, integration tests for end-to-end flows (synthetic Windows events + synthetic FDR samples), and UAT runbooks for security operations.
  • Create simulation data (sanitized/synthetic) to validate rules for Event IDs 4728, 4729, 6416, 4663 and representative FDR Device Control events prior to production cutover.

Operations & documentation

  • Build dashboards in Sentinel that show pipeline health, rule efficacy, and host policy transitions.
  • Document the full runbook: deployment, rollback, break-glass steps, and change control.
  • Train L2/L3 SOC and Help Desk on troubleshooting and manual override procedures.
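As an added illustration of the correlation and de-duplication step described above (this is example KQL written for this page, not code from Stefanini or the client design), the query below joins 4728/4729 changes to the USB allow group with Device Control activity and collapses bursts to one decision per user/host. It assumes the allow group is named "USB-Allowed-Users" and that FDR events land in a custom table `CrowdStrikeFDR_CL` with fields `aid`, `ComputerName`, `UserSid` and `event_simpleName`; the real table and field names depend on the parser built in the pipeline step.

```kql
// Added example, not from the posting. Assumed names: group "USB-Allowed-Users",
// table CrowdStrikeFDR_CL with aid, ComputerName, UserSid, event_simpleName.
let AllowGroup = "USB-Allowed-Users";
let Lookback = 1h;
// Step 1: membership changes to the allow group.
// 4728 = member added to a security-enabled global group, 4729 = member removed.
let GroupChanges = SecurityEvent
    | where TimeGenerated > ago(Lookback)
    | where EventID in (4728, 4729)
    | where TargetUserName =~ AllowGroup
    | project ChangeTime = TimeGenerated, MemberSid, MemberName, SubjectUserName,
              Action = iff(EventID == 4728, "add", "remove");
// Step 2: hosts on which that user recently generated a Device Control event,
// so the policy change is applied only where the user actually plugs devices in.
let DeviceActivity = CrowdStrikeFDR_CL
    | where TimeGenerated > ago(7d)
    | where event_simpleName in ("DcRemovableStorageDeviceConnected",
                                 "DcUsbDevicePolicyViolation")
    | summarize LastSeen = max(TimeGenerated) by UserSid, aid, ComputerName;
// Step 3: join on SID, then keep only the latest action per (user, host).
// A batch that adds and then removes the same member inside the window
// yields a single "remove", so the API automation never flaps.
GroupChanges
| join kind=inner (DeviceActivity) on $left.MemberSid == $right.UserSid
| summarize arg_max(ChangeTime, Action, MemberName, SubjectUserName)
    by MemberSid, aid, ComputerName
| project ChangeTime, Action, MemberName, MemberSid, aid, ComputerName,
          ChangedBy = SubjectUserName
| order by ChangeTime desc
```

The resulting rows (one per user/host with an `Action` of add or remove and the `aid` to target) are what the downstream idempotent automation would consume when calling the CrowdStrike host-group API.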
© 2024 Teal Labs, Inc