Tier 2 SOC Analyst

The Tier 2 SOC Analyst acts as a technical escalation point and lead responder within a Microsoft XDR–driven Security Operations Center. This role is responsible for investigating and responding to complex, high-severity security incidents using Microsoft Sentinel and the Defender XDR suite, correlating signals across identity, endpoint, email, cloud, and network workloads. Tier 2 Analysts operate with minimal supervision, leverage automation and advanced hunting to reduce dwell time, and drive continuous improvement in detections, response playbooks, and SOC maturity. This role also provides mentorship to Tier 1 analysts and partners closely with engineering and cloud teams to strengthen client security posture.

1. Serve as the primary Tier 2 escalation for security incidents originating from Microsoft Sentinel and Defender XDR.

2. Perform advanced investigation and correlation of incidents across Microsoft Defender for Endpoint, Defender for Identity, Defender for Office 365, Defender for Cloud, and Entra ID.

3. Lead containment, eradication, and recovery actions, including endpoint isolation, identity controls, mailbox actions, and cloud resource remediation.

4. Conduct root cause analysis using Microsoft XDR timelines, advanced hunting queries (KQL), and incident data.

5. Own and manage high-severity incidents end-to-end, ensuring accurate documentation, timely communications, and actionable post-incident reporting.

6. Develop, refine, and optimize Sentinel analytics rules, workbooks, and automation playbooks using Logic Apps and SOAR capabilities.

7. Perform proactive threat hunting using KQL and Microsoft XDR advanced hunting features to identify suspicious or emerging attacker behavior.

8. Review Tier 1 investigations for quality and accuracy, providing technical mentorship and coaching.

9. Identify recurring alert patterns, false positives, and detection gaps, recommending improvements to signal fidelity and response efficiency.

10. Support vulnerability and exposure management efforts by correlating Defender findings with active threats and business risk.

11. Assist in the development and maintenance of security policies, incident response procedures, and SOC runbooks.

12. Collaborate with engineering and cloud teams on secure configuration, remediation guidance, and architectural improvements.

13. Contribute to continuous SOC improvement initiatives focused on automation, metrics, and proactive security operations.

Required Knowledge and Skills:

  • Security+ certification required or strongly preferred; Microsoft security certifications (e.g., SC-200, AZ-500) are highly desirable.
  • 4+ years of cybersecurity operations experience, including hands-on incident response and investigation.
  • 3+ years of experience in a Managed Security Services or enterprise SOC environment.
  • Strong, demonstrated expertise with Microsoft Sentinel and Microsoft Defender XDR.
  • Proficiency in KQL for alert analysis, hunting, and detection engineering.
  • Solid understanding of identity-centric security, cloud security, endpoint protection, and email threat protection within Microsoft environments.
  • Familiarity with MITRE ATT&CK, NIST, CIS, and their application within Microsoft security tooling.
  • Ability to independently assess risk, make decisions, and lead response efforts during high-pressure incidents.
  • Strong analytical, troubleshooting, and problem-solving skills.
  • Excellent written and verbal communication skills, with the ability to translate technical findings into clear, actionable guidance.
  • Proven ability to mentor junior analysts and contribute to team capability growth.

Non-Technical Requirements:

  • Strong cross-team communication skills
  • Clear, concise incident documentation
  • Ownership mentality (treating incidents as end-to-end responsibilities, not just tasks to pass along)
  • Professional presence during incident calls
  • Ability to translate technical findings into business impact

Additional Consideration Given For:

  • Knowledge of Operational Technology (OT) networks and systems