Senior SIEM Detection Engineer

Roles and Responsibilities

• Lead and perform detection content development within the SIEM platform (Elastic, Palo XSIAM, Crowdstrike), including:
• Creation, tuning, and lifecycle management of detection rules, correlation rules, and analytic stories/use cases
• Definition and maintenance of data models, normalization, and enrichment required to support high‑quality detections
• Mapping detections to frameworks such as MITRE ATT&CK where applicable
• Identify gaps in detection coverage based on incident trends, threat intelligence, and hunt activities
• Reduce false positives and improve alert signal‑to‑noise ratio through iterative tuning
• Translate playbooks and incident response workflows into robust, testable detection. 
• Monitor and manage the health and performance of SIEM detection content, including:
• Tracking detection firing patterns, volumes, and performance impact. 
• Conducting post-incident reviews to refine detections and create new coverage.
• Ensuring detections remain aligned with client use cases, risk profiles, and contracted scope.
• New and existing detections are prioritized based on risk, impact, and available data
• Partner with AHEAD Managed Security and client resources in the design and implementation of new data visualizations and detection rules, including:
• Building dashboards, visualizations, and investigative views that support triage and hunting
• Collaborate with AHEAD Managed Security SOAR (Swimlane) engineering resources to:
• Integrate SIEM detections with SOAR workflows for enrichment, triage, and response
• Continuously improve incident investigation workflows and automation quality based on detection output
• Engage with client security and IT infrastructure teams for new data source onboarding activities, including:
• Defining logging, parsing, normalization, and enrichment requirements to support current and planned detections
• Validating that ingested data is complete, normalized, and usable for detection engineering
• Tune rules, filters, and policies across SIEM and related security technologies (IDS, EDR, firewalls, etc.) to:
• Improve accuracy, visibility, and coverage while minimizing noise
• Ensure consistent correlation and context across multiple technologies
• Perform data mining and exploratory analysis of log sources to:
• Uncover and investigate anomalous activity and potential undetected attack patterns
• Identify new detection opportunities and support proactive threat hunting
• Assist with the development and improvement of processes and procedures for:
• Detection lifecycle management (design, testing, deployment, monitoring, retirement)
• Improving incident response times, incident quality, and overall Managed Security functions
• Participate in client-facing security meetings to:
• Explain detection strategy, coverage, and improvements

Position Requirements

• Experience with Elastic Security and its core components (Elasticsearch, Logstash, Kibana, Filebeat, Elastic Agent), with a focus on detection engineering, rule creation, and data modeling
• Strong SIEM administration and configuration experience, particularly around detection use cases, correlation logic, and alert workflows
• Experience writing tools or scripts to automate detection-related tasks, data quality checks, and integrations in Python or similar languages
• Demonstrated ability to think creatively and build elegant detection solutions to complex security problems
• Excellent verbal and written communication skills, including the ability to communicate detection logic and findings to both technical and non‑technical stakeholders
• Incident handling/response experience, with a focus on using detections to support and improve IR workflows
• Desire to work both independently and collaboratively with a larger managed services and client team
• A strong appetite for learning, experimentation, and continuous improvement in detection engineering
• 2–4 years of experience in Security Detection Engineering, Security Automation, or related disciplines
• Hands-on experience with common security technologies: IDS, Firewall, SIEM, SOAR, EDR, endpoint and network security tools
• Knowledge of common security analysis tools & techniques, including log analysis, correlation, and anomaly detection
• Understanding of common security threats, attack vectors, vulnerabilities, and exploits, and how they manifest in telemetry
• Strong regular expression skills and familiarity with query languages used in SIEM platforms
• Customer service focused and portrays energy, professionalism, and welcoming characteristics
• Strong ability to work in a highly sensitive and confidential environment
• Ability to meet deadlines and perform effectively under pressure
• Ability to identify issues and help develop strategic and tactical plans for Managed Security and detection-related initiatives
• Ability to use good judgment and decision-making skills in ambiguous or complex detection and incident scenarios

Education and Certifications

• Bachelor’s Degree in Computer Science, Information Security, or related/equivalent educational or work experience
• One or more of the following certifications is preferred: CISSP, GCIA, GCIH, GPYC, GMON, GCDA, Elastic Certified Engineer