Detection Engineer – Microsoft Sentinel & SOAR
Washington, DC
Hybrid – 2 days per week onsite in Washington, DC
Full-Time
Public Trust (or ability to obtain)
Position Overview
We are seeking a Detection Engineer – Microsoft Sentinel & SOAR to support security engineering operations for federal government clients.
This is a hands-on role focused on developing and maintaining high-quality detections, threat hunting queries, and automated response workflows within Microsoft Sentinel, Microsoft Defender, and Azure Logic Apps.
This role requires strong technical execution, particularly expert-level KQL for detection engineering.
Develop, tune, and maintain Microsoft Sentinel analytics rules and detection logic
Write and optimize advanced KQL queries for detections, threat hunting, and investigations
Perform threat hunting across Sentinel and Defender data sources
Support SOAR automation by building and maintaining Azure Logic Apps playbooks
Integrate Sentinel detections with Microsoft Defender platforms, including Defender for Endpoint and Defender XDR
Assist with onboarding, parsing, and normalization of log sources, including Syslog and CEF
Support Linux-based Syslog collectors and assist with Azure Monitor Agent (AMA) deployments
Collaborate with SOC analysts to refine alert quality and reduce false positives
Map detections to MITRE ATT&CK techniques and maintain detection coverage documentation
Support incident response workflows through automation and enrichment
Develop and maintain Sentinel workbooks, dashboards, and operational metrics
Document detection logic, playbooks, and standard operating procedures
Support compliance alignment with FISMA, NIST RMF/CSF, and agency SOC requirements
3–5 years of cybersecurity experience in SOC, SIEM, or detection-focused roles
2–3 years of hands-on experience with Microsoft Sentinel in a production environment
Strong to expert proficiency in Kusto Query Language (KQL)
Demonstrated experience writing detections, hunting queries, and analytic rules
Hands-on experience with Microsoft Defender data sources (Endpoint, Identity, XDR)
Experience building or maintaining Azure Logic Apps for SOAR use cases
Familiarity with Syslog/CEF data and network security telemetry
Basic experience with Linux-based log collectors or willingness to learn
Exposure to Azure Monitor Agent (AMA) and Data Collection Rules (DCRs)
Understanding of SOC workflows and incident response lifecycle
Familiarity with NIST RMF, NIST CSF, and FISMA concepts
Ability to commute to Washington, DC two days per week
Experience integrating Sentinel automation with ServiceNow or ITSM tools
Security Operations Analyst Associate (SC-200)
Azure Security Engineer Associate (AZ-500)