SIEM Engineer | IT Recruitment

  • Full Time
  • Midrand

Level:

  • Senior

Location:

  • Gauteng, South Africa; London, UK; or Dallas, Texas, although good resources outside of these areas will be considered.
  • The company allows extensive remote working.
  • The successful candidate may be expected to visit client sites occasionally.

Job Mission and core purpose:

  • Onboard client log sources into SIEM, and improve / optimize log coverage across client environments (SIEM Platform Engineer)
  • Develop content to accurately detect cybersecurity incidents and intrusions (SIEM Content Engineer)
  • Use automation to improve operations at both a technical / infrastructure level as well as at a SOC / human layer (Automation Engineer)

Qualifications and certificates:

Required certifications:

  • Bachelor’s degree or diploma in Computer Science / Information Technology, or equivalent combination of education and work experience.

Desirable certifications:

  • Linux and Windows system administration
  • Security certifications, e.g., CompTIA Security+, Certified Ethical Hacker, etc.
  • Programming courses

Core functions and responsibilities:

Core functions and responsibilities are grouped into three areas. The successful candidate is expected to fulfil two or more of these areas.

SIEM Platform Engineer

  • Assist in scoping clients’ SIEM requirements.
  • Deploy and maintain QRadar SIEM client-side components to collect logs from clients’ on-premises systems and cloud platforms.
  • Perform regular health checks on client-side QRadar components.
  • Work closely with clients to ensure that their log sources (e.g., Windows/Linux servers, databases, firewalls, VPN, web proxy, mail gateway, intrusion prevention systems, cloud platforms, custom logs, etc.) feed into the SIEM. Provide advice and support to clients on how to configure their log sources to send useful events to the SIEM. Work with client IT personnel – where required – to configure their log sources. Verify log sources feed into the SIEM correctly.
  • Troubleshoot and resolve technical issues impacting event flow from log sources to SIEM. Identify and resolve technical and performance issues affecting log collection.
  • Assess clients’ log coverage and identify gaps where it would be useful to onboard security events to improve coverage and detection capability.
  • Develop custom parsers to extract required data from events, where the log source type is not supported by QRadar.
  • Maintain accurate and up-to-date architecture, configuration, and operations documentation.

SIEM Content Engineer

  • Develop, test, implement and fine-tune rules to detect suspicious, malicious, or abnormal activity that may indicate an attack or security policy violation in client environments.
  • Work with lead SOC analysts to develop rule response procedures, i.e., the SOC Analyst Playbook.
  • Develop custom parsers to extract required data from events, where the log source type is not supported by QRadar.
  • Develop reports and dashboards as per client requirements.
  • Extract data from SIEM so that it can be analyzed in external systems.
  • Work with SOC analysts to fine-tune detection rules to increase accuracy and reduce false positives.
  • Maintain and fine-tune user behavior analytics (UBA) SIEM solution component.
  • Assist SOC analysts with complex investigations, e.g., bulk extraction and analytics of data, where required.

Automation

  • Improve SOC effectiveness and efficiency through use of automation, e.g., automating the collection of data for enrichment purposes.
  • Assist Portal and Service Desk development teams in accessing SIEM data via APIs.
  • Integrate external data feeds into the SOC.
  • Develop and fine-tune automated playbooks (using Security Orchestration, Automation & Response technology).
  • Deploy and maintain open-source technologies used by the SOC, Managed Detection & Response (MDR) and Incident Response Teams, e.g., incident tracking, indicators of compromise (IOC) repository, Yara rule repository, malware analysis sandbox, etc.

Ad hoc

  • Support the company Incident Response Team (IRT) on incident response and digital forensic (DFIR) projects, where required, e.g., querying and exporting log data, building rules to detect in-progress attacks, etc.

Collaboration – refers to formal and informal relationships:

This position reports to the Managed Detection & Response Engineering Team Manager.

The position interfaces with the following internal roles:

  • Other engineers and developers
  • SOC Analysts
  • MDR Analysts
  • Project managers

The position interfaces with the following client roles:

  • IT Security team
  • Infrastructure and Operations teams, e.g., Windows, Unix, firewall, backup, environment provisioning
  • Change Management
  • System and Application owners
  • Project managers

Knowledge and experience:

General across all three functions

  • Minimum of 3 years’ experience in Linux system administration, development / programming, security product administrator / engineer / analyst, or equivalent.
  • Good understanding of TCP/IP networking.
  • Good understanding of the cybersecurity landscape, threats, vulnerabilities, controls, etc.
  • Working understanding of some of the following security technologies: Firewalls, VPN, intrusion prevention system, routers, switches, Windows and Linux servers, Active Directory, web proxies, mail gateways, databases, identity and access management systems, Office 365, endpoint protection products (antivirus), endpoint detection and response (EDR), web application firewalls, etc.

SIEM Platform Engineer

  • Hands-on experience with any SIEM product and experience integrating log sources into SIEM in a mid- to senior-level role
  • Broad IT experience and knowledge – e.g., networking, servers, databases, applications – and ability to integrate into SIEM – e.g., via syslog, Windows Event Collector, JDBC, files over SMB/NFS, event data via APIs and web services, etc.
  • Hands-on server administration (Linux mandatory, Windows optional)
  • Server network configuration and troubleshooting
  • Practical scripting experience, e.g., Unix shell, Python and/or PowerShell
  • Exposure to a variety of security products and logs
  • Strong technical troubleshooting skills
  • Data analysis skills

SIEM Content Engineer

  • Hands-on experience with any SIEM product in a mid- to senior-level role
  • Experience developing SIEM content, i.e., rules, reports, and dashboards
  • Exposure to a variety of security products and logs
  • Exposure to attacker tactics, techniques, procedures, and tools
  • Ethical hacking / penetration testing experience would be advantageous
  • Solid SQL query development experience, to be able to develop QRadar AQL
  • Analysis of security logs
  • Ability to extract useful data out of security logs and transform this into value for SOC analysts and the company clients

Automation

  • Experience in integrating technologies / platforms
  • Experience in scripting, programming languages, web services, APIs, databases, etc.
  • Experience in writing robust code
  • Ability to identify repetitive manual tasks and automate them
  • Experience working with SOAR technologies would be advantageous but is not required
  • Experience programming in Python
  • Formal programming language certification(s) would be advantageous but not required

Other advantageous knowledge and experience

  • Incident response
  • Digital forensics

Skills and competencies:

  • Good verbal communication
  • Good documentation skills

Behavioral qualities / attributes:

  • Self-discipline and self-management (no micro-management)
  • Passion for security
  • Attention to detail and quality
  • Task ownership and delivery
  • Team player
  • Good interpersonal and communication skills
  • Ability to build and manage relationships
  • Pro-active
  • Desire to learn
  • Contribution to team development / knowledge sharing