مهندس اكتشاف

Detection Engineer

The Detection Engineer is a critical role within our security operations team, responsible for enhancing our threat detection capabilities. This position involves translating threat intelligence and understanding adversary tactics into actionable detection logic, ensuring our security systems can effectively identify and respond to malicious activities.

• Design and Implement Detection Rules: Create and deploy detection rules and alerts across various security platforms, including SIEM, EDR, NDR, and cloud security tools.
• High-Fidelity Detections: Develop detections based on threat intelligence, MITRE ATT&CK techniques, and emerging threats, ensuring they are accurate and reliable.
• Query Language Proficiency: Write detection logic using query languages such as KQL, SPL, Sigma, YARA, and others.
• Custom Parsers and Correlation: Build custom parsers and correlation rules to process and analyze security event data effectively.
• Detection Diversity: Engineer detections for both known threats (IOCs) and behavioral/anomaly-based patterns.
• Optimization: Continuously tune and optimize detection rules to minimize false positives while maintaining comprehensive coverage.

• Proactive Threat Hunting: Conduct threat hunting campaigns to identify gaps in detection coverage and potential security incidents.
• Adversary Analysis: Study and analyze adversary tactics, techniques, and procedures (TTPs) to develop new detection strategies.
• Emerging Threat Research: Stay updated on emerging threats and translate research findings into actionable detection content.
• Data-Driven Decision Making: Develop hypotheses and use data analytics to validate or refute potential threat scenarios.
• Documentation: Document threat hunting activities, findings, and lessons learned for future reference.

• Regular Testing: Perform regular testing of detection rules using attack simulation and red team exercises to ensure their effectiveness.
• MITRE ATT&CK Framework: Validate detections against the MITRE ATT&CK framework to ensure comprehensive coverage of attack patterns.
• Test Tools: Utilize tools like Atomic Red Team, Caldera, or custom scripts to generate test telemetry and measure detection performance.
• KPI Reporting: Measure and report on detection coverage and detection engineering KPIs to track progress.
• Purple Team Exercises: Collaborate with offensive security teams to conduct purple team exercises, enhancing detection capabilities.

• Log Source Onboarding: Identify and onboard new log sources to improve detection visibility and coverage.
• Log Quality Assurance: Ensure log quality, completeness, and proper normalization across all data sources.
• Configuration and Optimization: Work with IT and engineering teams to configure optimal logging and telemetry settings.
• MITRE ATT&CK Mapping: Map data sources to MITRE ATT&CK techniques to identify coverage gaps and prioritize improvements.
• Data Ingestion Optimization: Optimize data ingestion pipelines for detection use cases, ensuring efficient data processing.

• Detection-as-Code: Develop automation workflows for detection deployment and management, utilizing Detection-as-Code principles.
• Tool Development: Build tools and scripts to streamline detection engineering processes, improving efficiency.
• Automated Response: Create automated response playbooks for common detection scenarios, enabling swift and effective incident response.
• CI/CD Implementation: Implement continuous integration/continuous deployment (CI/CD) practices for detection content, ensuring rapid iteration and deployment.
• Threat Intelligence Integration: Integrate threat intelligence feeds into detection platforms to provide real-time threat data.

• Incident Management: Manage detection-related incidents, requests, and changes through ITSM workflows, ensuring efficient resolution.
• Ticketing Systems: Create and track detection engineering work items in ticketing systems like ServiceNow or Jira.
• Change Management: Document detection deployments, modifications, and rollbacks, adhering to change management processes.
• Problem Resolution: Participate in problem management to identify and resolve recurring detection issues, ensuring system stability.
• CMDB Maintenance: Maintain accurate CMDB entries for detection rules and security monitoring infrastructure.
• Reporting: Generate regular reports on detection coverage, effectiveness, and operational metrics for stakeholders.
• SLA Compliance: Ensure proper Service Level Agreement (SLA) compliance for detection development and tuning requests.

• SOC Analyst Collaboration: Partner with SOC analysts to refine detections based on operational feedback, improving detection accuracy.
• Incident Response Integration: Collaborate with incident response teams to develop detections from post-incident findings, enhancing response capabilities.
• Threat Intelligence Operationalization: Work with threat intelligence teams to operationalize intelligence into actionable detections, staying ahead of emerging threats.
• Documentation and Runbooks: Create and maintain detection engineering documentation and runbooks, ensuring knowledge sharing and consistency.
• Mentorship: Mentor junior detection engineers and SOC analysts, fostering a culture of continuous learning and improvement.

• Technical Expertise: Proficiency in detection and query languages (SPL, KQL, SQL, Sigma, YARA) is essential.
• Security Platforms: Hands-on experience with SIEM, EDR, NDR, and cloud security platforms is required.
• Threat Intelligence: Deep understanding of the MITRE ATT&CK framework and its application in detection engineering.
• Programming & Scripting: Proficiency in Python, PowerShell, and Bash for automation and tool development.
• Log Analysis: Strong log analysis and parsing skills across various log formats (Windows Event Logs, Syslog, cloud logs).
• Data Science: Understanding of data normalization, enrichment, and correlation techniques, along with statistical analysis and anomaly detection methods.
• ITSM & Documentation: Experience with ITSM platforms and ITIL processes, strong documentation skills, and the ability to create clear technical runbooks.
• Operating Systems & Networks: Deep knowledge of Windows, Linux, and macOS internals, network protocols, and packet capture.
• Communication & Collaboration: Excellent communication skills for technical and non-technical audiences, proactive mindset, and strong team collaboration abilities.

• Education: Bachelor's degree in Computer Science, Information Security, or a related field (or equivalent experience).
• Certifications: GIAC Certified Detection Analyst (GCDA) certification is preferred.
• Experience: 3-5 years of experience in security operations, threat detection, or SOC environments, with proven detection development expertise.
• Open-Source Contributions: Contributions to open-source detection projects (Sigma rules, YARA rules) are advantageous.
• Machine Learning & Behavioral Analytics: Experience with machine learning or behavioral analytics for detection is beneficial.
• Offensive Security Background: Background in offensive security, penetration testing, or red teaming is desirable.
• Detection-as-Code: Experience building Detection-as-Code pipelines and infrastructure.
• Threat Emulation: Familiarity with threat emulation and breach & attack simulation (BAS) tools.