
Inspira Enterprise

Associate - Cybersecurity

Posted 7 Days Ago
In-Office or Remote
3 Locations
Mid level

Role Summary:

We are looking for a technically strong and process-driven SIEM Integration & Engineering Specialist with proven experience in Microsoft Sentinel to lead and execute end-to-end integration, onboarding, log parsing, transformation, and ingestion optimization activities. You will own the engineering lifecycle of log source integration, tuning, troubleshooting ingestion issues, and developing reusable automation/SOPs to support multiple enterprise and MSSP customers.

Key Responsibilities:

Integration & Configuration

Create and maintain onboarding checklists for all new log sources: log size estimation, ingestion strategy, placement logic (Syslog/CommonSecurityLog/CustomLog), best onboarding method (agent, API, etc.).

Evaluate and implement native vs. custom ingestion using REST APIs, syslog, CEF, Syslog-NG, and Event Hubs.

Manage Data Collection Rules (DCRs) for structured and unstructured data including transformations, filters, multi-line handling, and custom table mapping.

Author SOPs and “How-to” documentation for custom log normalization, transformation logic, and DCR limitations.

Recommend and justify table selection strategy (e.g., CommonSecurityLog vs. CustomLog) based on customer needs and Sentinel performance.

Ingestion Optimization & Tuning

Identify and resolve log duplication issues using correlation, diagnostic settings, and parsing analysis.

Choose between agent-based and agentless ingestion strategies; document troubleshooting methods and share reusable configurations.

Design ingestion pipelines with attention to performance throttling, throughput optimization, and pre-ingestion routing (such as log routers, collectors, and proxies).

Collaborate with customers to align ingestion design with retention policies and data costs.

Health Monitoring & Troubleshooting

Develop and maintain log rotation configurations/scripts for Linux and Windows sources, including detection and remediation of rotation issues.

Create scheduled health checks, KQL rules, and workbooks to detect connector failures, latency, heartbeat gaps, and log drop-offs.

Document common ingestion failure patterns (encoding errors, firewall/network issues, schema mismatches) with precise troubleshooting playbooks.

Maintain playbooks for character encoding issues (UTF-8, BOM) and solutions for encrypted log payloads or malformed syslog headers.

Forwarding & Collection Methods

Lead Windows Event Forwarding (WEF) implementation via GPO with enhanced configurations, filtering, and troubleshooting best practices.

Configure and tune Sysmon, Syslog-NG, Rsyslog, and Logstash for Linux and application logs; implement JDBC or file-based database integrations.

Create reusable templates for schema mapping and log parsing pipelines for non-standard applications and tools.

Scripting & Automation

Build PowerShell/Bash scripts to automate onboarding of frequently used log sources.

Maintain or create ARM/Bicep templates for Sentinel infrastructure provisioning, including DCRs, diagnostic settings, and analytics rules.

Script and pipeline complex log transformations, parsing pipelines, and alert-tuning workflows (e.g., via Logic Apps).

Access Management & Security

Define and manage RBAC roles for Sentinel, data source connectors, and ingestion tools.

Implement Managed Identity-based ingestion for secure connections (e.g., Azure Function Apps, Logstash, REST APIs).

Audit and document access control, permission requirements, and secure token-based configurations used for custom integrations.

Must-Have Skills:

3+ years of hands-on experience with Microsoft Sentinel including DCR, KQL, and ingestion pipeline management.

Solid understanding of Syslog, CEF, Windows Event Forwarding, REST APIs, and custom data connectors.

Expertise in KQL, JSON, PowerShell/Bash, and parsing logic for complex logs.

Proven experience developing health monitoring solutions and troubleshooting data latency, connector failures, and ingestion issues.

Strong experience in SOP development, documentation, and reusable automation.

Familiarity with data transformation logic, log source prioritization, and cost management strategies in Sentinel.

Ability to work closely with security teams, cloud architects, and customer IT teams to implement best practices.

Nice-to-Have Skills:

Experience with Logstash, Syslog-NG, Rsyslog, and JDBC log integrations.

Prior work with Managed Sentinel deployments or other MSSP environments.

Familiarity with SOAR automation (Logic Apps) and integrating Sentinel with external alerting platforms.

Knowledge of Microsoft Defender XDR, Azure Security Center, or other Microsoft Security solutions.

Exposure to compliance-driven onboarding (HIPAA, PCI-DSS, ISO 27001) for regulated customers.

Soft Skills & Approach:

Process-oriented mindset with strong documentation habits.

Ability to work independently while handling multiple log source requests.

Troubleshooting-first approach with a mindset of identifying root cause, not just symptoms.

Strong communication skills for knowledge transfer and training of L1/L2 teams.

Deliverables/Artifacts the Role Will Own:

Master log source onboarding guidebook

SOP library for custom and native integrations

Collection of scripts and templates (DCR, KQL rules, health monitors, log rotation)

Workbook for ingestion health monitoring

Repository of common failure scenarios and fix playbooks

Top Skills

ARM
Bash
Bicep
CEF
Data Collection Rules (DCRs)
JDBC
KQL
Logstash
Microsoft Sentinel
PowerShell
REST APIs
Rsyslog
Syslog
Syslog-NG
