
Security Consultant - Intelligence & Operations

Bucharest, Romania

Introduction

The Sentinel Content Engineer is responsible for designing, implementing, tuning, and maintaining Microsoft Sentinel content to enable effective detection, response, and automation within the Client Security Operations Center (CSOC). This role ensures that Sentinel provides high-fidelity detections, automated response capabilities, and actionable dashboards aligned with the threat landscape and client requirements. The engineer works closely with SOC analysts (L1/L2), threat intelligence teams, and client stakeholders to develop and continuously improve security use cases, analytics rules, and playbooks.

In this role, you'll work in one of our IBM Consulting Client Innovation Centers (Delivery Centers), where we deliver deep technical and industry expertise to a wide range of public and private sector clients around the world. Our delivery centers offer our clients locally based skills and technical expertise to drive innovation and adoption of new technology.

Your role and responsibilities

Key Responsibilities / Tasks

Detection Engineering

  • Develop and maintain Sentinel analytics rules using KQL (Kusto Query Language).
  • Translate client requirements and threat intelligence into detection use cases.
  • Tune existing rules to reduce false positives while maintaining coverage.
  • Map detections to the MITRE ATT&CK framework for coverage reporting.

SOAR Automation & Playbooks

  • Design, implement, and maintain Logic Apps playbooks for automated response and enrichment.
  • Integrate playbooks with external systems (ticketing platforms, TI feeds, EDR, proxy, MISP, etc.).
  • Work with analysts to automate repetitive tasks (e.g., enrichment, notification, containment actions).

Content Lifecycle Management

  • Establish and follow a content development lifecycle (design, test, deploy, maintain).
  • Maintain proper version control, documentation, and rollback procedures.
  • Regularly review and update detection and automation content based on lessons learned from incidents.

Data Integration & Normalization

  • Onboard log sources into Sentinel (Azure, Microsoft 365, EDR, firewall, proxy, custom apps).
  • Ensure data connectors and normalization follow Sentinel's schema (ASIM).
  • Work with client infrastructure teams to resolve ingestion issues and data gaps.

Dashboards & Reporting

  • Create Sentinel workbooks and dashboards for operational monitoring and executive reporting.
  • Provide SOC metrics, KPIs, and threat visibility dashboards for clients and leadership.

Collaboration & Continuous Improvement

  • Work with SOC L2/L3 analysts to refine detection and response workflows.
  • Incorporate threat intelligence feeds and client-specific IoCs into Sentinel content.
  • Proactively identify gaps in monitoring coverage and propose improvements.
  • Support security incident investigations by providing query expertise and custom rules.

Required education

Master's Degree

Preferred education

Master's Degree

Required technical and professional expertise

  • Microsoft Sentinel Expertise
    • Strong hands-on experience with Microsoft Sentinel (SIEM + SOAR).
    • Proficiency in KQL (Kusto Query Language) for writing and optimizing queries.
    • Experience with Logic Apps for playbook creation and orchestration.
    • Familiarity with Microsoft security stack (Defender, EOP, Azure Security Center).
  • Detection & Response Engineering
    • Ability to translate threat intelligence and MITRE ATT&CK techniques into detection logic.
    • Experience tuning detections to balance coverage and noise reduction.
    • Knowledge of incident response workflows and SOC operations.
  • Automation & Scripting
    • Proficiency with PowerShell, Python, or other scripting languages for automation.
    • Experience with API integrations (REST, Graph API).
  • Log Management & Data Analysis
    • Understanding of common log sources (Windows Event Logs, network devices, cloud services).
    • Experience with log normalization, parsing, and schema mapping (ASIM).
  • Soft Skills & Behavioral Competencies
    • Strong problem-solving and analytical mindset.
    • Ability to communicate complex technical concepts to analysts and stakeholders.
    • Proactive in identifying improvements and proposing new detection/automation content.
    • High attention to detail with commitment to documentation and knowledge sharing.

Preferred technical and professional experience

  • Bachelor's degree in Cybersecurity, Computer Science, or equivalent experience.
  • 3-5 years of experience in SOC, SIEM engineering, or security content development.
  • Microsoft Security certifications preferred:
    • SC-200 (Microsoft Security Operations Analyst)
    • SC-100 (Microsoft Cybersecurity Architect)
    • AZ-500 (Azure Security Engineer Associate)
  • Other security certifications a plus (GCIA, GCTI, Splunk Certified, etc.).

ABOUT BUSINESS UNIT

IBM Consulting is IBM's consulting and global professional services business, with market-leading capabilities in business and technology transformation. With deep expertise in many industries, we offer strategy, experience, technology, and operations services to many of the most innovative and valuable companies in the world. Our people are focused on accelerating our clients' businesses through the power of collaboration. We believe in the power of technology responsibly used to help people, partners and the planet.

YOUR LIFE @ IBM

In a world where technology never stands still, we understand that dedication to our clients' success, innovation that matters, and trust and personal responsibility in all our relationships live in what we do as IBMers as we strive to be the catalyst that makes the world work better.

Being an IBMer means you'll be able to learn and develop yourself and your career, you'll be encouraged to be courageous and experiment every day, all whilst having continuous trust and support in an environment where everyone can thrive whatever their personal or professional background.

Our IBMers are growth-minded, always staying curious, open to feedback and learning new information and skills to constantly transform themselves and our company. They are trusted to provide ongoing feedback to help other IBMers grow, as well as to collaborate with colleagues, keeping in mind a team-focused approach that includes different perspectives to drive exceptional outcomes for our customers. The courage our IBMers have to make critical decisions every day is essential to IBM becoming the catalyst for progress, always embracing challenges with the resources they have to hand, a can-do attitude and an outcome-focused approach within everything that they do.

Are you ready to be an IBMer?

ABOUT IBM

IBM's greatest invention is the IBMer. We believe that through the application of intelligence, reason and science, we can improve business, society and the human condition, bringing the power of an open hybrid cloud and AI strategy to life for our clients and partners around the world.

Restlessly reinventing since 1911, we are not only one of the largest corporate organizations in the world, we're also one of the biggest technology and consulting employers, with many of the Fortune 500 companies relying on the IBM Cloud to run their business.

At IBM, we pride ourselves on being an early adopter of artificial intelligence, quantum computing and blockchain. Now it's time for you to join us on our journey to being a responsible technology innovator and a force for good in the world.

IBM is proud to be an equal-opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, gender, gender identity or expression, sexual orientation, national origin, genetics, pregnancy, disability, neurodivergence, age, or other characteristics protected by the applicable law. IBM is also committed to compliance with all fair employment practices regarding citizenship and immigration status.

OTHER RELEVANT JOB DETAILS

IBM wants you to bring your whole self to work and for you this might mean the ability to work flexibly. If you are interested in a flexible working pattern, please talk to our recruitment team to find out if this is possible in the current working environment.

Client-provided location(s): Bucharest, Romania
Job ID: IBM-60755
Employment Type: OTHER
Posted: 2025-11-12T18:49:44

Perks and Benefits

  • Health and Wellness
  • Parental Benefits
  • Work Flexibility
  • Office Life and Perks
  • Vacation and Time Off
  • Financial and Retirement
  • Professional Development
  • Diversity and Inclusion