Job Description
Job Title: Microsoft Sentinel Platform Engineer
City: Pune
State/Province: Maharashtra
Posting Start Date: 3/17/26
Wipro Limited (NYSE: WIT, BSE: 507685, NSE: WIPRO) is a leading technology services and consulting company focused on building innovative solutions that address clients’ most complex digital transformation needs. Leveraging our holistic portfolio of capabilities in consulting, design, engineering, and operations, we help clients realize their boldest ambitions and build future-ready, sustainable businesses. With over 230,000 employees and business partners across 65 countries, we deliver on the promise of helping our customers, colleagues, and communities thrive in an ever-changing world. For additional information, visit us at www.wipro.com.

The Sentinel Platform Engineer – L3 is the highest-tier technical expert responsible for end-to-end engineering, optimization, and advanced troubleshooting of the Microsoft Sentinel platform within the SOC. This role ensures platform reliability, architecture governance, seamless data ingestion, analytics development, automation, threat detection maturity, and integration with enterprise security controls.
The L3 engineer also acts as the primary escalation point for complex incidents and provides guidance to L1/L2 SOC teams.

Key Responsibilities

1. Sentinel Platform Ownership & Architecture

  • Own full lifecycle management of Microsoft Sentinel, including architecture design, scaling, performance optimization, and maintenance.
  • Define and enforce Sentinel platform governance, naming standards, and RBAC policies.
  • Design and enhance Log Analytics workspace architecture, data retention policies, and workspace linking.
  • Ensure high availability, cost optimization, and platform resilience.

2. Data Connectors & Ingestion Engineering

  • Onboard, configure, and troubleshoot Sentinel data connectors (Syslog, CEF, AMA, custom connectors, API integrations).
  • Build and manage scalable data ingestion pipelines for security logs from telco, cloud, network, and core systems.
  • Optimize ingestion costs, data normalization (ASIM), and data mapping.

3. Analytics Rules & Threat Detection Engineering

  • Develop and optimize KQL-based analytic rules for advanced threat detection.
  • Improve detection logic through threat hunting patterns, MITRE ATT&CK mapping, and false-positive reduction.
  • Perform periodic health checks on analytics rule performance and data coverage.

4. SOAR, Automation & Playbook Engineering

  • Build advanced Logic Apps and SOAR playbooks for automated response.
  • Integrate automation across security tools, ITSM, identity systems, and network controls.
  • Troubleshoot complex automation failures and improve playbook efficiency.

5. Advanced Troubleshooting & Escalation Support

  • Serve as the final technical escalation point for Sentinel platform issues.
  • Analyze and resolve ingest failures, connector breakdowns, workspace anomalies, and rule malfunctions.
  • Support IR teams with deep-dive KQL investigations and platform-level forensics.

6. Monitoring, Health, and Performance Management

  • Continuously monitor Sentinel health, connector stability, ingestion latency, and automation performance.
  • Conduct regular platform audits and enforce configuration compliance.
  • Maintain dashboards for platform KPIs and operational maturity.

7. Documentation, Standards, and Best Practices

  • Create and maintain engineering runbooks, platform architecture diagrams, and standard operating procedures.
  • Mentor L1/L2 SOC analysts and provide technical knowledge sessions.
  • Participate in change management, risk assessments, and security architecture reviews.

Required Skills & Experience

Technical Skills

  • Expert-level hands-on experience with Microsoft Sentinel (minimum 4–6 years).
  • Strong proficiency in KQL, including performance tuning and complex query building.
  • Deep understanding of:
    • Log Analytics Workspaces
    • Azure Monitor Agent (AMA)
    • Sentinel Analytics, Workbooks, Watchlists
    • Logic Apps / SOAR automation
    • REST API integration
    • ASIM & Schema Mapping
  • Knowledge of security frameworks: MITRE ATT&CK, NIST CSF, ISO 27001.
  • Experience with Windows, Linux, network logs, firewalls, proxies, and identity systems (AD/AAD).
  • Strong skills in debugging ingestion issues, schema mismatches, and parsing/normalization.

Mandatory Skills: Security Information Event Management.

Experience: 5-8 Years.

Reinvent your world. We are building a modern Wipro. We are an end-to-end digital transformation partner with the boldest ambitions. To realize them, we need people inspired by reinvention. Of yourself, your career, and your skills. We want to see the constant evolution of our business and our industry. It has always been in our DNA - as the world around us changes, so do we. Join a business powered by purpose and a place that empowers you to design your own reinvention.

If you encounter any suspicious mail, advertisements, or persons who offer jobs at Wipro, please email us at helpdesk.recruitment@wipro.com. Do not email your resume to this ID as it is not monitored for resumes and career applications.

Any complaints or concerns regarding unethical/unfair hiring practices should be directed to our Ombuds Group at ombuds.person@wipro.com.

We are an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, caste, creed, religion, gender, marital status, age, ethnic and national origin, gender identity, gender expression, sexual orientation, political orientation, disability status, protected veteran status, or any other characteristic protected by law.

Wipro is committed to creating an accessible, supportive, and inclusive workplace. Reasonable accommodation will be provided to all applicants including persons with disabilities, throughout the recruitment and selection process. Accommodations must be communicated in advance of the application, where possible, and will be reviewed on an individual basis. Wipro provides equal opportunities to all and values diversity.