What You’ll Do
The SIEM Content Development Specialist plays a critical role in advancing the Cyber Security Operations Center’s ability to detect and respond to cybersecurity incidents. This role focuses on designing and developing cutting‑edge detection content leveraging a wide array of security technologies and telemetry to identify malicious activity and guide security analysts through effective response playbooks.
Working within a threat‑led framework, the specialist collaborates across teams to translate threat intelligence into actionable detection logic and response workflows. The position demands strong technical acumen, analytical thinking, and problem‑solving capabilities, along with the ability to communicate clearly with peers, leadership, and cross‑functional stakeholders.
Key accountabilities and decision ownership:
* Contribute to continuous improvement initiatives across multiple technologies by developing and refining content that enhances threat detection and response capabilities.
* Develop and optimise threat detection content, including tuning of threat and vulnerability management technologies and continual refinement of SIEM rules and logic to enhance detection accuracy and operational performance.
* Lead and contribute to the optimisation and modernisation of SIEM content, supporting the adoption of next‑generation SIEM technologies and cloud‑native security tools.
* Manage the lifecycle of detection content, including development, testing, release, and retirement, using version control and documentation best practices.
* Collaborate with DevOps/SecOps teams to integrate security content into broader CI/CD workflows.
* Collaborate with the CSOC Manager to support improvements in security operations through effective content contributions.
* Support security event analysis by participating in and may drive security event analysis activities to address current cyber threats.
* Assist in threat response activities, providing analytical input from a blue‑team perspective to help identify potential threat‑group behaviours.
* Contribute to the creation of cybersecurity reports and advisories, ensuring timely and accurate dissemination to key stakeholders.
* Participate in residual risk assessments, supporting post‑incident analysis and the documentation of operational and technical lessons learned.
* Collaborate with data owners and customers to understand data sources and use cases and successfully translate requirements into actionable content.
Who You Are
* Minimum 2‑5 years of SIEM content (rule logic and code) development experience.
* Minimum 2 years of SOC analyst experience (Level 2 or above).
* Extensive hands‑on experience in security event analysis and the creation and refinement of SIEM/EDR rules.
* Deep knowledge of IPv4/IPv6, TCP networking protocols, Windows and Linux operating systems.
* Exceptional working knowledge of security technologies such as SIEM (ArcSight, Sentinel, QRadar, LogRhythm, Splunk), EDR (Microsoft Defender, FireEye, Tanium), IDS/IPS, firewalls, proxies, web application firewalls, anti‑virus, etc.
* Comprehensive understanding of Windows Security Event logs and Syslog.
* Excellent familiarity with endpoint/perimeter security attack vectors and detection (blue/purple teaming).
* Excellent familiarity with standard security frameworks such as MITRE, cyber‑kill chain, and APT campaign strategies.
* Outstanding knowledge of cloud platforms such as Azure, Office 365, Google Cloud, AWS, Oracle.
* Experience with modern SIEM platforms, including cloud‑native or hybrid solutions.
* Hands‑on experience with CI/CD pipelines and automation tools for security content deployment.
* Proficiency in version control systems (e.g., Git) for managing SIEM content.
* Excellent working knowledge of regular expression development.
* Scripting and programming experience is highly desirable.
* Kusto or SQL knowledge, including rule/query optimisation.
* Proven ability to prioritise workload, meet deadlines and utilise time effectively.
* Good interpersonal and communication skills, works effectively as a team leader and the ability.
* Experience in security event analytics, for example Elastic, Azure Sentinel or Splunk.
Preferred
* Demonstrable experience in critical thinking and data or logical analysis.
* Knowledge of typical security devices such as firewalls, intrusion detection systems, anti‑virus, anti‑spam.
* Understanding of cyber‑threat concepts such as the cyber‑kill chain, attack methods, and threat actors.
* Experience with investigating intrusions in Linux and cloud environments.
Must have technical and professional qualifications
* 3+ years of related experience.
* Excellent verbal and written communication skills.
* Highly disciplined and motivated, able to work independently or under direction.
* Deep understanding of threat‑actor techniques and tools.
What’s In It For You
* Yearly bonus: 10%
* Annual leave: 28 days + bank holidays + option to buy/sell/carry over 5 days per year.
* Charity days: 5 days per year.
* Maternity leave: 52 weeks – first 13 weeks fully paid, followed by 26 weeks half pay.
* Private pension with up to 5% personal contribution and 2:1 matching up to 10%.
* Access to private medical, private dental, free health assessments, share‑save scheme.
* Additional discounts: Vodafone retail, gym, cinema, cycle‑to‑work, season ticket loan.
#J-18808-Ljbffr