We are looking for an Elastic Security Consultant/Specialist for our client's project based in Birmingham/London, UK – 3 days per week onsite
Role Overview
An Elastic Security Specialist is responsible for designing, implementing, and maintaining security detection, alerting, and response capabilities using the Elastic Stack. You will work cross-functionally with SOC teams, threat hunters, and engineers to translate adversary behaviours into automated detection rules, build investigative workflows, and integrate Elastic Security with external security tools.
Key Responsibilities
* Detection Engineering
  * Author and optimize detection rules in Elastic Security (EQL, Rule DSL, Sigma-to-ES mappings).
  * Set rule look-back windows and schedule intervals, ensuring coverage of varied threat actor behaviours.
  * Tune rule thresholds and enrich alerts with contextual data (asset, user identity, threat intelligence).
* Alert & Exception Management
  * Configure and maintain exception lists for noisy or benign events to reduce false positives.
  * Design workflows for automated alert remediation via connectors (e.g., ServiceNow, Jira).
* Threat Hunting & Investigation
  * Create and run ad hoc SIEM queries to hunt for IOC/IOA patterns across log, network, and endpoint data.
  * Build Kibana dashboards and Timelion/ECharts visualizations for SOC monitoring.
* Integration & Automation
  * Integrate Elastic Security with endpoint agents (Elastic Agent, Beats), EDR platforms, and threat intel feeds.
  * Automate incident enrichment using ingest pipelines, transforms, and Machine Learning anomaly detection jobs.
* Platform Hardening & Scaling
  * Advise on cluster sizing, index lifecycle management (ILM), and snapshot/restore strategies for long-term data retention.
  * Implement RBAC, field- and document-level security, and secure communications (TLS/SSL) for sensitive logs.
Required Technical Skills
* Deep expertise in Elastic SIEM / Elastic Security architecture and components.
* Deep expertise in the fundamentals of the Elastic Stack components and their deployment modes.
* Proficiency in Elasticsearch Query DSL, EQL, and Kibana Canvas/dashboards.
* Hands-on experience with Beats (Filebeat, Winlogbeat, Auditbeat) and Elastic Agent.
* Familiarity with threat intelligence platforms and IOC ingestion (STIX/TAXII).
* Solid understanding of security operations concepts: MITRE ATT&CK, kill-chain, SOC workflows.
* Scripting skills: Python, Shell, or Painless for pipeline processors.
* Deep familiarity with Filebeat modules (e.g. system, nginx, Kafka) and Metricbeat modules (e.g. docker, kubernetes, system) for out-of-the-box ingestion.
* Hands-on with Elastic Agent policies—creating integrations for logs, metrics, and uptime using Fleet.
* Ability to customize prospectors/inputs, multiline patterns, and conditionals in Beats to ensure complete, ECS-compliant event capture.
* Ability to design and optimize Logstash pipelines: inputs (beats, syslog, Kafka), filters (grok, kv, date, geoip), and outputs (Elasticsearch, Kafka).
* Ability to build native Elasticsearch ingest pipelines—using processors (grok, dissect, script, kv, csv, geoip) to normalize and enrich events before indexing.
Soft Skills & Attributes
* Analytical mindset with attention to detail.
* Strong written and verbal communication, able to document playbooks and runbooks.
* Collaborative, able to guide cross-functional teams on detection best practices.