TECHNICAL SKILL PROFILE — INTERNAL HR SCREENING
Security Engineer 1 — SIEM & Threat Detection
Technical Skill Requirements | Mid-Level (8–10 Years)
| Document ID | TSP-ENG-1-2026 |
| Role Level | Mid-Level / Senior Individual Contributor (8–10 years experience) |
| Classification | Confidential — Internal HR Use Only |
1. Role Summary
This profile defines the technical skills and experience required for a Security Engineer specializing in Security Information and Event Management (SIEM), Security Orchestration Automation and Response (SOAR), and threat detection. The role demands hands-on engineering depth across the Microsoft security stack, with particular strength in Microsoft Sentinel, Defender XDR, and incident response automation. The candidate must be capable of both deployment and ongoing operations in a complex enterprise environment.
| Discipline | Cloud Security Engineering — SIEM / SOAR / Threat Detection |
| Experience Band | 8–10 years in cybersecurity or cloud security engineering |
| Seniority | Mid-Level to Senior Individual Contributor |
| Primary Stack | Microsoft Sentinel · Defender XDR · Defender for Endpoint P2 · Defender for Office 365 · Defender for Cloud · Purview Insider Risk Management |
| Compliance Scope | SOC 2 (CC7.x monitoring / detection), HIPAA §164.312(b) audit controls, HITRUST awareness |
2. Experience Requirements
2.1 Overall Experience
- 8–10 years total experience in cybersecurity or cloud infrastructure security
- Minimum 3 years of hands-on experience on the Microsoft security stack in production enterprise environments
- Demonstrated experience across both deployment (greenfield / brownfield) and steady-state operations
- Experience in environments with 500+ managed endpoints
- Exposure to regulated industries (healthcare, financial services, or equivalent) preferred
2.2 SIEM — Microsoft Sentinel
- 3+ years of Microsoft Sentinel deployment and operations experience
- Proficient in designing and deploying Log Analytics Workspaces and connecting data connectors (M365, Defender, Azure Activity, custom sources)
- Ability to configure and tune analytics rules, custom alert thresholds, and suppression logic
- Experience building and maintaining Sentinel workbooks for compliance and operational reporting
- Hands-on configuration of cross-workspace queries and multi-tenant Sentinel architectures preferred
2.3 KQL — Kusto Query Language
- Advanced KQL proficiency: joins, `let` statements, time-series analysis, `summarize`, `render`
- Able to author complex threat-hunting queries independently, without templates
- Experience building parameterised workbooks and custom dashboards from KQL
- Performance optimisation of high-cardinality queries across large data volumes
2.4 SOAR — Playbook & Automation Engineering
- Experience designing and building production-grade SOAR playbooks using Azure Logic Apps
- Ability to author, test, and document end-to-end automated incident response workflows
- Experience integrating Sentinel playbooks with external systems (ticketing, notification, identity) via Logic App connectors
- Familiarity with Azure Automation Runbooks and PowerShell-based remediation scripts
- Ability to conduct and document playbook testing including failure mode analysis
2.5 Defender XDR Suite
- Defender for Endpoint P2: large-scale deployment (500+ devices), onboarding via Intune/Group Policy/MDE script, policy management
- Defender Vulnerability Management (MDVM): dashboard configuration, CVE prioritisation, remediation workflow ownership
- Defender for Office 365 Plan 2: Safe Attachments, Safe Links, anti-phishing policy configuration, attack simulation training administration
- Microsoft Defender for Cloud Apps (MCAS): Cloud Discovery configuration, app risk scoring, anomaly detection policy setup
- Familiarity with Defender XDR unified portal: incident queue management, alert correlation, advanced hunting
2.6 Cloud Security Posture — Defender for Cloud
- Defender for Cloud (CSPM) deployment on Azure subscriptions
- Regulatory compliance dashboard configuration (HIPAA HITRUST, SOC 2 templates)
- Ability to interpret secure score, review recommendations, and drive remediation
2.7 Incident Response
- Hands-on experience authoring or significantly contributing to Incident Response plans
- Documented experience facilitating or participating in IR tabletop exercises
- Familiarity with SLA-based IR frameworks: detection, containment, notification timelines
- Experience with breach scenario documentation, post-incident reviews, and playbook iteration
- Awareness of HIPAA breach notification requirements (§164.410, 60-day rule) preferred
2.8 Purview Insider Risk Management
- Experience configuring Purview Insider Risk Management policies: data exfiltration, policy violations, departing employee scenarios
- Ability to review and interpret IRM alerts and produce reports for compliance or leadership review
- Understanding of IRM prerequisites (DLP labels, MDE integration)
2.9 Compliance Framework Awareness
- Working knowledge of SOC 2 Trust Services Criteria — particularly CC7.x (system monitoring, anomaly detection, incident response)
- Familiarity with HIPAA Security Rule §164.312(b) — Audit Controls requirements
- Awareness of HITRUST r2 framework structure and its relationship to HIPAA
- Understands what constitutes valid audit evidence for control testing purposes
3. Technical Skills Assessment
HR screening reference: use the table below to map candidate CV and interview responses against minimum proficiency thresholds.
| Skill / Tool | Category | Min. Proficiency | Min. Years | Requirement |
|---|---|---|---|---|
| Microsoft Sentinel | SIEM | Deployment + Operations | 3+ | Required |
| KQL (Kusto Query Language) | SIEM | Advanced | 3+ | Required |
| Azure Logic Apps (SOAR) | SOAR | Production playbook build | 2+ | Required |
| Defender for Endpoint P2 | Endpoint | Enterprise deployment | 2+ | Required |
| Defender Vulnerability Mgmt | Endpoint | Dashboard + remediation | 2+ | Required |
| Defender for Office 365 P2 | Email Security | Policy configuration | 2+ | Required |
| MCAS / Defender for Cloud Apps | Cloud Security | Cloud Discovery + policies | 1+ | Required |
| Defender for Cloud (CSPM) | Cloud Security | CSPM deployment | 1+ | Highly Preferred |
| Purview Insider Risk Mgmt | Compliance | Policy configuration | 1+ | Highly Preferred |
| Azure Automation / PowerShell | Automation | Runbook authoring | 1+ | Preferred |
| Incident Response Planning | IR | Authored or co-authored | 2+ | Required |
| Tabletop Exercise Facilitation | IR | Participated / facilitated | 1+ | Preferred |
| SOC 2 CC7.x Controls | Compliance | Working knowledge | — | Highly Preferred |
| HIPAA §164.312(b) | Compliance | Awareness | — | Preferred |
| HITRUST r2 Framework | Compliance | Awareness | — | Nice to Have |
| Multi-tenant Sentinel | SIEM | Architecture awareness | — | Nice to Have |
4. Certifications
| Certification | Issuing Body | Requirement |
|---|---|---|
| SC-200: Security Operations Analyst Associate | Microsoft | Required |
| AZ-500: Azure Security Engineer Associate | Microsoft | Highly Preferred |
| SC-100: Cybersecurity Architect Expert | Microsoft | Nice to Have |
Note: SC-200 is a hard requirement. Candidates without it must demonstrate an active study commitment and a credible path to certification within 90 days of joining.
5. Non-Technical Requirements
5.1 Communication & Documentation
- Ability to produce clear, structured technical documentation (alert rules, playbook runbooks, IR plans, evidence reports)
- Comfortable presenting security metrics and maturity status to non-technical stakeholders
- Able to translate SOC alerts and incidents into plain-language briefings for leadership
5.2 Evidence & Audit Mindset
- Understands that in compliance-driven environments, every control must be evidenced — screenshots, exports, sign-off records
- Experience producing or contributing to evidence packages for external auditors or assessors
- Systematic approach to naming, organising, and retaining compliance artefacts
5.3 Autonomy & Engineering Discipline
- Capable of independently owning a technical domain with minimal supervision
- Strong diagnostic and troubleshooting skills — able to isolate root causes in complex multi-layer environments
- Applies change management discipline: tests in non-production, documents changes, seeks approval before production deployment
6. HR Screening Checklist
Complete during phone screen or initial review. Verified column to be signed off by hiring manager after technical interview.
| Screening Question | Candidate Response | Verified |
|---|---|---|
| Does the candidate have 8–10 years of cybersecurity / cloud security experience? | | |
| Has the candidate deployed Microsoft Sentinel in a production environment? | | |
| Can the candidate demonstrate KQL skills (complex joins, time-series, custom workbooks)? | | |
| Has the candidate built SOAR playbooks using Azure Logic Apps in production? | | |
| Has the candidate deployed Defender for Endpoint P2 across 500+ devices? | | |
| Does the candidate hold SC-200, or have a documented plan to obtain it within 90 days? | | |
| Has the candidate worked in a regulated industry environment (healthcare, finance, or equivalent)? | | |
| Has the candidate worked on an Incident Response plan? | | |
| Can the candidate describe SOC 2 CC7.x controls in their own words? | | |
| Is the candidate comfortable producing evidence artefacts for external auditors? | | |
Legend: Record candidate response in ‘Candidate Response’ column (Yes / No / Partial). Hiring manager to mark ‘Verified’ after technical validation.