Tier 2/3 Cyber Security Analyst / Microsoft Sentinel/Microsoft Defender

Tier 2/3 Cyber Security Analyst / Microsoft Sentinel/Microsoft Defender Job Locations: US-DC-Washington Requisition ID: View phone number on click.appcast.io Position Category: Information Technology Clearance: Top Secret Responsibilities Position: Tier 2/3 Cyber Security Analyst - Microsoft Sentinel and Microsoft Defender Program: Peraton Federal Strategic Cyber Mission Peraton is seeking an experienced Tier 2/3 Cyber Security Analyst to join our Federal Strategic Cyber Mission program. This role requires a seasoned cybersecurity professional with extensive hands‑on experience implementing, configuring, and operating Microsoft Sentinel and Microsoft Defender security solutions. The ideal candidate will serve as a senior escalation point for complex security incidents, lead advanced threat‑hunting operations, and drive the maturation of detection capabilities across the Microsoft security ecosystem. Incident Detection, Analysis, and Response Detect, classify, process, track, and report cybersecurity events and incidents across the enterprise. Serve as senior escalation point for Tier 1 and Tier 2 triage, conducting in‑depth analysis of complex and coordinated threats in a 24x7x365 environment. Analyze logs from multiple sources (host, EDR, firewalls, IDS, servers) to identify, contain, and remediate suspicious activity. Characterize and analyze network traffic to identify anomalies and potential threats. Perform forensic analysis of host artifacts, network traffic, and email content. Analyze malicious scripts and code to mitigate threats. Conduct malware analysis and develop IOCs to support threat identification and mitigation. Microsoft Sentinel & Defender Engineering and Operations Design, implement, configure, and maintain Microsoft Sentinel SIEM, including workspace architecture, data connectors, and log ingestion pipelines. Develop and tune analytics rules, scheduled queries, NRT rules, and fusion rules to optimize detection fidelity. Create and maintain Sentinel workbooks, hunting queries, and automation playbooks (Logic Apps). Implement and manage Microsoft Defender for Endpoint (MDE), including ASR rules, AIR, policy configuration, and KQL‑based advanced hunting. Configure and operationalize Microsoft Defender for Identity, including sensor deployment, threat‑detection tuning, and lateral movement path analysis. Manage Microsoft Defender for Office 365, including Safe Attachments, Safe Links, anti‑phishing policies, and investigation capabilities. Implement and maintain Microsoft Defender for Cloud for CSPM, workload protection, and cloud‑native threat detection across multi‑cloud environments. Develop custom KQL queries for hunting, detection engineering, and security analytics across M365 Defender and Sentinel. Integrate Sentinel with SOAR, developing automated response playbooks and orchestration workflows. Monitor data connector health, troubleshoot ingestion issues, and optimize log collection. Implement and manage Microsoft Entra ID security capabilities including Conditional Access, Identity Protection, PIM, and access reviews. Threat Hunting & Intelligence Conduct proactive hunts for APTs using Sentinel and MDE hunting capabilities. Integrate and operationalize threat intelligence within Sentinel to enhance detection. Analyze threat intelligence reporting and apply adversary methodology knowledge to improve detection posture. Map detections and hunting hypotheses to MITRE ATT&CK and D3FEND frameworks. Collaboration & Reporting Collaborate with customer teams to investigate and respond to events and incidents. Monitor and respond via SOAR, hotline, and designated email inboxes. Create tickets and initiate workflows in accordance with SOPs. Coordinate and report incident information to CISA as required. Engage with local, national, and international CIRTs as directed. Submit alert tuning requests and lead ongoing detection engineering efforts. Mentor and provide technical guidance to Tier 1 and Tier 2 analysts on Microsoft security tools and incident response processes. Qualifications Minimum Requirements Education & Experience: Bachelor's degree and a minimum of 5 years of cybersecurity experience, OR a high school diploma and 9 years of cybersecurity experience. Minimum 3 years of hands‑on experience implementing and operating Microsoft Sentinel (workspace deployment, analytics rule development, workbook creation, playbook automation). Minimum 3 years of experience implementing and managing Microsoft Defender solutions (Defender for Endpoint, Defender for Identity, Defender for Office 365, and/or Defender for Cloud). Certifications: Must possess (or be able to obtain prior to start date) at least one of the following; continued certification is required as a condition of employment: CCNA‑Security; CND; CySA+; GICSP; GSEC; Security+ CE; SSCP Technical Skills Extensive proficiency in Kusto Query Language (KQL) for advanced detections, hunting queries, and Sentinel/M365 Defender analytical workbooks. Experience designing and implementing Microsoft Sentinel analytics rules (scheduled, NRT, fusion). Proven experience deploying and managing Microsoft Defender for Endpoint (policy configuration, ASR rules, AIR, live response). Experience with Microsoft Defender for Identity (sensor deployment, detection tuning, identity‑based investigations). Demonstrated experience across the full Incident Response lifecycle (Preparation through Lessons Learned). Knowledge of SOAR platforms and automated response systems (ServiceNow, Splunk SOAR, Sentinel Playbooks/Logic Apps). Experience with SIEM platforms (Sentinel, Splunk, Elastic, QRadar). Experience with EDR solutions (MDE, ElasticXDR, CarbonBlack, CrowdStrike). Knowledge of cloud security monitoring and incident response, especially in Azure. Ability to integrate IOCs and track APT actor activity. Ability to analyze threat intelligence and understand adversary techniques. Knowledge of static and dynamic malware analysis techniques. Knowledge of MITRE ATT&CK and D3FEND frameworks and ability to map detections. Clearance & Citizenship U.S. Citizenship required. Ability to obtain a Top Secret security clearance. Preferred Qualifications Microsoft SC200 (Security Operations Analyst) – highly preferred Microsoft SC100 (Cybersecurity Architect) Microsoft AZ500 (Azure Security Engineer) Microsoft SC300 (Identity and Access Administrator) Experience architecting multitenant or multiworkspace Sentinel environments Experience with Sentinel content hub solutions and custom content development Proficiency with Microsoft Defender for Cloud workload protection across Azure, AWS, and GCP Experience developing Logic Apps and Power Automate flows for security automation Proficiency with Splunk for monitoring, alerting, and threat hunting Knowledge of Microsoft Azure/Entra ID access and identity management (Conditional Access, PIM, Identity Protection) Experience with digital forensics tools (Autopsy, Magnet Forensics, KAPE, CyLR, Volatility, Zimmerman tools) Experience with ServiceNow SOAR for automated ticketing and response Proficiency in Python, PowerShell, and Bash for automation and tool development Ability to perform static/dynamic malware analysis and reverse engineering Experience integrating cyber threat intelligence and IOC‑based hunting into Sentinel TI module Experience leading purple team exercises and translating findings into actionable detections Preferred Certifications Microsoft: SC200, SC100, AZ500, SC300, SC900 Industry: SecurityX/CASP+, CySA+, Cloud+, GCIH, GCIA, GCFA, GNFA, GREM, GEIR, CCSP, CCSK, CHFI, GCLD, PRMP Practical: TryHackMe SAL1, HackTheBox CDSA, CyberDefenders CCD EEO: Equal opportunity employer, including disability and protected veterans, or other characteristics protected by law. #J-18808-Ljbffr Peraton