Lead Threat Detection Engineering

Information Security Engineering

Location: 1525 W W T Harris Blvd., Charlotte, NC – 28262 – Hybrid Roles Charlotte, Chandler, Minneapolis, Dallas (Las Colinas)

Job Descriptions:

In this contingent resource assignment, you may:

• Consult on complex initiatives with broad impact and large-scale planning for Information Security Engineering.
• Review and analyze complex multi-faceted, larger scale or longer-term Information Security Engineering challenges that require in-depth evaluation of multiple factors including intangibles or unprecedented factors.
• Contribute to the resolution of complex and multi-faceted situations requiring solid understanding of the function, policies, procedures, and compliance requirements that meet deliverables.
• Strategically collaborate and consult with client personnel.

Required Qualifications:

5+ years of Information Security Engineering experience, or equivalent demonstrated through one or a combination of the following: work or consulting experience, training, military experience, education.

This is a Threat Detection Engineering position. - 5+ years in threat detection engineering, security operations, or incident response, with at least 3 years focused on writing and tuning detections.

Demonstrated ownership of a detection lifecycle or detection engineering program (requirements, design, implementation, tuning, decommission).

Proven experience working in large or complex environments (multi-tenant, multi-cloud, or global enterprises).

Technical Skills – Detection Engineering:

Strong experience writing and tuning detections in:

• SIEM: Splunk (SPL proficiency required; advanced search, macros, data models, scheduled searches, alerting).
• EDR/XDR: CrowdStrike (Falcon platform; custom IOA rules, detection tuning, exclusion logic).
• Microsoft Security:
• Microsoft Defender for Endpoint / Defender for Cloud Apps.
• Kusto Query Language (KQL) for Microsoft Sentinel and M365 Defender.
• Cloud Platforms:
• Azure (log analytics, activity logs, Azure AD, Defender for Cloud).
• GCP (Cloud Logging, Security Command Center, IAM, network telemetry).
• Ability to translate attacker techniques (TTPs) into detection logic across multiple platforms.

Threat & Attack Knowledge:

Deep understanding of:

• MITRE Telecommunication&CK (enterprise matrix; TTP coverage, mapping detections to Telecommunication&CK).
• Common adversary tradecraft: phishing, ransomware, lateral movement, privilege escalation, exfiltration, cloud account compromise, identity misuse.
• Ability to perform detection gap analysis based on recent threats (e.g., ransomware families, cloud-native attacks, identity-based attacks).
• Familiarity with threat client sources and how to operationalize them into detection content.

Detection Fidelity & Quality:

Demonstrated experience:

• Measuring and improving detection fidelity (precision/recall, false positive/negative analysis).
• Designing and executing test plans for detections (simulations, red team findings, adversary emulation tools).
• Using test frameworks (e.g., Atomic Red Team, Caldera, commercial breach & attack simulation) to validate detection coverage.
• Experience building and maintaining:
• Top talker" detection dashboards and metrics.
• Feedback loops with SOC analysts to continuously refine detection logic.
• Runbooks or playbooks tied to specific detections.

Data Engineering & Telemetry Understanding:

Strong grasp of logging and telemetry:

• Windows event logs, Sysmon, Linux logs.
• Network telemetry (NetFlow, firewall logs, proxy/DNS).
• Identity and access logs (Azure AD, Okta, on-prem AD).
• Cloud-native logs (Azure, GCP, AWS if applicable).

Ability to:

• Assess log quality and coverage (what's being collected, from where, and how often).
• Specify data requirements for new or improved detections.
• Work with platform or infra teams to onboard or normalize new log sources.

Engineering & Automation Mindset:

Proficiency in one or more scripting/programming languages (Python, PowerShell, or similar) for:

• Detection content automation (mass updates, testing, reporting).
• Building small tools to support detection analysis or enrichment.
• Experience with version control and SDLC-like processes for detection content:
• Git (branching, pull requests, code review).
• Change management, testing, and staged rollout of new rules.
• Familiarity with infrastructure-as-code / configuration-as-code for security tooling (nice to have, not required).

EEO: "Mindlance is an Equal Opportunity Employer and does not discriminate in employment on the basis of – Minority/Gender/Disability/Religion/LGBTQI/Age/Veterans."