Security Automation Engineer

Role Summary

A Security Automation Engineer to build and operationalize the automation that correlates CrowdStrike Falcon Device Control telemetry with Active Directory/Azure Entra ID group changes in Microsoft Sentinel, and then programmatically updates CrowdStrike device control policy group membership via API. The engineer will own the scripting, testing, and configuration working - with our client - required to implement the end‑to‑end flow defined in our design.

Key Responsibilities

Build the event pipeline & data model

• Stand up and harden the FDR to S3 delivery for Falcon Device Control events (e.g., DcRemovableStorageDeviceConnected, DcUsbDevicePolicyViolation, DcUsbDeviceWhitelisted, etc.), ensuring schema normalization and lifecycle management in S3.
• Configure Microsoft Sentinel ingestion for FDR data and AD/Entra ID user/group events; develop KQL parsers, tables, and data normalizations to support correlation.

Correlation & detection logic

• Author KQL analytics/rules that join Windows Event IDs 4728/4729/6416/4663 with CrowdStrike Device Control events to identify when a user's group status should change host USB policy posture.
• Implement suppression/thresholding to reduce flapping and false positives (e.g., batch group changes, burst‑aware dedupe).

Automation & integration

• Build idempotent automation (PowerShell, Python, Logic Apps, Functions, or similar) that calls CrowdStrike APIs to move hosts into/out of the Device Control allow group based on Sentinel signals. Include robust error handling, retries, and audit logging.
• Package automation as CI/CD artifacts (IaC where appropriate), with secure secrets handling (Key Vault/Secrets Manager).

Testing & validation

• Develop unit tests for parsers and functions, integration tests for end‑to‑end flows (synthetic Windows events + synthetic FDR samples), and UAT runbooks for security operations.
• Create simulation data (sanitized/synthetic) to validate rules for Event IDs 4728, 4729, 6416, 4663 and representative FDR Device Control events prior to production cutover.

Operations & documentation

• Build dashboards in Sentinel that show pipeline health, rule efficacy, and host policy transitions.
• Document the full runbook: deployment, rollback, break‑glass steps, and change control.
• Train L2/L3 SOC and Help Desk on troubleshooting and manual override procedures.

Minimum Qualifications

• 5+ years in security engineering/automation with SIEM (Microsoft Sentinel) and endpoint security integrations.
• Proficiency in KQL, Python and/or PowerShell, and REST/OAuth2 API integration.
• Hands‑on experience with CrowdStrike Falcon (preferably Device Control), FDR pipelines, and API‑driven policy management. 
• Solid understanding of Windows Security Event Log semantics-especially 4728/4729 (group membership changes), 6416 (new device recognized), 4663 (file access)-and how to correlate with endpoint telemetry.
• Cloud data engineering basics: AWS S3 object lifecycle, schema evolution, and secured ingestion; Azure identity fundamentals.

Preferred Qualifications

• Experience building SOAR playbooks (e.g., Sentinel Automation Rules/Logic Apps) and CI/CD pipelines for security automations.
• Prior implementation of device control/DLP workflows and handling USB policy exceptions at scale.
• Exposure to regulated environments (e.g., healthcare/life sciences) and change‑controlled releases.
• Familiarity with Entra ID (formerly Azure AD) group modeling and hybrid AD sync nuances.