
SOAR Automation Engineer (Alabang)

Stefanini Group
Contract
On-site
Alabang, Philippines
Automation
Details:

About the role

You will join our Security Automation team to eliminate toil, accelerate incident response, and measurably reduce risk. You will be the hands-on expert designing, building, and operating automations across Microsoft Sentinel SOAR (Logic Apps/Playbooks) that streamline day-to-day IR activities and reduce MTTA/MTTR and analyst effort.

What will you do?

  • Design & build SOAR playbooks in Microsoft Sentinel to automate enrichment, triage, notifications, containment, and post-incident tasks (e.g., block indicators, disable accounts, isolate endpoints).
  • Integrate ecosystems: EDR/XDR, firewalls, TI feeds, cloud platforms, identity stores (Entra ID), messaging (Teams/Slack), and evidence stores.
  • Own reliability: implement robust error handling, retries/idempotency, health checks, observability (logs/metrics), and secrets management (e.g., Key Vault).
  • Improve detection-to-response flow: enrich alerts, reduce false positives, and streamline handoffs between SIEM, SOAR, and ServiceNow.
  • Governance & SDLC: version control (Git), code reviews, CI/CD, change control, documentation and runbooks.
  • Enable the SOC: create reusable automation building blocks, write playbook docs, and train analysts to safely run automations.

What do you need to succeed?

  • 4+ years working with SOAR (preferably Microsoft Sentinel/Logic Apps) and/or 4+ years hands-on experience with ServiceNow automations.
  • Strong SOAR engineering: event parsing, enrichment patterns, containment actions, webhooks, OAuth/service principals, and API integrations.
  • Proficiency in scripting/automation: Python and/or PowerShell; comfortable with JSON, REST, and event-driven patterns.
  • Git-based SDLC and basic CI/CD familiarity; writing clean, tested, maintainable code.
  • Clear, concise communication with engineers, analysts, and stakeholders.
Nice to have

  • KQL (Microsoft Sentinel analytics, hunting, watchlists, data connectors).
  • Microsoft cloud automation: Azure Logic Apps, Functions, Automation Accounts, Key Vault, Managed Identities, RBAC.
  • Knowledge of EDR/XDR (Microsoft Defender), TIPs, and common IR tools.
  • Experience with IntegrationHub spokes (e.g., Microsoft, Slack/Teams, Jira) or building custom spokes.
  • Familiarity with Infrastructure-as-Code (ARM/Bicep/Terraform), Zero Trust patterns.
  • Practical security ops mindset: incident lifecycle, SOC workflows, MITRE ATT&CK concepts, and measurable improvements to MTTR.

Languages: English (High level)

Qualifications

  • Bachelor's degree in computer science/engineering or equivalent hands-on experience.
  • Minimum 3 years working SOAR (Microsoft Sentinel preferred).

Desired certifications, courses and training

  • SC-100: Microsoft Cybersecurity Architect.
  • AZ-500: Azure Security Engineer.
  • AZ-400: DevOps Engineer Expert.
