Cywarden, Inc.
Website: cywarden.com
Job details:
Job Title: SOAR Engineer
Location: Chandigarh
Experience: 8+ Years
Employment Type: Full-time
About the role
Join Cywarden as a hands-on SOAR & SIEM Engineer to design, deploy and operate automated security orchestration and advanced detection at scale. You’ll implement and own Cortex playbooks and Sentinel content, integrate ticketing and threat-intel pipelines, and accelerate the SOC’s ability to detect, investigate, and respond — turning repeat incidents into automated, reliable remediation.
What success looks like
You will deliver a production-ready Cortex XSOAR automation platform, a tuned Microsoft Sentinel detection stack, and a set of robust playbooks and runbooks that reduce MTTR, improve analyst effectiveness, and drive measurable SOC maturity.
Core responsibilities
Phase 1 — Deploy & configure SOAR
- Deploy and harden a Cortex XSOAR environment; implement multi-tenant/role-based access, logging, and backup policies.
- Integrate telemetry and tooling: ingest alerts and context from Microsoft Sentinel, Cortex XDR, ticketing systems (ServiceNow / Jira), and threat-intel feeds.
- Develop automated playbooks for common incident types (phishing, malware, brute force, data exfiltration) that perform triage, enrichment, containment, and ticketing.
- Build custom integrations and playbooks using Python and YAML for client-specific workflows and third-party APIs.
- Implement incident classification, enrichment pipelines (threat intel, asset CMDB, user context), and auto-remediation flows where safe.
- Configure case management, SLAs, and automated assignment/notification rules to ensure timely escalations.
- Create war-room templates, collaboration workflows, and analyst handoff mechanisms.
Phase 2 — Operate, maintain & evolve
- Maintain playbooks, manage integrations, and respond to evolving use-cases and platform upgrades.
- Implement change-management and testing processes for playbook updates and connector changes.
- Continuously review playbook performance and implement improvements to reduce false positives and automation errors.
- Train SOC analysts on playbook usage, triage automation, and custom integrations.
Microsoft Sentinel & detection engineering
- Architect, deploy and optimize Microsoft Sentinel workspaces, connectors, and data ingestion pipelines.
- Create, test, and tune analytics rules and hunting queries using KQL; maintain watchlists, workbooks, and hunting notebooks.
- Integrate threat-intel platforms and IOCs into detection logic and SOAR playbooks.
- Build automation rules and logic apps that drive triage, enrichment, and automated response actions from Sentinel to XSOAR.
- Proactively hunt for threats using advanced KQL and collaborate with threat intel to operationalize new detections.
Escalation, investigations & collaboration
- Act as Tier 2/3 escalation point for complex investigations; assist L1 analysts with forensic enrichment and response decisions.
- Use endpoint tooling such as Microsoft Defender for Endpoint and network telemetry to validate and contain threats.
- Produce clear incident documentation, playbook runbooks, and SOC dashboards for leadership and audit purposes.
- Mentor junior engineers and analysts on automation best practices, KQL, Python integrations, and incident handling.
Must-have skills & experience
- 8+ years in security engineering, SOC automation, or incident response; 4+ years working with Sentinel or Cortex ecosystems preferred.
- Hands-on experience deploying and operating Cortex XSOAR playbooks (Python/YAML) and managing integrations.
- Strong Microsoft Sentinel capability: KQL authoring, analytics rule creation, workbooks, data connectors, and automation rules.
- Practical experience building Logic Apps or automation that triggers containment actions (isolate host, block IOC, disable accounts).
- Solid scripting skills (Python required; PowerShell/Bash a plus).
- Proven ability to translate SOC use-cases into automation and to validate safe auto-remediation.
- Good understanding of endpoint forensics, EDR workflows, and log sources (endpoints, AD/Entra, cloud, network).
- Excellent documentation skills, clear communicator, and comfortable working in 24×7 shift environments.
Nice-to-have
- Certifications: Palo Alto/Prisma or Cortex XSOAR certifications, Microsoft certifications (SC-200, AZ-500, MS-500).
- Experience integrating XSOAR with ServiceNow/Jira and threat-intel platforms.
- Familiarity with Cribl, Splunk or other log routing/processing tools.
- Experience with purple-team exercises, adversary emulation, or building detection content from threat intelligence.