Stefanini Group is looking for a Security Automation Engineer for a globally recognized company! For interested applicants, click the apply button or you may reach out to Micah Andres at (248) 386-7399 for faster processing. Thank you!
Role Summary
A Security Automation Engineer to build and operationalize the automation that correlates CrowdStrike Falcon Device Control telemetry with Active Directory/Azure Entra ID group changes in Microsoft Sentinel, and then programmatically updates CrowdStrike Device Control policy group membership via API. The engineer will own the scripting, testing and configuration work, with our client, required to implement the end-to-end flow defined in our design.
Key Responsibilities
Build the event pipeline & data model
- Stand up and harden the FDR-to-S3 delivery for Falcon Device Control events (e.g. DcRemovableStorageDeviceConnected, DcUsbDevicePolicyViolation, DcUsbDeviceWhitelisted), ensuring schema normalization and lifecycle management in S3.
- Configure Microsoft Sentinel ingestion for FDR data and AD/Entra ID user/group events; develop KQL parsers, tables and data normalizations to support correlation.
Correlation & detection logic
- Author KQL analytics rules that join Windows Event IDs 4728/4729/6416/4663 with CrowdStrike Device Control events to identify when a user's group status should change a host's USB policy posture.
- Implement suppression/thresholding to reduce flapping and false positives (e.g. batch group changes, burst-aware dedupe).
Automation & integration
- Build idempotent automation (PowerShell, Python, Logic Apps, Functions or similar) that calls CrowdStrike APIs to move hosts into/out of the Device Control allow group based on Sentinel signals. Include robust error handling, retries and audit logging.
- Package automation as CI/CD artifacts (IaC where appropriate) with secure secrets handling (Key Vault/Secrets Manager).
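The correlation-and-suppression step (Correlation & detection logic) and the idempotent update step (Automation & integration) described above, as an added example in Python that is not the client's, Stefanini's or CrowdStrike's code. It collapses each user's 4728/4729 bursts into one net desired state, maps users to hosts through Device Control telemetry, diffs that against current host-group membership so a re-run makes no API calls, and retries a transient failure while writing every attempt to an audit trail. The AD group name, event field names, the Falcon client stub and all sample events are constructed assumptions.

```python
"""Correlate 4728/4729 group changes with Falcon Device Control telemetry, suppress
flapping, and make idempotent host-group changes with retries and an audit trail.
Added example on constructed data; the group name, field names and the Falcon
client stub are assumptions, not the client's design or CrowdStrike's API."""
from collections import defaultdict
from datetime import datetime, timedelta

USB_ALLOW_AD_GROUP = "USB-Allow-Users"   # assumed AD group that grants USB access
FLAP_WINDOW = timedelta(minutes=10)      # changes closer than this form one burst
# Constructed Windows Security events shaped like Sentinel SecurityEvent rows:
# 4728 = member added to a security-enabled global group, 4729 = member removed.
WINDOWS_EVENTS = [
    {"TimeGenerated": "2024-05-01T09:00:00", "EventID": 4728, "TargetUserName": "USB-Allow-Users", "MemberName": "CN=alice,OU=Users,DC=corp"},
    {"TimeGenerated": "2024-05-01T09:02:00", "EventID": 4729, "TargetUserName": "USB-Allow-Users", "MemberName": "CN=alice,OU=Users,DC=corp"},
    {"TimeGenerated": "2024-05-01T09:05:00", "EventID": 4728, "TargetUserName": "USB-Allow-Users", "MemberName": "CN=alice,OU=Users,DC=corp"},
    {"TimeGenerated": "2024-05-01T09:30:00", "EventID": 4729, "TargetUserName": "USB-Allow-Users", "MemberName": "CN=bob,OU=Users,DC=corp"},
    {"TimeGenerated": "2024-05-01T09:31:00", "EventID": 4728, "TargetUserName": "Finance-Readers", "MemberName": "CN=carol,OU=Users,DC=corp"},
]
# Constructed FDR Device Control events: which user was active on which host (aid).
FDR_EVENTS = [
    {"timestamp": "2024-05-01T08:50:00", "event_simpleName": "DcUsbDevicePolicyViolation", "aid": "aid-host-01", "UserName": "alice"},
    {"timestamp": "2024-05-01T08:55:00", "event_simpleName": "DcRemovableStorageDeviceConnected", "aid": "aid-host-02", "UserName": "bob"},
    {"timestamp": "2024-05-01T08:57:00", "event_simpleName": "DcUsbDeviceWhitelisted", "aid": "aid-host-03", "UserName": "bob"},
]

def net_group_state(events, group=USB_ALLOW_AD_GROUP, window=FLAP_WINDOW):
    """Group each user's 4728/4729 changes into bursts; act only on the final
    state of the last burst. Returns ({user: is_member}, suppressed_count)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["TimeGenerated"]):
        if e["TargetUserName"] != group or e["EventID"] not in (4728, 4729):
            continue
        user = e["MemberName"].split(",")[0].split("=", 1)[1].lower()  # CN=alice,... -> alice
        by_user[user].append((datetime.fromisoformat(e["TimeGenerated"]), e["EventID"] == 4728))
    desired, suppressed = {}, 0
    for user, changes in by_user.items():
        bursts, cur = [], [changes[0]]
        for ts, state in changes[1:]:
            if ts - cur[-1][0] <= window:
                cur.append((ts, state))       # same burst: intermediate flap, dropped
            else:
                bursts.append(cur)
                cur = [(ts, state)]
        bursts.append(cur)
        suppressed += sum(len(b) - 1 for b in bursts)
        desired[user] = bursts[-1][-1][1]     # net state after the last burst
    return desired, suppressed

def host_user_map(fdr_events, since):
    """user -> hosts (aid) with Device Control telemetry for that user since `since`."""
    hosts = defaultdict(set)
    for e in fdr_events:
        if e["event_simpleName"].startswith("Dc") and datetime.fromisoformat(e["timestamp"]) >= since:
            hosts[e["UserName"].lower()].add(e["aid"])
    return hosts

def plan_changes(desired, user_hosts, current_members):
    """Idempotent diff: a host is touched only if its membership differs from the desired state."""
    add, remove = set(), set()
    for user, should_allow in desired.items():
        for aid in user_hosts.get(user, ()):
            if should_allow and aid not in current_members:
                add.add(aid)
            elif not should_allow and aid in current_members:
                remove.add(aid)
    return sorted(add), sorted(remove)

class FakeFalconClient:
    """Stand-in for the CrowdStrike host-group API (assumption, not the real SDK)."""
    def __init__(self, members, fail_first=0):
        self.members, self.fail_first, self.calls = set(members), fail_first, 0
    def update_group_members(self, action, aids):
        self.calls += 1
        if self.fail_first > 0:               # simulate a transient error such as HTTP 429
            self.fail_first -= 1
            raise ConnectionError("429 Too Many Requests")
        (self.members.update if action == "add" else self.members.difference_update)(aids)

def apply_with_retry(client, action, aids, audit, retries=3):
    """Retry transient failures; every attempt is written to the audit trail."""
    for attempt in range(1, retries + 1):
        try:
            client.update_group_members(action, aids)
            audit.append(f"{action} {aids}: ok (attempt {attempt})")
            return True
        except ConnectionError as exc:
            audit.append(f"{action} {aids}: {exc} (attempt {attempt})")
    return False

def run(windows_events, fdr_events, client):
    """One pipeline pass; re-running on the same inputs makes no API calls."""
    desired, suppressed = net_group_state(windows_events)
    audit = [f"suppressed {suppressed} flapping group changes"]
    since = min(datetime.fromisoformat(e["TimeGenerated"]) for e in windows_events) - timedelta(hours=1)
    add, remove = plan_changes(desired, host_user_map(fdr_events, since), client.members)
    for action, aids in (("add", add), ("remove", remove)):
        if aids:
            apply_with_retry(client, action, aids, audit)
    return add, remove, audit
```

On the constructed data, alice is added, removed and re-added within ten minutes, so two intermediate flaps are suppressed and only her final membership drives the change; bob's removal takes both of his hosts out of the allow group; carol's change is in an unrelated group and is ignored; a host with no signal stays untouched. A second `run` against the same client returns empty add and remove lists, which is the idempotency property the automation needs so that replayed Sentinel signals never cause repeat policy churn.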
Testing & validation
- Develop unit tests for parsers and functions, integration tests for end-to-end flows (synthetic Windows events, synthetic FDR samples) and UAT runbooks for security operations.
- Create simulation data (sanitized/synthetic) to validate rules for the Event IDs and representative FDR Device Control events prior to production cutover.
Operations & documentation
- Build dashboards in Sentinel that show pipeline health, rule efficacy and host policy transitions.
- Document the full runbook: deployment, rollback, break-glass steps and change control.
- Train L2/L3 SOC and Help Desk on troubleshooting and manual override procedures.
Minimum Qualifications
- 5 years in security engineering/automation with SIEM (Microsoft Sentinel) and endpoint security integrations.
- Proficiency in KQL, Python and/or PowerShell, and REST/OAuth2 API integration.
- Hands-on experience with CrowdStrike Falcon (preferably Device Control), FDR pipelines and API-driven policy management.
- Solid understanding of Windows Security Event Log semantics, especially 4728/4729 (group membership changes), 6416 (new device recognized) and 4663 (file access), and how to correlate them with endpoint telemetry.
- Cloud data engineering basics: AWS S3 object lifecycle, schema evolution and secured ingestion; Azure identity fundamentals.
Preferred Qualifications
- Experience building SOAR playbooks (e.g. Sentinel Automation Rules/Logic Apps) and CI/CD pipelines for security automations.
- Prior implementation of device control/DLP workflows and handling USB policy exceptions at scale.
- Exposure to regulated environments (e.g. healthcare/life sciences) and change-controlled releases.
- Familiarity with Entra ID (formerly Azure AD) group modeling and hybrid AD sync nuances.
Required Experience:
IC