SIEM Rule Developer
- 5+ years technical experience working in a SOC and cyber security incident response.
- 4+ years' experience in SIEM administration and integration.
- Experience with one or more Security Information and Event Management (SIEM) solutions (such as McAfee, LogLogic, Splunk, QRadar, ArcSight).
- In-depth understanding of security threats (preferably the OWASP Top 10 vulnerabilities), attack methods and the current threat environment.
- Understanding of common attacks (e.g. brute force, SYN flood, session hijacking, smurf, etc.) and their SIEM signatures.
- Experience in security monitoring, Incident Response (IR), security tools configuration and security remediation
- Must have excellent troubleshooting and analytical skills. Must be able to clearly articulate and propose security solutions in business terms. Must be able to multitask in a fast-paced environment.
- Understanding of network protocols (TCP/IP stack, SSL/TLS, IPsec, SMTP/IMAP, FTP, HTTP, etc.).
- Understanding of operating system, web server, database and security device (firewall/NIDS/NIPS) logs and log formats.
- Understanding of String Parsing and Regular Expressions.
- Desirable software tools proficiency: McAfee SIEM, Wireshark, Nessus, tcpdump, Nikto, Outlook, etc.
- Development of parsers (Regex based) and correlation rules to detect cyber-attacks and insider threats. Customization of default parsers.
- Development of trend analysis graphs for critical events based on event correlation.
- Ensure integration of RJIL's critical IT infrastructure with the SIEM.
- Ensure precise data source configuration at the data source and SIEM appliance end to pull logs from different data sources such as OS, DB, application, web/file servers and security devices (NIPS, firewall, HIPS, proxy, WAF), etc.
- Monitor the health status of SIEM appliances and troubleshoot network, storage, parsing and software configuration issues.
- Interact with the OEM team for support and closure of support issues.
- Develop SIEM playbooks and train the SOC monitoring team on SIEM correlation rules, parsers, raw packets and incident detection.
- Optimize SIEM performance by monitoring cache at DS, ERC and ESM, storage pool utilization at ELM, balancing overall EPS across multiple ERCs, and monitoring processes/services/queries running at ERC, ESM and ACE vis-à-vis their CPU utilization, etc.
- Develop and maintain an issue tracker with detailed RCA.
- Monitor and control SIEM access lists; develop backend customized reports as per the requirements of the SOC monitoring team.
- Prepare SIEM dashboards, Integration