WorkWave - Security Operations Engineer

• We are seeking a Security Operations Engineer with a builder’s mindset to join our team. In this role, you will bridge the gap between Security and Engineering, partnering with our engineering teams to consolidate our logging and build a unified observability platform (logs, metrics, synthetics). • You will be the primary architect of our detection logic, responsible for implementing our new SIEM and transforming raw data into high-fidelity alerts. While you will not be the sole monitor of our environment, you will serve as the technical escalation point for our MDR provider (Sophos) and the primary owner of our incident response framework—building the runbooks, playbooks, and triage guides that define how we respond to threats. This is a unique opportunity for an experienced professional to step up from day-to-day analysis and own the design and implementation of a modern detection and response program. • ## SIEM Implementation & Detection Engineering • Serve as the primary implementer for the new SIEM solution, configuring data ingestion and tuning the platform for optimal performance. • Own the security observability platform on Grafana (Loki/LogQL, Prometheus/PromQL, Grafana Alerting; OTel for collection), including onboarding sources, parsing, enrichment, and alert routing. • Own the "Content Engineering" lifecycle: Write, test, and tune detection rules and queries (LogQL, PromQL, SPL, KQL, SQL, etc.) to identify malicious activity with low false-positive rates. • Partner with the Engineering team to ensure the new observability platform captures the right security telemetry and logs. • Serve as the primary operator for security monitoring and initial incident triage, participating in the on-call rotation. • ## Telemetry Engineering & Observability (Security) • Define logging standards and required security telemetry for product and infrastructure. • Own log onboarding, parsing, enrichment, normalization, retention, and cost controls. • Build dashboards and SLOs for security telemetry health (coverage, latency, drop rate). • ## Incident Response & Process Development • Develop and maintain the library of Incident Response documents, including Triage Books, Runbooks, and Playbooks for future on-call rotation. • Act as the primary technical liaison for our MDR provider (Sophos), ensuring they have the context needed to monitor effectively. • Lead deeper analysis and threat hunting investigations for complex alerts escalated by the MDR or internal teams. • Own alert routing and incident tracking integration (PagerDuty + Jira/Slack), including severity model, escalation paths, and reporting. • Lead incident coordination, write post-incident reviews, and drive corrective actions with Engineering. • Own phishing detection/response workflows and playbooks (user reports, triage, containment). • ## Operational Health & Optimization • Continuously evaluate the efficacy of alerts and automations; refine logic to reduce alert fatigue. • Assist in defining log schemas to ensure data is parsed correctly for both security and engineering use cases. • Evaluate and implement AI-assisted tools to streamline query generation and dashboard creation. • Own the integration and correlation between MDR alerts and internal SIEM/incident tracking. • Implement least-privilege access to security telemetry and ensure logging pipelines avoid sensitive data leakage.