وظيفة مهندس اكتشاف لدى جامعة الملك عبدالله للعلوم والتقنية في مكة المكرمة

About the role

The Detection Engineer is responsible for designing, building, and continuously improving the organization’s threat detection capabilities. This role translates threat intelligence and adversary tactics into high‑fidelity detection logic, conducts proactive threat hunting to identify coverage gaps, and engineers automated detection content across the security stack. The Detection Engineer ensures security operations can effectively identify malicious activity while minimizing alert fatigue through precision detection engineering.

Major Accountabilities

Detection Development & Engineering

• Design, develop, and deploy detection rules and alerts across multiple security platforms (SIEM, EDR, NDR, cloud security tools)
• Create high‑fidelity detections based on threat intelligence, MITRE ATT&CK techniques, and emerging threats
• Write detection logic using query and rule languages (KQL, SPL, Sigma, YARA, etc.)
• Develop custom parsers and correlation rules for security event data
• Build detections for both known threats (IOCs) and behavioral or anomaly‑based patterns
• Continuously tune and optimize detection rules to reduce false positives while maintaining coverage

Threat Hunting & Research

• Conduct proactive threat‑hunting campaigns to identify gaps in detection coverage
• Analyze adversary tactics, techniques, and procedures (TTPs) to inform new detections
• Research emerging threats and translate findings into actionable detection content
• Develop hypotheses and use data analytics to validate or refute threat scenarios
• Document threat‑hunting activities, findings, and lessons learned

Detection Testing & Validation

• Perform regular testing of detection rules using attack simulation and red‑team exercises
• Validate detection efficacy against the MITRE ATT&CK framework
• Use tools such as Atomic Red Team, CALDERA, or custom scripts to generate test telemetry
• Measure and report on detection coverage and detection‑engineering KPIs
• Conduct purple‑team exercises in collaboration with offensive security teams

Data Source Engineering

• Identify and onboard new log sources to improve detection visibility
• Ensure log quality, completeness, and normalization across all data sources
• Partner with IT and engineering teams to configure optimal logging and telemetry
• Map data sources to MITRE ATT&CK techniques to identify coverage gaps
• Optimize data‑ingestion pipelines to support detection use cases

Automation & Tooling

• Develop automation workflows for detection deployment and management (Detection‑as‑Code)
• Build tools and scripts to streamline detection‑engineering processes
• Create automated response playbooks for common detection scenarios
• Implement CI/CD pipelines for detection content
• Integrate threat‑intelligence feeds into detection platforms

ITSM & Operational Management

• Manage detection‑related incidents, requests, and changes through ITSM workflows
• Create and track detection‑engineering work items in ticketing systems (ServiceNow, Jira, etc.)
• Document detection deployments, modifications, and rollbacks in alignment with change‑management processes
• Support problem management to identify and resolve recurring detection issues
• Maintain accurate CMDB records for detection rules and monitoring infrastructure
• Generate reporting on detection coverage, effectiveness, and operational performance
• Ensure SLA compliance for detection development and tuning requests

Collaboration & Knowledge Sharing

• Partner with SOC analysts to refine detections using operational feedback
• Collaborate with incident‑response teams to create detections from post‑incident learnings
• Work with threat‑intelligence teams to operationalize intelligence
• Create and maintain detection‑engineering documentation and runbooks
• Mentor junior detection engineers and SOC analysts

Technical Competencies

Detection & Query Languages

• Expert proficiency in at least two query languages: SPL (Splunk), KQL (Sentinel/Kusto), SQL, or equivalent
• Experience authoring detection logic in Sigma, YARA, Snort, Suricata, or similar formats
• Ability to translate detection logic across multiple platforms

Security Platforms & Tools

• Hands‑on experience with SIEM platforms (Splunk, Elastic Security, Microsoft Sentinel, Chronicle, QRadar)
• Experience with EDR/XDR solutions (CrowdStrike, SentinelOne, Microsoft Defender, Carbon Black)
• Familiarity with NDR tools (Zeek, Suricata, Corelight) and cloud security platforms
• Knowledge of SOAR platforms and detection orchestration tools

Threat Intelligence & Frameworks

• Deep understanding of MITRE ATT&CK and its application to detection engineering
• Experience operationalizing threat intelligence
• Strong knowledge of adversary behavior, TTPs, and attack patterns
• Familiarity with threat‑intelligence platforms and commercial/open‑source feeds

Programming & Scripting

• Proficiency in Python for automation, analytics, and tool development
• Experience with PowerShell and/or Bash for detection testing and validation
• Understanding of APIs, RESTful services, and data structures
• Experience with Git and CI/CD workflows

Log Analysis & Data Science

• Strong log analysis and parsing skills across diverse data types (endpoint, network, cloud, identity)
• Understanding of normalization, enrichment, and correlation techniques
• Familiarity with statistical analysis and anomaly‑detection approaches
• Knowledge of common log formats (JSON, CEF, LEEF, Syslog)

ITSM & Documentation

• Experience with ITSM platforms (ServiceNow, Jira Service Management, or equivalent)
• Working knowledge of ITIL processes (Incident, Change, Problem, Knowledge Management)
• Strong documentation skills, including runbooks and technical procedures
• Experience tracking and reporting security operations metrics and KPIs

Operating Systems & Networks

• Deep understanding of Windows, Linux, and macOS internals and forensic artifacts
• Strong knowledge of networking concepts, protocols, and traffic analysis
• Understanding of authentication and identity technologies (Kerberos, NTLM, SAML, OAuth)
• Familiarity with AWS, Azure, and/or GCP logging and security telemetry

Qualifications

• Bachelor’s degree in Computer Science, Information Security, or a related field (or equivalent experience)
• GIAC Certified Detection Analyst (GCDA) or equivalent preferred

Experience

• 3–5 years of experience in security operations, threat detection, or SOC environments
• Proven track record developing detection rules across multiple platforms
• Contributions to open‑source detection projects (e.g., Sigma, YARA)
• Experience with behavioral analytics or machine‑learning‑driven detection
• Exposure to offensive security, red teaming, or penetration testing
• Experience implementing Detection‑as‑Code pipelines
• Hands‑on experience with breach‑and‑attack simulation or threat‑emulation tools