Tier 2/3 Cyber Security Analyst - Microsoft Sentinel and Microsoft Defender

About

Peraton is seeking an experienced Tier 2/3 Cyber Security Analyst to join our Federal Strategic Cyber Mission program. This role requires a seasoned cybersecurity professional with extensive hands‑on experience implementing, configuring, and operating Microsoft Sentinel and Microsoft Defender security solutions. The ideal candidate will serve as a senior escalation point for complex security incidents, lead advanced threat‑hunting operations, and drive the maturation of detection capabilities across the Microsoft security ecosystem.

Key Responsibilities:

Incident Detection, Analysis, and Response

• Detect, classify, process, track, and report cybersecurity events and incidents across the enterprise.
• Serve as senior escalation point for Tier 1 and Tier 2 triage, conducting in‑depth analysis of complex and coordinated threats in a 24x7x365 environment.
• Analyze logs from multiple sources (host, EDR, firewalls, IDS, servers) to identify, contain, and remediate suspicious activity.
• Characterize and analyze network traffic to identify anomalies and potential threats.
• Perform forensic analysis of host artifacts, network traffic, and email content.
• Analyze malicious scripts and code to mitigate threats.
• Conduct malware analysis and develop IOCs to support threat identification and mitigation.

Microsoft Sentinel & Defender Engineering and Operations

• Design, implement, configure, and maintain Microsoft Sentinel SIEM, including workspace architecture, data connectors, and log ingestion pipelines.
• Develop and tune analytics rules, scheduled queries, NRT rules, and fusion rules to optimize detection fidelity.
• Create and maintain Sentinel workbooks, hunting queries, and automation playbooks (Logic Apps).
• Implement and manage Microsoft Defender for Endpoint (MDE), including ASR rules, AIR, policy configuration, and KQL-based advanced hunting.
• Configure and operationalize Microsoft Defender for Identity, including sensor deployment, threat‑detection tuning, and lateral movement path analysis.
• Manage Microsoft Defender for Office 365, including Safe Attachments, Safe Links, anti-phishing policies, and investigation capabilities.
• Implement and maintain Microsoft Defender for Cloud for CSPM, workload protection, and cloud-native threat detection across multi-cloud environments.
• Develop custom KQL queries for hunting, detection engineering, and security analytics across M365 Defender and Sentinel.
• Integrate Sentinel with SOAR, developing automated response playbooks and orchestration workflows.
• Monitor data connector health, troubleshoot ingestion issues, and optimize log collection.
• Implement and manage Microsoft Entra ID security capabilities including Conditional Access, Identity Protection, PIM, and access reviews.

Threat Hunting & Intelligence

• Conduct proactive hunts for APTs using Sentinel and MDE hunting capabilities.
• Integrate and operationalize threat intelligence within Sentinel to enhance detection.
• Analyze threat intelligence reporting and apply adversary methodology knowledge to improve detection posture.
• Map detections and hunting hypotheses to MITRE ATT&CK and D3FEND frameworks.

Collaboration & Reporting

• Collaborate with customer teams to investigate and respond to events and incidents.
• Monitor and respond via SOAR, hotline, and designated email inboxes.
• Create tickets and initiate workflows in accordance with SOPs.
• Coordinate and report incident information to CISA as required.
• Engage with local, national, and international CIRTs as directed.
• Submit alert tuning requests and lead ongoing detection engineering efforts.
• Mentor and provide technical guidance to Tier 1 and Tier 2 analysts on Microsoft security tools and incident response processes.

Minimum Requirements

Education & Experience

• Bachelor’s degree and a minimum of 5 years of cybersecurity experience, OR a high school diploma and 9 years of cybersecurity experience.
• Minimum 3 years of hands-on experience implementing and operating Microsoft Sentinel (workspace deployment, analytics rule development, workbook creation, playbook automation).
• Minimum 3 years of experience implementing and managing Microsoft Defender solutions (Defender for Endpoint, Defender for Identity, Defender for Office 365, and/or Defender for Cloud).

Certifications

• Must possess (or be able to obtain prior to start date) at least one of the following; continued certification is required as a condition of employment: CCNA-Security; CND; CySA+; GICSP; GSEC; Security+ CE; SSCP

Technical Skills:

• Extensive proficiency in Kusto Query Language (KQL) for advanced detections, hunting queries, and Sentinel/M365 Defender analytical workbooks.
• Experience designing and implementing Microsoft Sentinel analytics rules (scheduled, NRT, fusion).
• Proven experience deploying and managing Microsoft Defender for Endpoint (policy configuration, ASR rules, AIR, live response).
• Experience with Microsoft Defender for Identity (sensor deployment, detection tuning, identity-based investigations).
• Demonstrated experience across the full Incident Response lifecycle (Preparation through Lessons Learned).
• Knowledge of SOAR platforms and automated response systems (ServiceNow, Splunk SOAR, Sentinel Playbooks/Logic Apps).
• Experience with SIEM platforms (Sentinel, Splunk, Elastic, QRadar).
• Experience with EDR solutions (MDE, ElasticXDR, CarbonBlack, CrowdStrike).
• Knowledge of cloud security monitoring and incident response, especially in Azure.
• Ability to integrate IOCs and track APT actor activity.
• Ability to analyze threat intelligence and understand adversary techniques.
• Knowledge of static and dynamic malware analysis techniques.
• Knowledge of MITRE ATT&CK and D3FEND frameworks and ability to map detections.

Clearance & Citizenship

• U.S. Citizenship required.
• Ability to obtain a Top Secret security clearance.

Preferred Qualifications:

• Microsoft SC‑200 (Security Operations Analyst) — highly preferred
• Microsoft SC‑100 (Cybersecurity Architect)
• Microsoft AZ‑500 (Azure Security Engineer)
• Microsoft SC‑300 (Identity and Access Administrator)
• Experience architecting multi‑tenant or multi‑workspace Sentinel environments
• Experience with Sentinel content hub solutions and custom content development
• Proficiency with Microsoft Defender for Cloud workload protection across Azure, AWS, and GCP
• Experience developing Logic Apps and Power Automate flows for security automation
• Proficiency with Splunk for monitoring, alerting, and threat hunting
• Knowledge of Microsoft Azure/Entra ID access and identity management (Conditional Access, PIM, Identity Protection)
• Experience with digital forensics tools (Autopsy, Magnet Forensics, KAPE, CyLR, Volatility, Zimmerman tools)
• Experience with ServiceNow SOAR for automated ticketing and response
• Proficiency in Python, PowerShell, and Bash for automation and tool development
• Ability to perform static/dynamic malware analysis and reverse engineering
• Experience integrating cyber threat intelligence and IOC-based hunting into Sentinel TI module
• Experience leading purple team exercises and translating findings into actionable detections
• Additional preferred certifications:
  • Microsoft: SC‑200, SC‑100, AZ‑500, SC‑300, SC‑900
  • Industry: SecurityX/CASP+, CySA+, Cloud+, GCIH, GCIA, GCFA, GNFA, GREM, GEIR, CCSP, CCSK, CHFI, GCLD, PRMP
  • Practical: TryHackMe SAL1, HackTheBox CDSA, CyberDefenders CCD