The mission of Microsoft Digital is to power, protect, and transform Microsoft as the voice of our digital transition in the market. As part of Microsoft’s Cloud + AI Group, we are responsible for building, managing, and securing the platform, products, processes, and services that power Microsoft. We build, maintain, and implement a cloud-first approach to our technology and experiences, from custom-built business solutions developing our campus of the future and our productivity and collaboration experiences like Teams and SharePoint, to horizontal third-party solutions like SAP and Adobe. As a steward of Microsoft’s and our customers’ data, a core function of Microsoft Digital is ensuring the security of every aspect of the business. Microsoft Digital is responsible for company-wide information security and compliance, with a strategic focus on information protection, assessment, awareness, governance, and enterprise business continuity. Microsoft Digital’s charter is also to influence and work alongside engineers across the company and with strategic partners to build and grow their cloud products and services. As customer zero, we deploy these services inside Microsoft and then share best practices with enterprise customers at scale across the globe. We have exciting opportunities for you to innovate, influence, transform, inspire, and grow within our organization, and we encourage you to apply to learn more!
The Digital Security and Resilience (DSR) team is looking for a seasoned Security Engineer to work as a Cyber Hunt Analyst in the Cyber Defense Operations Center (CDOC). As part of this dynamic and high-impact team, you will have the opportunity to seek out adversary tactics, techniques, and procedures (TTPs) in our environment through the use of advanced security technologies combined with your own creative hunting methodologies.
In this role, you will focus on developing and executing threat hunting operations to discover adversary activities that are not detected through traditional detection capabilities. You will be able to leverage first-class security partners and threat intelligence teams to derive and hunt on known indicators of compromise, as well as develop strategies for discovering new techniques used by adversaries.
For greatest impact, you will develop and automate your hunt methodologies and findings to operationalize the capability across the Security Operations Center (SOC). Extending beyond the traditional blue team role, you will engage red teams and participate in purple team exercises that will build your perspective of the adversarial mindset as well as identify new techniques that need to be hunted. Finally, you will play a critical role in the continuous monitoring of and response to major incidents affecting the enterprise.
Preferred work locations:
Atlanta, Georgia
Austin, Texas
Redmond, Washington
Reston, Virginia
Remote in the U.S.
Responsibilities
Key responsibilities:
Develop, document, and execute threat hunting operations to detect known adversary TTPs.
Perform threat hunting operations across numerous data sets and security products to identify new and emerging adversary TTPs.
Build and deploy automation and tools that enable hunting methodologies, investigation techniques, data enrichment, and workflow efficiencies. Operationalize these capabilities across the SOC.
Document and communicate hunt methodologies and findings. Provide metrics to measure the impact of hunting operations.
Collaborate with internal security partners, red teams, and threat intelligence teams to identify, prioritize, and research threat actor behaviors.
Detect and respond to advanced threats, actor techniques, and anomalous or suspicious activity, combined with intelligence, to identify potential and active risks to systems and data.
Provide investigations, response, and root cause analysis for major incidents affecting the enterprise.
Qualifications
Basic Qualifications:
Bachelor’s degree in Computer Science or Engineering, or a related field, or equivalent alternative education, skills, and/or practical experience.
3 years of experience in security operations, threat hunting and analysis, and/or incident response.
At least 1 year of experience automating and/or scripting with Python, Jupyter Notebooks, PowerShell, C#, or JavaScript.
At least 1 year of experience working with SQL-based databases, Kusto, or Log Analytics.
Preferred Qualifications:
Must have strong verbal and written communication skills; ability to communicate effectively with internal and external business partners as well as technical and non-technical staff.
Demonstrated enthusiasm for learning new things and ability to pick up new ideas quickly.
Participate in current operations shifts, on-call rotation, and focus area rotations.
Demonstrated knowledge of common and emerging attack techniques.
Experience developing on Azure PaaS technologies such as Functions (and Durable Functions), Storage (blob, table, queues), and Logic Apps.
Experience correlating across very large and diverse datasets (Azure Data Lake, Azure Data Explorer, Cosmos DB).
Experience analyzing a wide variety of network and host security logs to detect and resolve security issues.
Understanding of common threat analysis models such as the Diamond Model, Cyber Kill Chain, and MITRE ATT&CK.
Deep understanding of system internals on macOS, Windows, and Linux.
Background in malware analysis.
Experience working within a diverse organization to gain support for your ideas; seeks to leverage the work of others to increase effectiveness.
Ability to effectively multi-task and prioritize in a fast-paced environment.
Demonstrates maturity and leadership qualities when dealing with conflicting views and difficult conversations.
The ideal candidate will have experience in a team environment, experience in a Security Operations Center or equivalent experience in enterprise-scale services and platforms, experience in the development of security tools and automated investigations to support hunting operations, and technical depth in a highly dynamic, complex environment.
Microsoft is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to age, ancestry, color, family or medical care leave, gender identity or expression, genetic information, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran status, race, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable laws, regulations and ordinances. We also consider qualified applicants regardless of criminal histories, consistent with legal requirements. If you need assistance and/or a reasonable accommodation due to a disability during the application or the recruiting process, please send a request via the Accommodation request form.
Job ID: 28251