SIEM Content Developer/Detection Engineer

Job Locations DE-Wiesbaden
Job Post Information* : Posted Date 7 months ago(9/8/2022 12:02 PM)
Location : Location
Potential for Remote
Clearance Requirement
Top Secret/SCI
Job Requires Relocation
Job Requires Relocation


SOS International LLC (SOSi) is seeking a SIEM Content Developer/Detection Engineer to join our team in Wiesbaden, Germany. Create analytics to alert intrusion detection analysts using device audit and network log data. Build dashboards, reports, charts, and saved searches to increase efficiency of cyber defense workloads with specific emphasis on network operations and cyber warfare tactics, techniques, and procedures for DoD information networks. Analyze host and network events to determine the best way to address Mitre Attack correlations to determine adversary capability, and develop analytics based on indicators of compromise to leverage the SIEM. Coordinate the signature updates for various NIDS and HIDS solutions. Drive the tuning of analytic platforms to improve efficiencies in detection of anomalies and malicious events. Prepare reports on current analytics based from the capabilities of the detection rates. Develop and maintain analytical procedures to meet changing requirements and ensure maximum operations.


  • Create analytics with a SIEM to identify patterns, anomalies, and compromising indicators to alert Cyber Incident responders  
  • Create dashboards in the SIEM platform to tip analysts to malicious activities directed against the DoD information systems 
  • Create dashboards and report in the SIEM platform to assist network defenders in identifying issues and concerns 
  • Perform daily review of analytic performance on the SIEM identifying correlation engine slowdowns 
  • Evaluate intrusion detection sensor configurations for proper alert capability 
  • Evaluate intrusion detection signature for appropriateness to DoD networks and implement rules as required 
  • Coordinate upgrades to host and network alert systems to improve detection capabilities 
  • Contribute to the design, development and implementation of countermeasures, system integration, and tools specific to Cyber and Information Operations  
  • Assist in the integration of additional security platforms to correlate new data with HIDS and NIDS alerts 
  • Prepare and presents technical reports and briefings  
  • Assist all sections of the Defensive Cyber Operations team as required in performing analytic detection 
  • Write reports on capabilities of the defensive cyber operations to increase customer situational awareness and improve the customer’s cyber security posture


  • An active in scope Top Secret/SCI clearance is required
  • US citizenship required
  • Bachelor of Science/Arts (Engineering or Computer Science or Science or Business Administration or Mathematics) +3, AS +7, major certification +7 or 11+ years specialized experience
  • DoD IAT Level II certification (CCNA-Security, CND, CySA+, GICSP, GSEC, Security+ CE, or SSCP) or higher is required
  • DoD 8570 CSSP-Auditor (CySA+, GCIA, GCIH, SCYBER, CEH)
  • A current computing environment certification such as MCSA, RHCSA, CCNA, CEH, ArcSight, etc. 
  • Must have a full, complete, and in-depth understanding of all aspects of Defensive Cyber Operations 
  • Must have experience in developing complex dashboards, report, and automated searches in Splunk, ArcSight, or Elastic/Kibana 
  • Must be fluent in all aspects of government and corporate communications media to include all MS Office products and common task ticketing systems 
  • Must have a good breadth of knowledge of common ports and protocols of system and network services 
  • Experience with intrusion detection systems such as Snort, Suricata, TippingPoint, and Zeek  
  • Experience in packet captures and analyzing a network packet 
  • Experience with one or more scripting languages such as PowerShell, Bash, Python 
  • Must have the demonstrated ability to communicate with a variety of stakeholders in a variety of formats

Preferred Qualifications

  • Experience with analyzing packets using Arkime 
  • Experience with Microsoft Windows event IDs 
  • Experience with Linux audit log analysis 
  • Familiarity with Git and VScode 
  • Strong written and verbal communications skills  
  • Self-starter with excellent judgment, capable of independent decision making
  • Fluency in a foreign language is desirable, but not required.

Working Conditions

  • Working conditions are normal for an office environment.
  • Fast paced, deadline-oriented environment.
  • May require periods of non-traditional working hours including consecutive nights or weekends (if applicable)

SOSi is an equal employment opportunity employer and affirmative action employer. All interested individuals will receive consideration and will not be discriminated against on the basis of race, color, religion, sex, national origin, disability, age, sexual orientation, gender identity, genetic information, or protected veteran status. SOSi takes affirmative action in support of its policy to advance diversity and inclusion of individuals who are minorities, women, protected veterans, and individuals with disabilities.


Sorry the Share function is not working properly at this moment. Please refresh the page and try again later.
Share on your newsfeed