Published 21 hours ago
Mission of the role
SIEM Engineer – Senior – EY GDS Spain – Hybrid
As a Senior SIEM Engineer, you are part of the EY Cyber Security team, working in a Threat Detection & Response (TDR) environment with a strong focus on Microsoft Sentinel and XDR. You design, integrate, and operate SIEM use cases and automations and support clients in securely operating modern cloud-native security platforms. Knowledge of Splunk or open-source SIEM ecosystems (e.g., Elastic/ELK, Wazuh) is considered a strong advantage.
Your Key Responsibilities
- Integrate data sources into Microsoft Sentinel (cloud, identity, endpoint, network, and on-prem) and ensure data quality and normalization.
- Design, implement, and operate analytics rules, SIEM use cases, and hunting queries (KQL; SPL experience is a plus).
- Develop and maintain playbooks and automations using Azure Logic Apps to enrich, orchestrate, and standardize response workflows.
- Act as a technical subject matter expert for SIEM and Microsoft Sentinel/XDR solutions and provide hands‑on guidance to stakeholders.
Optimize SOC Operations
- Continuously optimize detection, response, and automation capabilities (tuning, false‑positive reduction, performance, and maintainability).
- Contribute to engineering best practices such as documentation, repeatable deployments, and (where applicable) detection/content as code.
Skills and Attributes for Success
- Strong knowledge of cloud security concepts, SIEM architectures, and the MITRE ATT&CK framework.
- Hands‑on engineering mindset with solid troubleshooting, analytical thinking, and attention to detail.
- Pragmatic communicator who can translate complex technical topics into actionable recommendations for different audiences.
- Ownership and quality focus: audit‑ready documentation, structured delivery, and continuous improvement.
To Qualify for the Role
- 2 to 4+ years of experience in SIEM engineering (design, onboarding, use case development, tuning, and operations), ideally with Microsoft Sentinel.
- Hands‑on experience with Azure, Windows/Linux, and scripting (e.g., Python, PowerShell, Bash) as well as automation concepts.
- Experience building or operating SOAR‑style automations (e.g., Logic Apps / playbooks) in a security operations context.
- English at least B2 (written and spoken) is required.
Ideally you'd also have
- Splunk experience (SPL, data onboarding, correlations, dashboards) and/or open-source SIEM experience (e.g., Elastic/ELK, Wazuh).
- Experience working in regulated environments and familiarity with operational processes (ITSM, incident workflow alignment).
- Relevant certifications (e.g., SC-200, AZ‑500, or comparable cloud/security certifications) are a plus.