Microsoft Sentinel Content Developer
Hyderabad, Telangana, India
1 month ago
Job Description
Job Title: Microsoft Sentinel Content Developer
Location: Bengaluru, Chennai, Pune, Hyderabad or Coimbatore
Experience Level: 4-12 years
Employment Type: Contract
Job Type: Hybrid

Role Overview:
We are looking for a skilled and proactive Microsoft Sentinel Content Developer to support our SIEM transformation initiatives (migration of detection content from Splunk to Microsoft Sentinel). The ideal candidate will have hands-on experience in log parsing, normalization, and detection rule development, with a strong understanding of both Splunk and Microsoft Sentinel environments. The role involves working closely with Datadog observability pipelines and Microsoft Sentinel to ensure reliable log ingestion and complete detection coverage.

Key Responsibilities:

Log Parsing & Normalization:
- Parse and normalize logs at the Datadog observability pipeline level, before they reach the SIEM.
- Create and manage Data Collection Rules (DCRs) for Microsoft Sentinel, including custom parsing and transformation logic.
- Map ingested logs to the Microsoft Sentinel Advanced Security Information Model (ASIM) normalized schemas where applicable.
- Ensure high-quality, structured data ingestion so that detections and investigations operate on consistent fields.

Detection Rule Migration:
- Analyze and understand existing Splunk detection rules written in SPL.
- Translate and migrate the detection logic into Microsoft Sentinel analytics rules written in KQL.
- Optimize rules for performance, accuracy, and minimal false positives.

Content Development:
- Develop and maintain custom analytics rules, hunting queries, and workbooks in Sentinel.
- Collaborate with threat detection teams to build use cases aligned with MITRE ATT&CK and other frameworks.

Collaboration & Documentation:
- Work closely with SOC, engineering, and cloud teams to understand log sources and detection requirements.
- Document parsing logic, rule mappings, and enrichment strategies for operational transparency.

Required Skills:
- Strong experience with Microsoft Sentinel, KQL, and Data Collection Rules (DCRs).
- Hands-on experience with Splunk SPL and detection rule development.
- Familiarity with Datadog log formats and observability pipelines.
- Understanding of the ASIM schemas, Microsoft Defender XDR, and Sentinel data connectors.
- Experience with log enrichment, GeoIP lookups, and custom field mapping.
- Ability to work independently and take ownership of content development tasks.

Preferred Qualifications:
- Microsoft certifications (e.g., SC-200, AZ-500).
- Knowledge of threat detection frameworks (MITRE ATT&CK, CIS, etc.).
- Familiarity with CI/CD pipelines for Sentinel content deployment.
Additional Information
- Company Name: People Prime Worldwide
- Industry: N/A
- Department: N/A
- Role Category: Data Analyst
- Job Role: Mid-Senior level
- Education: No Restriction
- Job Types: Remote
- Gender: No Restriction
- Notice Period: Less Than 30 Days
- Years of Experience: 1 - Any Yrs
- Job Posted On: 1 month ago
- Application Ends: N/A