Stefanini • Raritan, New Jersey, United States
Role & seniority: Security Automation Engineer (mid–senior level); hands-on owner of end-to-end automation for security telemetry and policy updates.
Stack/tools: CrowdStrike Falcon Device Control; Microsoft Sentinel; Active Directory / Azure Entra ID; Windows Event Logs (4728/4729/6416/4663); AWS S3; KQL; Python and/or PowerShell; REST/OAuth2 APIs; CI/CD tooling; Logic Apps/Functions; Key Vault/Secrets Manager.
Build and harden the data pipeline from Falcon Device Control events to Sentinel, including AD/Entra ID group changes and S3 lifecycle and schema normalization.
Develop correlation/detection logic with KQL to align group changes with device-control policy posture, including suppression and dedupe to reduce noise.
Implement idempotent automation (scripts/flows) that call CrowdStrike APIs to adjust host policy based on Sentinel signals; ensure robust error handling, auditing, and CI/CD packaging.
5+ years in security engineering/automation with SIEM (Microsoft Sentinel) and endpoint security integrations
Proficiency in KQL, Python and/or PowerShell; REST/OAuth2 API integration
Hands-on with CrowdStrike Falcon (Device Control), FDR pipelines, and API-driven policy management
Understanding of Windows Security Event Logs (4728/4729/6416/4663) and correlation with telemetry
Cloud data engineering basics (AWS S3 lifecycle, secure ingestion) and Azure identity fundamentals
Job Description
Stefanini Group is looking for a Security Automation Engineer for a globally recognized company! For interested applicants, click the apply button or you may reach out to Micah Andres at (248) 386-7399 / Micah.Andres@Stefanini.com for faster processing. Thank you!
Role Summary
A Security Automation Engineer to build and operationalize the automation that correlates CrowdStrike Falcon Device Control telemetry with Active Directory/Azure Entra ID group changes in Microsoft Sentinel, and then programmatically updates CrowdStrike device control policy group membership via API. The engineer will own the scripting, testing, and configuration work, carried out with our client, required to implement the end-to-end flow defined in our design.
Key Responsibilities
Build the event pipeline & data model
Stand up and harden the FDR to S3 delivery for Falcon Device Control events (e.g., DcRemovableStorageDeviceConnected, DcUsbDevicePolicyViolation, DcUsbDeviceWhitelisted), ensuring schema normalization and lifecycle management in S3. Configure Microsoft Sentinel ingestion for FDR data and AD/Entra ID user/group events; develop KQL parsers, tables, and data normalizations to support correlation.
Correlation & detection logic
Author KQL analytics/rules that join Windows Event IDs 4728/4729/6416/4663 with CrowdStrike Device Control events to identify when a user's group status should change host USB policy posture. Implement suppression/thresholding to reduce flapping and false positives (e.g., batch group changes, burst-aware dedupe).
Automation & integration
Build idempotent automation (PowerShell, Python, Logic Apps, Functions, or similar) that calls CrowdStrike APIs to move hosts into/out of the Device Control allow group based on Sentinel signals. Include robust error handling, retries, and audit logging. Package automation as CI/CD artifacts (IaC where appropriate), with secure secrets handling (Key Vault/Secrets Manager).
Testing & validation
Develop unit tests for parsers and functions, integration tests for end-to-end flows (synthetic Windows events + synthetic FDR samples), and UAT runbooks for security operations. Create simulation data (sanitized/synthetic) to validate rules for Event IDs 4728, 4729, 6416, 4663 and representative FDR Device Control events prior to production cutover.
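The three steps above (correlate group changes with Device Control telemetry, act idempotently with burst-aware dedupe, validate on synthetic events) can be shown end to end in a small script. The following is an added illustration written for this page; it is not Stefanini's or the client's design code. Every field name, the group name USB-Allowed, and the host/user names are constructed assumptions rather than the real FDR or Sentinel schema, and no CrowdStrike API is called: the output is the plan of host additions/removals that a policy-update step would consume.

```python
"""Correlate Windows 4728/4729 group-membership events with Falcon Device
Control events and produce an idempotent plan of allow-group host changes.

Added example for illustration. All field names, the group name and the
host/user names are constructed assumptions, not the FDR or Sentinel schema.
No CrowdStrike API is called here: the returned plan is what a policy-update
step would hand to the API, and re-running the plan is a no-op.
"""
from collections import defaultdict

ALLOW_GROUP = "USB-Allowed"  # assumed AD group whose members may use USB storage

# Constructed sample of Windows Security events. In 4728/4729 the group is the
# target and the member is the account being added/removed; the field names
# below are an assumption for this example.
WINDOWS_EVENTS = [
    {"EventID": 4728, "TargetUserName": "USB-Allowed", "MemberName": "alice", "TimeCreated": "2024-05-01T09:00:00"},
    {"EventID": 4729, "TargetUserName": "USB-Allowed", "MemberName": "alice", "TimeCreated": "2024-05-01T09:00:05"},  # flap
    {"EventID": 4728, "TargetUserName": "USB-Allowed", "MemberName": "alice", "TimeCreated": "2024-05-01T09:00:09"},  # flap
    {"EventID": 4729, "TargetUserName": "USB-Allowed", "MemberName": "bob",   "TimeCreated": "2024-05-01T09:30:00"},
    {"EventID": 4728, "TargetUserName": "Other-Group", "MemberName": "carol", "TimeCreated": "2024-05-01T09:40:00"},
]

# Constructed sample of Falcon Device Control events (event names as listed in
# the job description; ComputerName/UserName/timestamp fields are assumptions).
DC_EVENTS = [
    {"event_simpleName": "DcUsbDevicePolicyViolation",        "ComputerName": "HOST01", "UserName": "alice", "timestamp": "2024-05-01T08:50:00"},
    {"event_simpleName": "DcRemovableStorageDeviceConnected", "ComputerName": "HOST02", "UserName": "bob",   "timestamp": "2024-05-01T08:55:00"},
    {"event_simpleName": "DcUsbDeviceWhitelisted",            "ComputerName": "HOST03", "UserName": "carol", "timestamp": "2024-05-01T09:10:00"},
]


def resolve_group_state(events, group):
    """Collapse a burst of add/remove events per user into one final state.

    Returns ({user: is_member}, suppressed_count). Only the newest event per
    user decides, so alice's add/remove/add flap yields a single "member"
    decision instead of three policy actions. Events for other groups are ignored.
    """
    per_user = defaultdict(list)
    for ev in events:
        if ev["EventID"] in (4728, 4729) and ev["TargetUserName"] == group:
            per_user[ev["MemberName"]].append(ev)
    state, suppressed = {}, 0
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["TimeCreated"])  # ISO-8601 strings sort chronologically
        state[user] = evs[-1]["EventID"] == 4728
        suppressed += len(evs) - 1
    return state, suppressed


def hosts_by_user(dc_events, since):
    """Map each user to the hosts where Device Control telemetry saw them since `since`."""
    seen = defaultdict(set)
    for ev in dc_events:
        if ev["event_simpleName"].startswith("Dc") and ev["timestamp"] >= since:
            seen[ev["UserName"]].add(ev["ComputerName"])
    return seen


def plan_policy_changes(group_state, host_map, current_allow_hosts):
    """Idempotent diff between desired and current allow-group membership.

    Hosts of users who are now members are wanted; hosts of users who were
    removed are revoked. Only hosts whose membership actually differs produce
    an action, and a host shared with a still-member user is never removed.
    Hosts untouched by any group change (HOST03 here) are left alone.
    """
    wanted, revoked = set(), set()
    for user, is_member in group_state.items():
        (wanted if is_member else revoked).update(host_map.get(user, set()))
    to_add = sorted(wanted - current_allow_hosts)
    to_remove = sorted((revoked & current_allow_hosts) - wanted)
    return to_add, to_remove


def apply_plan(current_allow_hosts, plan):
    """Simulate the policy update so the plan can be checked for idempotence."""
    to_add, to_remove = plan
    return (current_allow_hosts | set(to_add)) - set(to_remove)


def run_example():
    """Run the flow twice; the second pass must produce no actions."""
    state, _ = resolve_group_state(WINDOWS_EVENTS, ALLOW_GROUP)
    hosts = hosts_by_user(DC_EVENTS, since="2024-05-01T08:00:00")
    current = {"HOST02", "HOST03"}  # constructed current allow-group membership
    first = plan_policy_changes(state, hosts, current)
    second = plan_policy_changes(state, hosts, apply_plan(current, first))
    return first, second


if __name__ == "__main__":
    first, second = run_example()
    print("first pass :", first)   # (['HOST01'], ['HOST02'])
    print("second pass:", second)  # ([], [])
```

The design point is that the automation computes a desired state and diffs it against the current allow group, rather than emitting one API action per event: alice's three-event flap becomes one decision, HOST03 is never touched because no group change concerned its user, and a host that a still-entitled user shares with a revoked user is not removed. Feeding the synthetic events through the same functions the production flow uses is the kind of pre-cutover validation the testing step calls for.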
Operations & documentation
Build dashboards in Sentinel that show pipeline health, rule efficacy, and host policy transitions.
Document the full runbook: deployment, rollback, break-glass steps, and change control. Train L2/L3 SOC and Help Desk on troubleshooting and manual override procedures.
Minimum Qualifications
5+ years in security engineering/automation with SIEM (Microsoft Sentinel) and endpoint security integrations. Proficiency in KQL, Python and/or PowerShell, and REST/OAuth2 API integration. Hands-on experience with CrowdStrike Falcon (preferably Device Control), FDR pipelines, and API-driven policy management. Solid understanding of Windows Security Event Log semantics, especially 4728/4729 (group membership changes), 6416 (new device recognized), and 4663 (file access), and how to correlate them with endpoint telemetry.
Cloud data engineering basics: AWS S3 object lifecycle, schema evolution, and secured ingestion; Azure identity fundamentals.
Preferred Qualifications
Experience building SOAR playbooks (e.g., Sentinel Automation Rules/Logic Apps) and CI/CD pipelines for security automations. Prior implementation of device control/DLP workflows and handling USB policy exceptions at scale. Exposure to regulated environments (e.g., healthcare/life sciences) and change-controlled releases. Familiarity with Entra ID (formerly Azure AD) group modeling and hybrid AD sync nuances.