Kyndryl Security Engineering Manager
At Kyndryl, we design, build, manage and modernize the mission-critical technology systems that the world depends on every day. So why work at Kyndryl? We are always moving forward – always pushing ourselves to go further in our efforts to build a more equitable, inclusive world for our employees, our customers and our communities.
Key Responsibilities
1. Leadership & Strategic Direction
- Lead and mentor a multi-disciplinary engineering team including SIEM Engineers, SOAR Developers, Automation Leads, Content Writers, and GenAI Developers.
- Define the strategic roadmap for SIEM/SOAR architecture and engineering in alignment with SOC transformation goals.
- Drive technical governance, ensuring consistent engineering standards, compliance, and documentation across platforms.
- Establish and track delivery KPIs, SLAs, and transformation milestones for all engineering workstreams.
- Represent the engineering function in client governance forums, audit reviews, and transformation workshops.
2. SIEM Architecture, Engineering & Operations
- Architect, design, and maintain a scalable SIEM ecosystem (Azure Sentinel / Splunk / QRadar / ArcSight / Exabeam / LogRhythm).
- Oversee data ingestion pipelines, custom parsers, correlation rules, and threat-detection logic aligned with MITRE ATT&CK and compliance mandates (ISO 27001, PCI-DSS, GDPR, SOC 2).
- Ensure continuous platform availability, performance, and scalability across multi-tenant and hybrid environments.
- Define standards for log normalization, enrichment, and retention policies to optimize performance and cost.
- Provide L3-level operational support and escalation handling for critical security engineering incidents.
- Collaborate with infrastructure and cloud teams to integrate SIEM with EDR, DLP, NDR, XDR, CASB, and IAM platforms.
3. SOAR & Automation Excellence
- Oversee the development and maintenance of SOAR playbooks and runbooks using Azure Logic Apps, Splunk SOAR, or Palo Alto Cortex XSOAR.
- Ensure playbooks are modular, version-controlled, and aligned with the incident response lifecycle (Detection → Containment → Eradication → Recovery).
- Collaborate with the Automation Lead to design hyper-automated workflows for alert triage, enrichment, ticketing, and response actions.
- Continuously reduce MTTR (Mean Time To Respond) through intelligent orchestration and auto-remediation workflows.
- Promote the use of KQL, Python, and PowerShell scripting for automation, enrichment, and custom data transformation.
4. AI & GenAI Integration
- Guide the GenAI Developer in embedding AI-driven agents into SOC workflows for predictive analytics, RCA generation, and threat summarization.
- Leverage Copilot, OpenAI APIs, and custom ML models to automate Tier-2 analysis and enhance analyst decision-making.
- Explore and implement AI-based behavioral analytics, anomaly detection, and LLM-driven knowledge assistants for Smart SOC operations.
- Ensure ethical AI use, data privacy, and traceability in all AI-enabled workflows.
5. Content Engineering & Use Case Development
- Oversee the Content Writer and Detection Engineers to create and maintain: correlation rules and detection logic; hunting queries and dashboards; playbooks and automation guides.
- Ensure all detections are mapped to ATT&CK, D3FEND, and NIST frameworks with proper RCA documentation and use case catalogs.
- Conduct periodic content reviews to refine noise levels, false positives, and detection efficacy.
6. Governance, Compliance & Risk Management
- Define and maintain the engineering governance framework ensuring audit readiness, version control, and change traceability.
- Collaborate with risk and compliance teams to demonstrate adherence to data handling, retention, and access policies.
- Support internal and external audits, security assessments, and compliance certifications.
- Ensure all engineering activities have proper approvals, rollback plans, and post-implementation validations (PIRs).
7. Transformation & Continuous Improvement
- Drive SOC modernization initiatives such as data lake integration, cloud-native ingestion, behavioral analytics, and unified telemetry.
- Foster a DevSecOps culture across the engineering team to enable continuous integration and deployment of new detections.
- Evaluate new OEM features, APIs, and security tools for operational benefit and integration feasibility.
- Partner with vendors and OEMs (Microsoft, Palo Alto, Splunk, IBM, etc.) for rapid incident resolution and roadmap alignment.
Required Technical Skills
- Core SIEM Expertise:
  - Azure Sentinel / Microsoft Defender XDR, Splunk ES, QRadar, or ArcSight platform design and tuning.
  - Data ingestion using Syslog, API connectors, Event Hubs, and Log Analytics.
  - Advanced KQL, SPL, or AQL scripting for custom rules and analytics.
  - Log normalization, schema mapping, and parser creation.
- SOAR & Automation:
  - Azure Logic Apps, Splunk SOAR, or XSOAR playbook design.
  - API integration with ITSM tools (ServiceNow, Remedy, Jira).
  - Knowledge of Python, PowerShell, or Logic App JSON for automation scripting.
- AI / GenAI:
  - Familiarity with OpenAI, Azure OpenAI, or AWS Bedrock APIs.
  - Exposure to AI-based SOC assistants, LLM prompt engineering, and predictive analytics pipelines.
- Security Integration:
  - Experience integrating SIEM/SOAR with EDR, XDR, DLP, NDR, IAM, and Cloud Security Posture Management (CSPM).
  - Network and endpoint telemetry integration for unified threat visibility.
- Cloud & Infrastructure:
  - Deep understanding of Azure, AWS, or GCP security architectures.
  - Familiarity with Kubernetes, containers, and API gateways for modern log ingestion.
Diversity is a whole lot more than what we look like or where we come from; it's how we think and who we are. We welcome people of all cultures, backgrounds, and experiences. But we're not doing it single-handedly: our Kyndryl Inclusion Networks are only one of many ways we create a workplace where all Kyndryls can find and provide support and advice. This dedication to welcoming everyone into our company means that Kyndryl gives you – and everyone next to you – the ability to bring your whole self to work, individually and collectively, and support the activation of our equitable culture. That's the Kyndryl Way.
With state-of-the-art resources and Fortune 100 clients, every day is an opportunity to innovate, build new capabilities, new relationships, new processes, and new value. Kyndryl cares about your well-being and prides itself on offering benefits that give you choice, reflect the diversity of our employees and support you and your family through the moments that matter – wherever you are in your life journey. Our employee learning programs give you access to the best learning in the industry to receive certifications, including Microsoft, Google, Amazon, Skillsoft, and many more. Through our company-wide volunteering and giving platform, you can donate, start fundraisers, volunteer, and search over 2 million non-profit organizations. At Kyndryl, we invest heavily in you, we want you to succeed so that together, we will all succeed.
If you know someone who works at Kyndryl, when asked 'How Did You Hear About Us' during the application process, select 'Employee Referral' and enter your contact's Kyndryl email address.