SOC / Track

Detection Engineer

Turn attacker behaviour into high-signal, low-noise detections.

Detection Engineers sit between threat intel and the SOC. You translate attacker TTPs into Sigma / KQL / SPL rules, validate them with purple-team exercises, and own the false-positive rate so analysts trust what the alert queue says.

Tools in scope

Sigma, Sentinel, Splunk ES, Atomic Red Team, Caldera

How different employers interview

FAANG / large tech

Live exercise: write a rule for a TTP, defend why it's not noisy.

MDR vendor

Multi-tenant tradeoffs and cross-client rule packaging come up a lot.

// Sample question

Walk me through how you'd design and validate a detection for OAuth illicit consent grants in M365.

Strong-answer outline

Start from the TTP: consent phishing, where the attacker gets a user to grant a malicious OAuth app delegated permissions (initial access via phishing; ATT&CK covers the resulting token theft under T1528, Steal Application Access Token). Identify the telemetry: the Entra ID (Azure AD) AuditLogs event with OperationName "Consent to application", whose modified properties carry the admin-consent flag and the granted scopes. Enumerate the high-risk signals: user (non-admin) consent, a newly registered app, broad or durable scopes (mail, files, offline_access), and an external or unverified publisher. Note that app age and publisher verification are not in the consent event itself; they come from the service principal / application inventory, so the rule needs that join. Author a Sigma / KQL rule, baseline its fire rate over 30 days of production data, tune the threshold or allow-list known business apps, validate with Atomic Red Team where an atomic exists or by consenting to a test app in a lab tenant, then package it with an analyst-facing runbook covering triage (how to tell a legitimate grant from a malicious one) and revocation (remove the app's OAuth2 permission grants, disable the service principal, revoke the user's sessions).
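The scoring logic behind that outline, as an added example that is not part of the original page or any vendor's rule set. It runs a consent-grant detection over constructed Entra ID AuditLogs-style records: the record shape loosely follows the real "Consent to application" event (ConsentContext.IsAdminConsent and ConsentAction.Permissions in modifiedProperties), but the exact field layout, the high-risk scope list, the weights, the alert threshold and the app-inventory enrichment are all assumptions made for illustration.

```python
"""Added example, not the page's or any vendor's code: detection logic for
suspicious OAuth consent grants, run over constructed Entra ID AuditLogs-style
records. The record shape follows the real 'Consent to application' event only
loosely; field names, scope list, weights and threshold are assumptions."""
import re
from datetime import datetime, timedelta, timezone

# Assumed high-risk delegated scopes: broad or durable access to user data.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read", "offline_access",
}
# Tuning knobs (assumed values): signal weights, alert threshold, "new app" window.
WEIGHTS = {"user_consent": 1, "high_risk_scope": 2, "unverified_publisher": 2, "new_app": 2}
THRESHOLD = 4
NEW_APP_WINDOW = timedelta(days=7)


def _consent_event(ts, upn, app_id, app_name, is_admin, scopes,
                   result="success", op="Consent to application"):
    """Build one constructed AuditLogs-style record (simplified schema)."""
    perms = f"[[ClientId: {app_id}, ConsentType: Principal, Scope: {' '.join(scopes)}]]"
    return {
        "TimeGenerated": ts, "OperationName": op, "Result": result,
        "InitiatedBy": {"user": {"userPrincipalName": upn}},
        "TargetResources": [{"id": app_id, "displayName": app_name, "modifiedProperties": [
            {"displayName": "ConsentContext.IsAdminConsent", "newValue": str(is_admin)},
            {"displayName": "ConsentAction.Permissions", "newValue": perms},
        ]}],
    }


# Constructed sample events (not real tenant data).
SAMPLE_EVENTS = [
    _consent_event("2024-05-02T09:14:00Z", "alice@contoso.example", "app-1",
                   "Contoso Mail Helper", False, ["Mail.ReadWrite", "offline_access", "User.Read"]),
    _consent_event("2024-05-02T10:02:00Z", "admin@contoso.example", "app-2",
                   "Meeting Scheduler", True, ["Calendars.Read", "User.Read"]),
    _consent_event("2024-05-02T11:30:00Z", "bob@contoso.example", "app-3",
                   "Team Notes", False, ["offline_access", "User.Read"]),
    _consent_event("2024-05-02T12:00:00Z", "carol@contoso.example", "app-4",
                   "Contoso Mail Helper", False, ["Mail.ReadWrite"], op="Add service principal"),
]
# Constructed enrichment: publisher verification and registration date live in the
# service principal / application inventory, not in the consent audit event.
APP_INVENTORY = {
    "app-1": {"verified_publisher": False, "created": "2024-04-30T08:00:00Z"},
    "app-2": {"verified_publisher": True, "created": "2022-01-15T00:00:00Z"},
    "app-3": {"verified_publisher": True, "created": "2023-06-01T00:00:00Z"},
}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_consent(event):
    """Extract app, consenting user, admin flag and granted scopes from a record."""
    target = event["TargetResources"][0]
    props = {p["displayName"]: p["newValue"] for p in target["modifiedProperties"]}
    m = re.search(r"Scope:\s*([^,\]]+)", props.get("ConsentAction.Permissions", ""))
    scopes = set(m.group(1).split()) if m else set()
    return {
        "app_id": target["id"], "app_name": target["displayName"],
        "user": event["InitiatedBy"]["user"]["userPrincipalName"],
        "is_admin": props.get("ConsentContext.IsAdminConsent", "False").lower() == "true",
        "scopes": scopes, "time": _ts(event["TimeGenerated"]),
    }


def score_consent(c, inventory):
    """Return (score, reasons) for one parsed consent grant."""
    reasons = []
    if not c["is_admin"]:
        reasons.append("user_consent")
    if c["scopes"] & HIGH_RISK_SCOPES:
        reasons.append("high_risk_scope")
    app = inventory.get(c["app_id"])
    # Unknown app: fail closed and treat it as unverified and newly created.
    if app is None or not app["verified_publisher"]:
        reasons.append("unverified_publisher")
    if app is None or c["time"] - _ts(app["created"]) <= NEW_APP_WINDOW:
        reasons.append("new_app")
    return sum(WEIGHTS[r] for r in reasons), reasons


def evaluate(events, inventory, threshold=THRESHOLD):
    """Run the rule; returns alerts plus the evaluated count for a fire-rate baseline."""
    evaluated, alerts = 0, []
    for ev in events:
        if ev["OperationName"] != "Consent to application" or ev["Result"] != "success":
            continue
        evaluated += 1
        c = parse_consent(ev)
        score, reasons = score_consent(c, inventory)
        if score >= threshold:
            alerts.append({"app": c["app_name"], "user": c["user"], "score": score,
                           "reasons": reasons, "scopes": sorted(c["scopes"])})
    return {"evaluated": evaluated, "alerts": alerts}


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, APP_INVENTORY)["alerts"]:
        print(alert)
```

The third sample (a user consenting to a verified app with offline_access) scores 3 and stays below the threshold: that is the false-positive trade-off the interviewer is probing for, and the 30-day baseline is what tells you whether the threshold and scope list are set right for your tenant. In KQL the same logic is a join between AuditLogs and the app inventory with a summarize over the weighted signals.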

Reading list

Run a full Detection Engineer mock interview

AI-graded, role-specific, feedback on every answer. Free to start.

Start practicing

Other tracks