l3 edr sme

Role Description
Role Proficiency:

Provide support to a specific SIEM or EDR technology for global customers; to ensure and maintain the platform is functioning as expected. Independently monitor and proactively take ownership for resolution of issues and work matters.

Outcomes

• Monitor investigate and provide meaningful resolution of tickets and issues across multiple customers for the specified SIEM or EDR type. Escalate issues observed accordingly to a team member if appropriate to ensure optimal performance of the supported platform
• Assist with service requests for platform types such as access requests as well as more targeted requests for specific modules on platform such as dashboard creation and query support. Investigate larger issues to ensure optimal service for internal and external stakeholders.
• Provide assistance with maintenance activities to help with improving understanding of architecture of supported platforms; as well as self-study to building proficiency for supported toolsets
• Proactively develop and maintain documentation and knowledge articles for the broader team related to customer support
• Generate relevant reporting as required for platforms supported on a regular basis; ensuing internal and external reporting requirements are met.
• Ensure in-life requests are being actioned in a timely manner for self as well as junior roles to ensure effective maintenance and management of the customer platform.
• With minimal supervision provide support where required to other platform engineers by taking ownership of issues and ensuring requests are rectified focusing on the impact to the customer
• Provide supervision and guidance to junior members of the team.

Measures Of Outcomes

• Percent of Adherence to processes and methodologiesa.Percent of adherence to SLAs for in-life ticketing processesb.Percent of adherence to workflows and completeness of audit trails for activities undertaken.
• Productivity score maintaineda.Number of issues identified early in the event of issues with delivering tasks or workload.b.Number of issues with effective evidence provided for escalations during triage.
• Number of opportunities to enhance change documentation to ensure processes remain relevant for the broader team.
• Number: of relevant skill related training and development activities undertaken; evidenced by certification.
• Number of opportunities to and improve helping to reduce false positives

Outputs Expected
Technical Expertise:

• Demonstrate comprehension and experience in the specific SIEM or EDR platform that Engineer is working on.
• Comfortable with and awareness of the customers being supported; capable of providing support towards high level customer QBR (Quarterly Business Review) preparation.
• Use technology to identify with the ability to implement technical solutions to issues with queries/rules/dashboards/data feeds
• Provide input to customer requirements or issues i.e. Ability to have understanding to translate a customer requirement into a technical solution of how that could be achieved in the respective platform.
• Provide support to Junior members.

Platform Management – Incidents And Requests

• Provide accurate updates to appropriate Service and Change Requests; ensuring audit trails are preserved and SLAs are achieved.
• Take the lead to identify issues with the specified platform type or its supporting infrastructure.
• Proactive identification of issues with behavioural analysis/patterns identified with suggestions for resolutions.
• Provide support to Junior members.

Stakeholder Focus

• Ensure relevant reporting metrics of customer information provided in a timely manner; and engaging customer/TAM/Project team where required.
• Ensure customer specific processes are being followed.
• Undertake mandatory and proactive learning and development opportunities.

Skill Examples

• Good communication skills
• Skill in being prepared to undertake background check/validation to ensure integrity.
• Ability to work unsupervised with the assigned SIEM or EDR technologies and their supporting infrastructure
• Ability to work from CLI.
• Ability to work with multiple querying languages
• Aptitude in working with querying data and the role of a SIEM/EDR
• Ability to show analytical skills working across multiple technologies and customers.

Knowledge Examples
Knowledge Examples

• Experience working with Security Operations and/or EDR/SIEM Platform Management role.
• A deep understanding of the workings of supported toolsets and technologies.
• Knowledge of IT Infrastructure and basic networking concepts
• Knowledge of MITRE ATT&CK framework and how it can be applied to use cases.
• Knowledge of creation of detection rules as well as improving and enhancing SIEM/EDR
• Knowledge of Big Data and Data manipulation.
• Desirable: Certifications in IT infrastructure / SIEM / EDR / Ethical Hacking
• Desirable: Academic qualifications and/or relevant work experience in lieu of qualification.

Additional Comments
Role Overview: We are looking for a highly skilled and motivated L3 EDR Subject Matter Expert (SME) to join our Managed EDR (MEDR) team. The SME will play a key role in managing, optimizing, and evolving enterprise-grade EDR/XDR platforms across multiple client environments. This role demands strong technical expertise, analytical thinking, and a proactive approach to improving platform performance, automation, and service delivery.

Key Responsibilities
Platform Administration & Optimization

• Own the administration, configuration, and tuning of EDR/XDR platforms (e.g., Microsoft Defender, Cybereason, SentinelOne, CrowdStrike,).
• Maintain and optimize policies, exclusions, and performance baselines.
• Conduct regular platform health checks, upgrades, and patch validations.
• Manage multi-tenant or multi-client environments within SaaS/Hybrid EDR deployments. Incident Support & Advanced Troubleshooting
• Serve as the highest escalation point (L3) for complex platform or endpoint issues.
• Collaborate with SOC teams during critical incidents for technical deep-dive analysis.
• Perform root cause analysis and provide platform-level remediations. Automation & Operational Excellence
• Develop scripts or playbooks (PowerShell, Python, API integrations) to automate repetitive administrative tasks.
• Identify areas for process improvement to enhance speed, efficiency, and reliability of the MEDR service. Service Delivery & Client Support
• Work closely with client security teams and product owners for change management, onboarding, and continuous improvement.
• Create and maintain detailed operational documentation, SOPs, and configuration baselines.
• Provide technical inputs during service reviews and roadmap discussions. Security Engineering & Continuous Improvement
• Contribute to EDR policy enhancements, integration with SIEM/SOAR tools, and telemetry enrichment.
• Research and test new EDR features, threat detection techniques, and best practices.
• Mentor L1/L2 analysts and guide them on advanced EDR operations.

Required Skills & Qualifications

• Strong hands-on experience with Cybereason, Microsoft Defender for Endpoint, SentinelOne, CrowdStrike, or Cortex XDR (at least two mandatory).
• Deep understanding of endpoint security architecture, EDR telemetry, and threat hunting workflows.
• Experience in policy fine-tuning, device group management, automation (PowerShell, Python), and API-based integrations.
• Knowledge of Windows, macOS, and Linux endpoint internals and troubleshooting.
• Familiarity with MITRE ATT&CK, incident lifecycle, and EDR-SIEM integrations.
• Excellent documentation, communication, and cross-functional collaboration skills.
• Strong analytical and problem-solving skills.
• Ownership mindset with ability to operate independently.
• Mentorship and knowledge-sharing orientation.
• Continuous learner attitude towards emerging EDR and XDR technologies.

Skills
SentinelOne, EDR, Crowdstrike, Cybereason