Incident Coordinator & Threat Hunting Engineer at Drees & Sommer SE
Drees & Sommer SE · Málaga, Spain · Remote
- Professional
Creating a future worth living for future generations gets us out of bed every morning. Depending on the project, we are consultants, implementers, or both for sustainable, innovative and economical solutions for real estate, industry, energy and infrastructure. Our more than 6,500 employees at 70 locations worldwide support our customers in interdisciplinary teams. Our thinking is both visionary and realistic. We work independently and as part of a team. With passion and the latest technologies. We unite. Join us at Dreso and let’s create a world we want to live in.
Job Description:
We are seeking a dedicated Incident Coordinator & Threat Hunting Engineer to join our team and help protect and continuously improve our organization’s security posture. In this role, you will monitor and defend our systems in real time, lead incident response and threat hunting efforts, and drive strategic security enhancements. You’ll play a critical part in safeguarding company data and services from cyber threats. This is an exciting opportunity for a mid-level professional who enjoys both hands-on security operations and contributing to long-term security strategy. If you thrive on solving complex security challenges – from rapidly responding to incidents to proactively hunting for hidden threats – and want to make a real impact on our security maturity, we’d love to hear from you.
Key Responsibilities:
Security Monitoring & Operations:
- Monitor Security Information and Event Management (SIEM) dashboards and alerts to identify and analyze potential threats in real time using Microsoft Sentinel (Log Analytics, KQL, Analytic Rules, Workbooks) and Microsoft 365 Defender (Defender XDR Incidents, Advanced Hunting). Include Microsoft Purview DLP alerts where applicable.
- Perform in-depth analysis of suspicious activities, anomalies, and malware indicators; triage security events and escalate incidents as appropriate with KQL, Microsoft 365 Defender Advanced Hunting, Entra ID (Azure AD) sign-in/audit logs, and Sentinel Investigation graphs.
- Conduct regular vulnerability assessments and support penetration testing efforts to uncover security weaknesses, working with IT teams to remediate findings via Microsoft Defender Vulnerability Management (MDVM) and Defender for Cloud recommendations; third-party tools may supplement as needed.
- Support patch management by tracking critical vulnerabilities and verifying that systems and applications are updated in a timely manner to reduce exposure using Intune/Windows Update for Business, Azure Update Manager, and Defender for Cloud VM/Container hardening guidance.
Incident Response:
- Investigate and contain cybersecurity incidents or breaches – coordinate actions such as evidence collection, digital forensic analysis (disk, memory, logs), and system recovery to minimize damage leveraging Microsoft Defender XDR (Defender for Endpoint/Office 365/Identity/Cloud Apps), Microsoft Sentinel, MDE Live Response, and Entra ID.
- Lead post-incident analysis to determine root causes and create incident reports with actionable recommendations to prevent recurrence.
- Develop and maintain incident response playbooks and procedures, ensuring they stay up-to-date with emerging threats and lessons learned from past events (e.g., Sentinel Playbooks with Logic Apps, Automation Rules, and MDE custom detections).
- Coordinate with IT infrastructure, development, and business teams during incident response to ensure effective communication and swift resolution of issues.
Threat Hunting & Digital Forensics:
- Proactively hunt for threats lurking in our networks and systems that may evade automated defenses, by analyzing security logs, network traffic, and endpoint data for signs of malicious activity across Microsoft Sentinel, Defender XDR, and Microsoft Purview audit logs.
- Develop hypotheses of potential attacker tactics (using frameworks like MITRE ATT&CK) and investigate those leads to uncover stealthy threats; create custom detection queries or scripts to support hunting operations (KQL in Sentinel and Advanced Hunting in Microsoft 365 Defender; create Sentinel Analytic Rules and custom detections).
- Perform deep-dive forensic analysis on digital evidence (such as malware samples, system images, memory dumps) to extract indicators of compromise and understand attack techniques using MDE investigation packages, Live Response file collection, and appropriate memory/disk tools; integrate IOCs into Sentinel and Defender.
- Continuously collaborate with the SOC team to integrate threat hunting findings into improved monitoring rules and to enhance overall incident detection capabilities by tuning Sentinel rules, Watchlists, UEBA, and Defender XDR alerts.
Security Architecture & Engineering:
- Collaborate with IT to design and implement security enhancements across our networks, cloud environments, and applications with emphasis on Azure, Microsoft 365, and hybrid via Azure Arc (e.g., Conditional Access, Entra ID PIM, network segmentation using NSGs/Azure Firewall, security baselines, Defender for Cloud hardening).
- Evaluate new security technologies and tools (for example, advanced threat detection platforms or forensic tools), providing input on their potential value and overseeing pilot implementations including Microsoft Security Copilot integrations and Defender for Cloud Just-in-Time access where appropriate.
Education & Experience:
- Bachelor’s degree in Computer Science, Information Security, or a related field.
- Approximately 3-5 years of hands-on experience in cybersecurity roles (e.g., SOC Analyst, Security Engineer, Incident Responder, Threat Hunter), or equivalent expertise.
Technical Skills:
- SIEM and Monitoring: Solid experience with Microsoft Sentinel (required) and log analysis – able to write KQL queries, interpret events, and spot anomalies across various log sources (Log Analytics, Entra ID, M365, Defender, Azure PaaS/IaaS). Experience with other SIEMs is a plus.
- Endpoint & Network Security: Strong knowledge of intrusion detection/prevention systems, endpoint protection/EDR solutions (Microsoft Defender for Endpoint; familiarity with Defender for Identity, Defender for Office 365, Defender for Cloud Apps), and firewall/network security technologies (Azure Firewall, NSGs, Azure WAF).
- Vulnerability Management: Experience conducting vulnerability assessments with Microsoft Defender Vulnerability Management (MDVM) and Defender for Cloud and supporting penetration testing; good understanding of network and application security fundamentals to interpret findings and recommend fixes (experience with Nessus/Qualys is a plus).
- Incident Response & Forensics: Proven incident response skills – familiar with digital forensics techniques (disk imaging, memory analysis) and malware analysis basics to investigate incidents. Able to follow incident management frameworks (e.g., NIST or SANS) and document findings clearly using Microsoft Sentinel cases, MDE Live Response, and Microsoft Purview eDiscovery/Audit where applicable.
- Threat Hunting: Ability to proactively hunt for threats using SIEM and EDR data with KQL and Microsoft 365 Defender Advanced Hunting, analyze large datasets to identify patterns or indicators of compromise, and knowledgeable about threat hunting methodologies (hypothesis-driven investigations, use of threat intelligence).
- Security Architecture Understanding: Good grasp of security architecture principles – capable of assessing system designs for weaknesses and suggesting practical improvements. Familiarity with security frameworks and best practices (such as MITRE ATT&CK, CIS Controls) and Microsoft guidance (Azure Well-Architected Framework – Security, Microsoft Cloud Security Benchmark, Microsoft Security Baselines).
Certifications:
- Certifications such as CISSP, GIAC (e.g., GCIH, GCFA, GCIA), CEH/OSCP, or other relevant credentials are a plus and will be considered favorably. These demonstrate a foundation of knowledge and a commitment to the field.
- Microsoft certifications are highly valued (e.g., SC-200 Security Operations Analyst, AZ-500 Azure Security Engineer, SC-100 Cybersecurity Architect, SC-300 Identity and Access Administrator).
Additional Information:
- A dynamic and collaborative environment where cybersecurity is a strategic priority
- A team that values creativity, initiative, and continuous improvement
- To ensure your work-life balance, we offer the option of mobile working
- We promote your professional and personal development through individual training and further education at the Drees & Sommer Academy
- We support your health with a bonus for sports enthusiasts, and we offer the possibility of subscribing to a private health insurance policy
- Employees benefit from tax advantages related to their commuting expenses to the office
- Tax advantages on employees’ meal expenses during working hours
- Employee referral program with an attractive bonus scheme
- Support for career and family through tax benefits for kindergarten expenses