Mission
Strengthen Sporty’s detection and response capability by tuning EDR, SIEM, and security monitoring platforms so they produce high-quality alerts, reduce noise, and give security teams clear signals on real threats.
The Purple Operations Engineer owns the quality, coverage, and reliability of security detections across endpoint, identity, cloud, network, and application telemetry. This role works closely with Threat Intelligence, Red Team, Purple Team, SOC, Detection Engineering, and Incident Response to convert threats, incidents, and attack simulations into tuned alerts, correlation rules, dashboards, playbooks, and control checks.
What you'll be doing
- Tune EDR, SIEM, and XDR detections to reduce false positives and improve alert quality.
- Build and maintain detection rules, correlation searches, dashboards, watchlists, and response workflows.
- Translate Red Team, Purple Team, incident, and Threat Intelligence findings into repeatable defensive checks.
- Validate that EDR policies, prevention rules, logging, sensor health, and response actions work as expected.
- Review noisy alerts and tune thresholds, exclusions, lookups, entity context, and suppression logic.
- Support SOC analysts with clear alert descriptions, triage steps, severity logic, and escalation guidance.
- Improve log coverage, parsing, field normalization, enrichment, and data quality.
- Map detections to MITRE ATT&CK where useful. ATT&CK is widely used to describe adversary tactics and techniques based on real-world observations.
- Write portable detection content using formats such as Sigma, which is designed as a generic signature format for SIEM detections.
- Track detection gaps, false positive trends, alert health, and platform performance.
What you'll bring
- Experience tuning EDR, SIEM, XDR, or SOC monitoring platforms.
- Strong understanding of endpoint, identity, cloud, network, and web attack behaviors.
- Practical experience writing detection logic in KQL, SPL, EQL, Lucene, Sigma, YARA, or similar.
- Familiarity with MITRE ATT&CK mapping and detection coverage analysis.
- Ability to turn Red Team, Purple Team, and incident findings into clear detection logic.
- Experience reducing false positives through rule tuning, exceptions, automation, and better entity context. Microsoft Sentinel supports this through automation rules and analytics rule changes.
- Strong scripting ability in Python, PowerShell, Bash, or similar.
- Good understanding of SOC workflows, incident triage, escalation, and response playbooks.
- Strong documentation skills.
Technology Expertise
Any of the following: Microsoft Defender XDR, CrowdStrike Falcon, SentinelOne, Microsoft Sentinel, Splunk Enterprise Security, Elastic Security, Google SecOps, Sigma, YARA, KQL, SPL, EQL, Lucene, Python, PowerShell, Bash, MITRE ATT&CK, Atomic Red Team, Caldera, Vectr, TheHive, Jira, Confluence, GitHub, GitLab, osquery, Sysmon, Zeek, Suricata, AWS CloudTrail, GuardDuty, Azure, Entra ID, Google Workspace, Okta, Cloudflare, Kubernetes logs.
What’s in it for you
- Sporty is a remote-first company in pursuit of sustainability
- A competitive salary + individual performance-based bonuses every quarter
- 28 days paid annual leave
- Our core working hours are 10am-3pm in your local time zone with flexibility outside of this
- Referral bonuses & flash bonuses
- Top of the line equipment
- Annual company retreats to provide great internal networking opportunities
Interview Process
- Remote video screening with our Talent Acquisition Team
- Online assessment via Hackerrank
- Remote video interview with Team Members (60 Mins)
- Final discussion with the hiring manager (60 mins)
If you're interested, we encourage you to apply! Every application is reviewed by a member of our team (AI is not used in our recruitment process), and we aim to respond within 48 hours.
hackajob is partnering with Sporty Group to fill this position.