Analyst - Security Operations
Indexed description
About Us
Core42, a leader in AI-powered cloud and digital infrastructure, is driving transformative technology solutions globally. Leveraging advanced resources and partnerships, Core42 empowers clients to harness sovereign AI infrastructure, especially in sectors with stringent regulatory needs. With a mission to redefine digital transformation, we combine sovereign capabilities with scalable, high-performance compute infrastructure, positioning itself at the forefront of AI innovation in the Middle East and beyond.
The opportunity
Analyst – Security Operations, Core42 – Abu Dhabi, UAE. We are looking for a senior (L3) Incident Analyst to anchor the technical depth of our 24×7 Security Operations Center. This role detects, triages, investigates and responds to security incidents across our private-cloud platform and the enterprise services it supports. The successful candidate is a hands-on practitioner who can own an incident end to end — from the first alert in Splunk through containment, eradication and recovery — while also raising the quality of our detections and acting as a senior escalation point and mentor for less-experienced analysts. The environment is a private cloud built on OpenStack and Red Hat OpenShift, instrumented with Splunk (SIEM), Cribl (data pipeline), Elastic Security (EDR) and Corelight (NDR); comfort working across virtualized and containerized infrastructure log sources is expected.
Your key responsibilities
Security Monitoring, Triage & Detection
- Monitor security alerts and events in Splunk to identify threats, anomalies and malicious activity across the private-cloud platform and enterprise services
- Perform triage and investigation of security events, acting as the senior technical decision point on whether an alert represents a genuine incident
- Serve as the L3 escalation point for L1/L2 analysts, providing investigative guidance and validating findings before escalation
- Investigate EDR and NDR alerts involving malware, suspicious scripts, credential theft, lateral movement, persistence, ransomware and endpoint or network compromise
Incident Response (full lifecycle)
- Own security incidents end to end across the full response lifecycle: identification, containment, eradication, recovery and post-incident review
- Execute containment and remediation actions in coordination with platform, infrastructure, network and application teams
- Lead the response on assigned incidents and coordinate cross-team activity to ensure timely investigation, escalation and resolution
- Develop and maintain incident response playbooks and standard operating procedures (SOPs), and drive their improvement after each major incident
SIEM, Detection Engineering & Log Pipeline
- Create, tune and optimize Splunk correlation searches, alerts, dashboards and reports to improve detection quality and coverage
- Write and maintain efficient SPL queries supporting investigation, hunting, reporting and detection engineering
- Reduce alert fatigue by tuning noisy detections, lowering false positives and strengthening correlation logic, weighing false-positive cost against miss cost when making tuning decisions
- Support onboarding of new log sources and validate log quality, parsing, field extraction and normalization
- Manage and maintain Cribl Stream/Edge pipelines for log routing, filtering, enrichment and normalization, optimizing data flow and Splunk license consumption
Threat Hunting & Intelligence
- Conduct hypothesis-driven threat hunts to uncover advanced persistent threats (APTs) and techniques that evade existing detections
- Map detection coverage to MITRE ATT&CK, identify and report gaps, and convert successful hunts into durable detections
- Apply threat intelligence and frameworks (MITRE ATT&CK, Cyber Kill Chain, Diamond Model) to enrich investigations and improve detection and response
- Identify patterns, trends and indicators of compromise (IOCs) to proactively detect and prevent recurrence
Documentation, Reporting & Governance
- Conduct root cause analysis (RCA) and produce clear incident reports for management and stakeholders
- Maintain accurate, detailed records of incidents, actions taken, evidence collected and lessons learned in the case-management platform
- Contribute to the continuous improvement of security monitoring use cases and detection rules
- Support audit and compliance requirements by providing evidence of incident-management activities
Working arrangement
- Full-time role reporting to the SOC Manager, operating within a 24×7 Security Operations Center
- Participation in rotational shifts — day, evening and night — including weekends and public holidays on a rotational basis
- Defined acknowledgement, triage and escalation SLAs apply to each shift, with structured shift handovers to maintain continuity of in-flight incidents
What we’re looking for
(a) Required skills / qualifications
Education
- Bachelor’s degree in Computer Science, Information Security, Cybersecurity or a related field; equivalent professional experience and certifications will be considered in lieu of a degree
Experience
- 5–8 years in security operations, incident response or SOC monitoring, with at least 2 years at a senior (L3) or equivalent level
- Proven hands-on experience with Splunk — advanced SPL, dashboard development, alert creation, correlation and administration
- Demonstrated experience with Cribl Stream/Edge — data routing, filtering, pipelines and log enrichment
- Strong background in incident analysis, investigation, evidence handling, escalation management and full-lifecycle response aligned with industry standards
Technical skills
- SIEM: Splunk Enterprise / Splunk Cloud — advanced SPL, dashboard development, correlation searches, alert tuning, administration
- Data Pipeline: Cribl Stream / Cribl Edge — log routing, parsing, filtering, enrichment and pipeline management
- EDR / NDR: Elastic Security (EDR) and Corelight (NDR) for endpoint and network threat detection, investigation and response
- Incident Response: end-to-end IR lifecycle, playbook and SOP development, RCA, evidence collection and handling
- Threat Frameworks: MITRE ATT&CK (including coverage mapping), Cyber Kill Chain, Diamond Model
- Networking: strong understanding of TCP/IP, DNS, HTTP/S, firewalls, proxies and IDS/IPS
- Operating Systems: proficiency in Windows and Linux environments
- Scripting: proficiency in Python, Bash or PowerShell for automation and analysis
- Platform Technologies: familiarity with private-cloud and platform log sources — Red Hat OpenShift, OpenStack, Commvault, Scality and related infrastructure
- Ticketing / Case Mgmt: ServiceNow, Jira or equivalent for incident tracking, evidence attachment, escalation notes and closure documentation
(b) Preferred skills / qualifications
Industry certifications, such as:
- Splunk Core Certified Power User or Splunk Certified Admin
- Cribl Certified Admin
- GIAC certifications relevant to detection and response — GCIA, GCIH, GCDA or GCFA
- Blue Team Level 2 (BTL2) or equivalent hands-on defensive certification
- Experience monitoring OpenStack and Kubernetes/OpenShift environments
- Familiarity with detection-as-code practices (version control and peer review of detection content)
What working at Core42 offers
With a diverse team of 1,100+ employees from 68 nationalities, we foster an inclusive, innovative and collaborative environment. At Core42, we foster a culture grounded in trust, accountability and high performance. We are united by our values: Grit, where we overcome challenges with resilience and determination, Passion, which drives us to pursue excellence in everything we do, and Impact, as we aim to inspire progress and create meaningful change. Our team members thrive in an environment where each person’s contributions propel us forward, and together, we commit to achieving extraordinary results.
- Competitive Salary: We offer an attractive salary package based on your skills and experience
- Yearly Bonus: In recognition of your contributions, you will receive a performance-based annual bonus
- Exclusive Discount Cards: Access special benefits with Esaad and Fazaa cards, offering discounts across a wide range of services
- Premium Family Insurance: We provide comprehensive health coverage, including dental, vision and life insurance, ensuring the well-being of you and your family
- Learning & Development: We offer access to top-tier learning platforms to help you grow in your career. Learn at your own pace with unlimited access to premium courses.
Create a free Caio profile to unlock more results and save your role and location preferences.
Unlock free search