Faizan Arshad

SOC Analyst | Threat Hunter & Detection Engineer | Splunk ES · Sentinel · CrowdStrike | MITRE ATT&CK-Mapped Use Cases | SPL & KQL | Cortex XSOAR | Cloud Environments

Washington DC-Baltimore Area

About

Security operations professional with 6+ years detecting, investigating, and containing threats across federal consulting, financial services, and telecom environments. Deep hands-on experience across Splunk Enterprise Security, Microsoft Sentinel, CrowdStrike Falcon, and Cortex XSOAR — with demonstrable depth in detection engineering, SOAR automation, and multi-cloud security monitoring (AWS, Azure). Operates at the intersection of alert triage and proactive threat hunting, mapping adversary behavior to MITRE ATT&CK to reduce dwell time and detection gaps. Built SOAR playbooks and SPL/​KQL detection logic that cut analyst workload and improved mean time to respond. Equally effective as a solo contributor on complex incident investigations or as a force-multiplier across distributed SOC teams in high-stakes federal environments. Technical Skills SIEM & Log Analysis Splunk, Splunk Enterprise Security (ES), Microsoft Sentinel, IBM QRadar, Elastic SIEM (ELK Stack), Wazuh, Security Onion Detection Engineering Splunk SPL, Kusto Query Language (KQL), MITRE ATT&CK, Sigma Rules, Use Case Development, Detection Tuning, False Positive Reduction, Log Source Onboarding Network & Threat Analysis Wireshark, Zeek, Suricata, Snort, Intrusion Detection Systems (IDS/​IPS), Palo Alto /​ Fortinet /​ Cisco Firepower /​ Check Point Firewall Monitoring, TCP/​IP, DNS, HTTP/​HTTPS Analysis Threat Intelligence MISP, Recorded Future, ThreatConnect, VirusTotal, AlienVault OTX, OpenCTI, IOC & TTP Analysis, IOC Pivoting, Adversary Behavior Analysis Malware & Forensics KAPE, Volatility (Memory Forensics), Static Malware Analysis, AnyRun, Cuckoo Sandbox, Malware Triage Email Security Microsoft Defender for Office 365, Microsoft 365 Security Investigations, Phishing Analysis EDR / XDR CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Microsoft Defender XDR SOAR & Automation Palo Alto Cortex XSOAR, Splunk SOAR (Phantom), Tines, Swimlane, Python, PowerShell, Bash, SOC Playbook Development, Runbook Engineering Cloud Security AWS CloudTrail, AWS GuardDuty, AWS Security Hub, Azure Security Monitoring, AWS Security Monitoring Endpoint & Identity Windows Event Logs, Sysmon, Active Directory Security, Identity & Access Management (IAM), Linux Log Analysis, Process & Command-Line Analysis Vulnerability Management Nessus, Tenable Security Center (Tenable SC), Qualys, Vulnerability Prioritization & Remediation

Experience

  • Security Operations Engineer at Accenture Federal Services
    Apr 2024 - Present · 2 yrs 4 mos

    •Architect and own Splunk ES correlation search library across 14 log sources, reducing alert-to-triage handoff from 31 minutes to 17 minutes. •Designed Cortex XSOAR playbooks automating phishing triage, IOC enrichment, and containment actions — eliminating 847 manual analyst-hours per quarter. •Lead detection engineering for a federal agency SOC, mapping 23 new use cases to MITRE ATT&CK techniques and retiring 17 noisy legacy rules to reduce false-positive volume. •Instrument CrowdStrike Falcon telemetry pipeline into Splunk for unified endpoint-to-SIEM visibility across a 4,200-node federal environment. •Conduct threat hunts against AWS CloudTrail and GuardDuty findings, pivoting on IOCs in MISP and Recorded Future to uncover 3 confirmed lateral movement attempts. •Author detection logic in SPL targeting credential-dumping (T1003), scheduled task persistence (T1053), and Kerberoasting (T1558.003) patterns in Active Directory telemetry. •Partner with the federal client's IR team during major incidents — leading investigation scoping, evidence collection, and executive-level incident briefings for 2 P1 events. •Onboard 6 new log sources into Splunk including Palo Alto firewall, Sysmon, and Azure AD sign-in logs, authoring field extractions and data normalization transforms. •Mentor junior analysts on SPL query construction and ATT&CK-based triage methodology, reducing escalation misclassifications by half over two quarters.

  • Cyber Security Analyst at Capital One
    Feb 2022 - Mar 2024 · 2 yrs 2 mos

    •Built and tuned Microsoft Sentinel analytics rules across Azure AD, M365, and Defender XDR signal streams — cutting mean time to detect (MTTD) from 43 minutes to 11 minutes. •Owned Splunk SOAR automation for alert enrichment workflows, integrating VirusTotal, ThreatConnect, and internal CMDB lookups to auto-close 61% of low-fidelity alerts without analyst touch. •Investigated 1,400+ security events per quarter spanning insider threat, OAuth abuse, and cloud misconfiguration using KQL queries against a 3.1TB/​day Sentinel ingestion pipeline. •Engineered KQL detection rules for Azure AD identity abuse scenarios — including impossible travel, token replay, and MFA fatigue — aligned to MITRE T1110, T1078, and T1556 techniques. •Performed phishing triage and email forensics via Microsoft Defender for Office 365, containing 3 BEC campaigns before financial impact through rapid mailbox investigation and credential reset coordination. •Conducted adversary simulation exercises using MITRE ATT&CK Evaluations methodology to validate existing detections and surface 9 coverage gaps subsequently addressed with new Sentinel rules. •Collaborated with the cloud security team to baseline AWS GuardDuty findings and CloudTrail anomalies, building Sentinel workbooks that surfaced cross-cloud threat correlation. •Documented incident response runbooks for 8 threat categories, standardizing investigation steps and reducing new-analyst onboarding time.

  • SOC Analyst at Verizon
    Oct 2019 - Feb 2022 · 2 yrs 5 mos

    •Monitored and triaged 300–400 daily security alerts in IBM QRadar across a 9-node enterprise network environment covering 47,000 endpoints. •Performed network traffic analysis using Wireshark and Zeek to investigate anomalous lateral movement patterns, contributing to containment of a confirmed ransomware pre-positioning event. •Developed 11 custom QRadar offense rules targeting DNS tunneling, excessive failed authentications, and anomalous data exfiltration volume to address gaps in default rulesets. •Executed Tier 1 and Tier 2 incident triage across intrusion, malware, and policy violation categories — escalating 94 confirmed incidents with full NIST IR lifecycle documentation. •Supported vulnerability assessment cycles using Nessus and Tenable SC, prioritizing critical findings across 6 business units and tracking remediation status through ServiceNow. •Integrated Suricata IDS alerts into QRadar via log source extension, adding network-layer detection coverage that had previously been a blind spot for the SOC team. •Partnered with the network operations center to correlate Cisco Firepower IPS events against SIEM alerts, reducing duplicate ticketing and triage overhead across 2 overlapping teams. •Maintained IOC repositories in AlienVault OTX and coordinated threat intelligence sharing across the SOC team using standardized STIX/​TAXII feed ingestion.