Richard Pugh III

Senior SIEM/SOAR Sentinel Architect/Engineer with well over 25 years experience

Rancho Cucamonga, California, United States

About

Experience

  • Senior Sentinel Architect at Applabsystems
    Dec 2024 - Present · 1 yr 8 mos

    Architect and manage dual-SIEM environment with Splunk Enterprise (5+ TB/day) and Microsoft Sentinel for 45,000+ user hybrid environment spanning on-premises infrastructure and Azure/AWS cloud workloads • Design and maintain Splunk indexer cluster with 24 indexers across 3 data centers, configured with site-aware replication factor of 3 and search factor of 2 for high availability and disaster recovery • Manage search head cluster with 6 search heads providing high availability for security analysts, deploying knowledge bundles, managing search artifacts, and load balancing search workloads • Administer deployment server managing 15,000+ Universal Forwarders across Windows servers, Linux systems, and network devices with serverclass configurations for targeted app deployment Deploy and manage Microsoft Sentinel workspace architecture with multi-workspace design separating production, development, and compliance data with cross-workspace queries for unified visibility • Configure 50+ Sentinel data connectors including Windows Security Events (via AMA), Azure AD, Microsoft 365, Defender for Endpoint, Defender for Cloud, AWS CloudTrail, and custom CEF/Syslog sources • Develop Sentinel analytics rules including scheduled rules, near-real-time (NRT) rules, and Fusion ML-based detection for advanced multi-stage attack detection across Azure and hybrid environments • Implement Sentinel UEBA (User and Entity Behavior Analytics) for anomaly detection on user accounts and entities, identifying insider threats and compromised accounts through behavioral analysis Create Sentinel workbooks providing security dashboards for Azure AD sign-in analysis, Office 365 activity, threat intelligence correlation, and compliance monitoring with interactive visualizations • Develop KQL hunting queries mapped to MITRE ATT&CK techniques for proactive threat hunting across Azure AD, Windows endpoints, network traffic, and cloud resource activity

  • Azure Security & Sentinel Engineer at Birlasoft
    Feb 2024 - Dec 2024 · 11 mos

    Implemented Sentinel Content Hub solutions deploying pre-built analytics rules, workbooks, and playbooks for common security scenarios while customizing for client-specific requirements • Developed custom Sentinel analytics rules using KQL for client-specific threats including industry-specific compliance monitoring (HIPAA, PCI-DSS, SOX) and custom application security • Created Sentinel watchlists for threat intelligence, VIP users, critical assets, and authorized IP ranges enabling contextual enrichment in analytics rules and hunting queries • Deployed Splunk Enterprise Security for clients implementing Notable Events framework, correlation searches, Asset & Identity correlation, and Investigation Workbench for security operations • Implemented Risk-Based Alerting (RBA) reducing alert volume by 60-80% while improving detection fidelity through risk score aggregation and threshold-based notable event generation • Integrated threat intelligence platforms (MISP, Anomali, Recorded Future) with both Splunk ES and Sentinel for automated IOC matching and threat indicator enrichment • Implemented Splunk SOAR for clients requiring on-premises orchestration, developing automated playbooks for phishing, malware, account compromise, and data loss prevention scenarios • Developed Sentinel Logic Apps playbooks for Azure-native clients automating incident enrichment from Azure AD, Microsoft Graph, and Defender APIs with Teams/email notification workflows

  • Microsoft Sentinel Engineer/Threat Hunter (Senior) at Persistent Systems
    May 2023 - Feb 2024 · 10 mos

    Created Sentinel Logic Apps playbooks for cloud-specific responses: Azure AD account suspension, Defender for Endpoint isolation, conditional access policy enforcement • Implemented cross-platform incident correlation forwarding Splunk notable events to Sentinel via Logic Apps for unified incident management in hybrid environment • Built case management workflows in both platforms with SLA tracking, escalation procedures, and metrics reporting for SOC performance measurement • Onboarded OT/ICS data sources to Splunk including Claroty, Dragos, and native industrial protocol logs ensuring proper parsing and CIM normalization for ES compatibility • Configured Sentinel data connectors for cloud-native data sources with proper data collection rules optimizing cost while maintaining required visibility • Created detection use cases with parallel implementation in Splunk (SPL) and Sentinel (KQL) ensuring consistent detection coverage across hybrid environment Built Logic Apps playbooks for common Sentinel use cases: block user in Azure AD, isolate endpoint via Defender, create ServiceNow ticket, send Teams alert to SOC channel • Integrated Sentinel with third-party security tools using custom Logic Apps connectors and Azure Functions for tools without native Sentinel integration

  • Security Operations & Infrastructure Engineer at Tech Mahindra
    Apr 2020 - May 2023 · 3 yrs 2 mos

    Deployed Microsoft Sentinel for clients with Microsoft-centric environments, implementing workspace architecture, data connectors, analytics rules, and automation playbooks • Configured Sentinel data connectors for Microsoft ecosystem: Azure AD, Microsoft 365, Defender for Endpoint, Defender for Cloud, Azure Activity, and Azure Key Vault • Developed Sentinel analytics rules using KQL for scheduled detection, near-real-time alerting, and leveraged Fusion rules for advanced multi-stage attack detection • Implemented Sentinel Content Hub solutions deploying Microsoft and community-developed content packs for common security scenarios and compliance requirements • Created custom Sentinel workbooks providing security visibility dashboards for Azure AD, Office 365, endpoint security, and compliance monitoring • Developed KQL hunting queries for threat hunting exercises targeting cloud-specific threats, identity attacks, and Microsoft 365 abuse scenarios

  • Senior Security / Infrastructure Engineer at Rollins, Inc.
    Apr 2010 - Apr 2020 · 10 yrs 1 mo

    Deployed and managed enterprise Splunk SIEM for 15,000+ user organization across corporate headquarters, regional offices, and 200+ branch locations supporting security operations and compliance • Evolved Splunk deployment from initial implementation (500 GB/day) to enterprise-scale (2 TB/day) over 10-year tenure, growing infrastructure to meet expanding security requirements • Architected Splunk infrastructure progression from standalone instance to distributed deployment with indexer cluster, search head cluster, and deployment server • Managed Splunk indexer cluster with 12 indexers, configuring replication for high availability and implementing index lifecycle management for data retention compliance • Administered deployment server managing 3,000+ Universal Forwarders across Windows servers, Linux systems, and network devices with serverclass configurations • Evaluated and piloted Microsoft Sentinel (formerly Azure Sentinel) as organization began Azure cloud adoption, assessing capabilities for cloud security monitoring • Deployed initial Sentinel workspace for Azure AD and Office 365 monitoring as organization migrated to Microsoft 365, complementing on-premises Splunk deployment • Configured Sentinel data connectors for Azure AD sign-in logs, Azure AD audit logs, and Office 365 activity logs providing cloud identity and collaboration visibility • Developed initial Sentinel analytics rules for cloud-specific threats: risky sign-ins, impossible travel, mass file downloads, and external sharing anomalies