Cyber Incident Handling Analyst
SOS International LLC
**Overview**
SOSi is seeking a **Cyber Incident Handling Analyst** to support our customer in **Wiesbaden, Germany**. The Cyber Incident Handler will analyze cyber-related events to detect and deter malicious actors using SIEM technologies, which correlate alerts and logs from multiple security tools.
**Essential Job Duties**
+ Work as a member of the Cyber Incident Response Operations Team to increase the security posture of the customers' network.
+ Monitor SIEM platforms for alerts, events, and rules providing insight into malicious activities and/or security posture violations.
+ Review intrusion detection system alerts for anomalies that may pose a threat to the customers' network.
+ Identify and investigate vulnerabilities, assess exploit potential, and suggest analytics for automation in the SIEM engines.
+ Report events through the incident handling process of creating incident tickets for deeper analysis and triage activities.
+ Coordinate and distribute directives, vulnerability advisories, and threat advisories to identified consumers.
+ Issue triage steps to local touch labor organizations and Army units to mitigate or collect on-site data.
+ Perform post-intrusion analysis to determine shortfalls in the incident detection methods.
+ Develop unique queries and rules in the SIEM platforms to further detection for first line cyber defenders.
+ Monitor the status of the intrusion detection system for proper alert reporting and system status.
+ Respond to the higher headquarters on incidents and daily reports.
+ Provide daily updates to Defensive Cyber Operations staff on intrusion detection operation and trends of events causing incidents.
+ Prepare charts and diagrams to assist in metrics analysis and problem evaluation and submit recommendations for data mining and analytical solutions.
+ Draft reports of vulnerabilities to increase customer situational awareness and improve the customer's cybersecurity posture.
+ Assist all sections of the Defensive Cyber Operations team as required in performing analysis and other duties as assigned.
+ May perform documentation and vetting of identified vulnerabilities for operational use.
+ May prepare and present technical reports and briefings.
+ Utilize a solid understanding of networking ports and protocols, their uses, and their potential misuses.
**Minimum Requirements**
+ An active, in-scope Top Secret/SCI clearance is required.
+ Bachelor's degree in a related discipline plus 3 years of experience, Associate's degree plus 7 years, major certification plus 7 years, or 11+ years of specialized experience.
+ Must meet DoD 8140 DCWF 531 requirements (B.S., A-150-1980, A-150-1202, A-150-1203, A-150-1250, WSS 011, WSS 012, GCFA, CBROPS, FITSP-O, GISF, CCSP, CEH, Cloud+, GCED, PenTest+, Security+, or GSEC).
+ Must meet DoD 8140 DCWF 511 requirements (B.S., M03385G, M10395B, M22385, A-150-1980, A-150-1202, A-150-1203, A-150-1250, A-531-0451, A-531-4421, A-531-1900, WSS 011, DISA-US1377, GFACT, GISF, Cloud+, GCED, PenTest+, Security+, or GSEC).
+ Must have one of the following certifications: Cisco CyberOps Professional, GCED, GCFA, GCFE, GCIH, GNFA, DCITA CIRC, FIWE, or Offensive Security OSDA.
+ Must have a full, complete, and in-depth understanding of all aspects of Defensive Cyber Operations.
+ Must have a good breadth of knowledge of common ports and protocols of system and network services.
+ Experience with packet captures and network packet analysis.
+ Experience with intrusion detection systems such as Snort, Suricata, and/or Zeek.
+ Experience with SIEM systems such as Splunk and/or ArcSight.
+ Must have the demonstrated ability to communicate with a variety of stakeholders in a variety of formats.
+ Must be able to obtain certification as a Technical Expert by the German Government under the Technical Expert Status Accreditation (TESA) process.
**Preferred Qualifications**
+ Bachelor's degree in Engineering, Computer Science, or Mathematics.
+ Experience with writing Snort or Suricata IDS rules.
+ Experience with writing complex Splunk SPL queries to correlate lookup tables with event logs to identify anomalies.
+ Experience with analyzing packets using Arkime or Wireshark.
+ Experience with Microsoft Windows event IDs.
+ Experience with Linux audit log analysis.
+ Familiarity with Git and VS Code.
+ Experience with one or more scripting languages such as PowerShell, Bash, or Python.
**Work Environment**
+ Normal office conditions.
+ Potential to work on multiple shifts in a rotation schedule covering a 24/7/365 mission.
+ On site in Wiesbaden, Germany.
**Working at SOSi**
All interested individuals will receive consideration and will not be discriminated against for any reason.