Insider Risk Analyst (UEBA / Detection Engineering) - Charlotte, NC*
Optomi, in partnership with a client in the financial services space, is hiring a Senior Insider Risk Analyst to help build and mature a growing insider risk program. This role is highly technical and focused on behavioral analytics, detection configuration, and investigative support within a Microsoft security environment.
This is an opportunity to work in an early-stage program where you will contribute directly to how detections are built, tuned, and interpreted - not just respond to alerts.
What You’ll Do
- Monitor and investigate insider risk alerts across Microsoft Purview, DLP, Defender, and Sentinel
- Write and optimize KQL queries from scratch to support investigations and detection logic
- Develop and refine behavioral detection models and use cases
- Analyze user and entity behavior to identify potential insider risk indicators
- Conduct end-to-end investigations: alert triage, evidence collection, timeline analysis, and reporting
- Translate ambiguous activity into clear hypotheses and investigative paths
- Tune policies and detections as part of an evolving insider risk program
- Collaborate with cross-functional teams (Security, Legal, HR), with most stakeholder engagement managed centrally
What We’re Looking For
- Strong experience with KQL (Kusto Query Language) — ability to write queries from scratch
- Experience with Microsoft Sentinel, Defender, and/or Purview
- Background in detection engineering, threat hunting, or behavioral analytics
- Experience analyzing logs, telemetry, and user activity patterns
- Ability to interpret behavior, not just respond to alerts
- Experience forming and testing hypotheses based on incomplete or ambiguous data
- Strong critical thinking and investigative skills
- 3–7 years in security analytics, detection engineering, insider risk, or related domains
- Background in environments involving UEBA, SIEM, or behavioral monitoring
Nice to Have
- Experience with insider threat frameworks (e.g., MITRE Insider Risk, CERT/CMU)
- Exposure to early-stage program building or detection development
- Counterintelligence or investigative background
*Open to hiring strong remote candidates