Elasticsearch Lead Engineer - SIEM Platform
- Architect and maintain high-availability Elasticsearch clusters supporting large-scale security event ingestion
- Define and enforce Elastic Common Schema (ECS) field mappings across all data sources, ensuring consistent normalization for detection rules and analytics
- Design and develop custom data ingestion pipelines using Elasticsearch
- Integrate with AWS services including S3, Kinesis Data Streams, Lambda, and CloudWatch for log collection
- Manage AWS infrastructure: EC2, S3, IAM, and Secrets Manager - using AWS CloudFormation
- Implement data lifecycle management - hot/warm/cold/frozen tier strategies, ILM policies, and snapshot/restore to S3-based data lakes
- Partner with Detection Engineering and Threat Intelligence teams to optimize index strategies, queries, and dashboards in Kibana
- Establish and maintain cluster security controls: TLS/mTLS, role-based access control (RBAC), audit logging, and encryption at rest
- Build resilient, fault-tolerant architectures: cross-cluster replication, shard allocation awareness, and disaster recovery runbooks
- Perform platform health monitoring, upgrade, and patching activities
- Troubleshoot and manage production technical issues related to the Elasticsearch cloud deployment
- Define and enforce SLOs for ingestion latency, query performance, and cluster availability
- Mentor junior engineers and establish best practices, runbooks, and architectural standards
Qualifications
- Minimum of six years of related work experience.
- Undergraduate degree in a related field or the equivalent combination of training and experience.
- 6+ years of Elasticsearch / Elastic Stack (ELK) experience in a production security or observability environment
- Deep understanding of Elastic Common Schema (ECS) and experience mapping diverse log sources (Windows, Linux, network, cloud, EDR) to ECS
- Hands-on experience operating Elasticsearch at scale (10TB+/day ingest, 100+ node clusters)
- Proficiency with AWS - Kinesis, S3, IAM, CloudTrail, and AWS-native log sources
- Experience with data streaming platforms - Apache Kafka, or Confluent Platform - for high-throughput event ingestion
- Experience integrating with data lake platforms - AWS S3 / Lake Formation, Data Lake, or Apache Iceberg for long-term retention and threat hunting
- Strong understanding of security principles: least privilege, network segmentation, secrets management, audit logging
- Experience building resilient systems: replication topologies, capacity planning, chaos engineering mindset, and documented DR procedures
- Proficiency with infrastructure-as-code tools (Terraform, Ansible, or CDK) (Optional)
Preferred Qualifications
- Elastic Certified Engineer or Elastic Certified Analyst certification
- Experience with Elastic Security / SIEM detection rules, ML jobs, and Timeline investigations
- Familiarity with MITRE ATT&CK framework and how it informs index and detection design
- Experience with container-based deployments of Elastic (ECK / Kubernetes)
- Knowledge of compliance frameworks: SOC 2, PCI-DSS, HIPAA, or FedRAMP
Special Factors
Sponsorship
Vanguard is not offering visa sponsorship for this position.