As a Splunk Security Engineer, you will play a critical role in supporting the Security Operations Center (SOC) mission by maintaining, enhancing and expanding the capabilities of the SIEM and other operational tools and platforms. This includes, but is not limited to, content management, security orchestration development, signature development, and analytics creation.
You will work on the cybersecurity engineering team responsible for operational efficiency, stakeholder coordination, and mission-aligned cybersecurity initiatives. The position strengthens SOC effectiveness by bridging technical operations, mission support, and strategic objectives so that security services are delivered without gaps. In this role, a typical day will include:
- Lead the development and maintenance of custom dashboards for detections, correlations, and performance metrics.
- Lead the creation of custom automation workflows and playbooks on SOAR platforms (e.g., Splunk SOAR, Palo Alto Cortex XSOAR) to streamline incident response, threat detection, and remediation based on organizational needs.
- Onboard log sources from Windows, Linux, network appliances, and cloud services to ensure full visibility and compliance.
- Continuously monitor, update, and optimize existing automations to adapt to evolving threats, improve efficiency, and reduce false positives, incorporating feedback from SOC teams.
- Produce comprehensive documentation, including playbook designs, integration details, diagrams, and user guides, to support SOC operations and facilitate knowledge transfer.
- Research and adopt emerging automation technologies, threat intelligence, and best practices to enhance IOC detection, signature creation and SOAR capabilities, and to support proactive threat mitigation.
- Develop, maintain, and execute automated SOAR playbooks that interact across systems and devices.
- Analyze log events, correlate data across multiple sources, and enhance threat detection and response workflows.
- Using SOAR connectors, design integrations between Splunk SOAR and standard DoD products such as Trellix ePO, Tanium, Cisco (Firepower, ISE, Email Gateways, AMP, switches/routers), Palo Alto firewalls, Microsoft Active Directory, DNS, Exchange, SharePoint, IIS, SQL, Apache, Tomcat, RSA SecurID, Tenable.sc and Nessus, VMware vCenter/ESXi, ServiceNow, Azure and AWS, NetApp, and Windows and Linux hosts. Connectors authenticate with API keys, tokens, or service accounts, so understanding the trade-offs of each (scope, rotation, least privilege) is important.
- Configure and manage Splunk Enterprise Security, including maintaining CIM compliance, Risk-Based Alerting (RBA), ticketing, and SIEM integrations.
- Review, tune and deploy new Enterprise Security Content Updates (ESCU) as they are released.
- Lead the full lifecycle of automation, from concept through deployment to documentation and tuning.
- Build visual dashboards, reports, and context-aware incident response tools.
- Identify threat actor tactics, techniques and procedures and develop countermeasures (such as custom signatures and correlation logic) to detect and/or mitigate adversary activity.
- Support operational readiness, compliance, and proactive detection technologies across endpoint, cloud, network, and email infrastructures.
- Maintain the existing fleet of development VMs (Windows, Linux), and build new ones, to test and demonstrate playbook functionality.
- Fully test and document playbook execution in the development environment, and serve as the authoritative presenter of playbook examples to teams being onboarded for integration.
- Review intelligence reports and provide a daily cyber assessment of the impact to networks.
- Recognize attacker tools, tactics, and procedures (TTPs) and codify them as indicators of compromise (IOCs) that can be applied to current and future investigations.
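Several of the duties above (CIM-compliant onboarding, cross-source correlation, tuning out false positives) come together in a single workflow: normalize authentication events from different platforms onto common fields, then run correlation logic over them. The script below is an added example written for this page, not code from the job posting or any employer; it prototypes in Python what would normally become an SPL correlation search or RBA rule in Enterprise Security. The Windows key=value rendering, the Linux sshd lines, the 2024 syslog year, the CIM field subset, the threshold and window values, and the scanner allowlist are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (assumption: not real data). Windows lines mimic
# a key=value rendering of Security events 4625 (failure) and 4624 (success);
# Linux lines mimic sshd entries from /var/log/auth.log.
WINDOWS_LOGS = """\
2024-05-01T10:00:01Z EventCode=4625 TargetUserName=jsmith IpAddress=10.1.2.3 Computer=WS01
2024-05-01T10:00:04Z EventCode=4625 TargetUserName=jsmith IpAddress=10.1.2.3 Computer=WS01
2024-05-01T10:00:07Z EventCode=4625 TargetUserName=jsmith IpAddress=10.1.2.3 Computer=WS02
2024-05-01T10:00:20Z EventCode=4624 TargetUserName=svc_backup IpAddress=10.9.9.9 Computer=WS01
""".splitlines()

LINUX_LOGS = """\
May  1 10:00:09 srv01 sshd[4321]: Failed password for jsmith from 10.1.2.3 port 51234 ssh2
May  1 10:00:12 srv01 sshd[4322]: Failed password for jsmith from 10.1.2.3 port 51236 ssh2
May  1 10:00:40 srv02 sshd[4400]: Accepted password for jsmith from 10.1.2.3 port 51250 ssh2
May  1 10:05:00 srv02 sshd[4500]: Failed password for root from 10.9.9.9 port 40000 ssh2
""".splitlines()

SYSLOG_YEAR = "2024"  # assumption: classic syslog timestamps carry no year

WIN_RE = re.compile(r"^(?P<ts>\S+) EventCode=(?P<code>\d+) TargetUserName=(?P<user>\S+) "
                    r"IpAddress=(?P<src>\S+) Computer=(?P<dest>\S+)$")
LINUX_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<dest>\S+) sshd\[\d+\]: "
                      r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
                      r"from (?P<src>\S+)")


def normalize(line):
    """Map one raw line onto CIM Authentication fields (_time, action, user,
    src, dest, app). Returns None for lines that are not auth events."""
    m = WIN_RE.match(line)
    if m:
        if m["code"] not in ("4624", "4625"):
            return None
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return {"_time": ts, "action": "success" if m["code"] == "4624" else "failure",
                "user": m["user"].lower(), "src": m["src"], "dest": m["dest"],
                "app": "win:security"}
    m = LINUX_RE.match(line)
    if m:
        ts = datetime.strptime(SYSLOG_YEAR + " " + m["ts"], "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
        return {"_time": ts, "action": "success" if m["result"] == "Accepted" else "failure",
                "user": m["user"].lower(), "src": m["src"], "dest": m["dest"], "app": "sshd"}
    return None


def correlate(events, threshold=4, window_seconds=300, allowlist=frozenset()):
    """Flag (src, user) pairs with at least `threshold` failures followed by a
    success within `window_seconds`, counted across every dest and platform.
    Sources in `allowlist` (e.g. an authorized vulnerability scanner) are
    suppressed to reduce false positives."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["_time"]):
        by_key[(e["src"], e["user"])].append(e)

    alerts = []
    for (src, user), evs in by_key.items():
        if src in allowlist:
            continue
        failures = []
        for e in evs:
            if e["action"] == "failure":
                failures.append(e)
                continue
            recent = [f for f in failures
                      if (e["_time"] - f["_time"]).total_seconds() <= window_seconds]
            if len(recent) >= threshold:
                alerts.append({"src": src, "user": user, "failures": len(recent),
                               "sources": sorted({f["app"] for f in recent}),
                               "dests": sorted({f["dest"] for f in recent} | {e["dest"]}),
                               "success_at": e["_time"].isoformat()})
            failures = []  # a success closes the current window
    return alerts


def run(allowlist=frozenset()):
    """Normalize both constructed feeds and return the correlation alerts."""
    events = [e for e in map(normalize, WINDOWS_LOGS + LINUX_LOGS) if e]
    return correlate(events, allowlist=allowlist)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The point of the example is that neither platform alone crosses the threshold (three Windows failures, two sshd failures), but the CIM-normalized view does, and the success on srv02 that follows is what turns a noisy brute-force signal into an alert worth a ticket. Tuning happens in two places: the threshold and window, and the allowlist for sources such as authorized scanners that would otherwise fire constantly.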