Principal Splunk Threat Detection & Integration Engineer



Overview

Job Title: Principal Splunk Threat Detection & Integration Engineer
Pay Type: SALARIED EXEMPT
Location: Remote

Summary of Position

Role/Responsibilities: We are hiring a Principal Splunk Threat Detection & Integration Engineer to own the detection content lifecycle in Splunk.


Technical Tools
Python, Splunk, CI/CD, cybersecurity, REST APIs, SaaS

Responsibilities


We are hiring a Principal Splunk Threat Detection & Integration Engineer to own the detection content lifecycle in Splunk. This is a senior individual-contributor role: you build and review the most complex correlation searches and Risk-Based Alerting (RBA) logic, run the full Splunk Enterprise Security feature set (findings and intermediate findings, Risk Framework and Risk Factor Editor, Asset & Identity, and Threat Intelligence), and deliver custom integrations and automation across the security stack. You will create vendor-agnostic detections that remain effective across EDR, identity, NDR, email, and cloud platforms, mentor junior engineers, raise the bar in peer review, and act as the technical authority for the toughest cross-domain detection challenges. You will drive programs, not tickets.

  • Own the detection content lifecycle in Splunk Enterprise Security — design, SPL prototyping, validation, peer review, production deploy, tuning, and decommission.
  • Architect and govern the Risk-Based Alerting program — risk signals, risk notables, findings and intermediate findings, risk factor design, asset and identity-aware risk modifiers, throttling and deduplication strategies, and aggregate-score notable thresholds combining risk score, distinct detection sources, and distinct MITRE ATT&CK techniques.
  • Write, review, and optimize complex SPL — performance-conscious search design across accelerated data models, lookup and KV-store patterns, and REST-based content introspection.
  • Engineer the Splunk CIM normalization layer across the security-relevant data models — building base searches, calculated fields, and custom CIM mappings for non-standard log sources.
  • Design and operate the Asset & Identity framework — multiple authoritative data sources merged with priority-based logic, hostname normalization, time-bound IP-to-host resolution, and enrichment macros injected into every detection.
  • Operationalize the Threat Intelligence Framework — consolidating IOC feeds into the native ES intel KV-store collections, configuring TAXII/STIX ingestion, integrating vulnerability intelligence and CVE data, and operationalizing IOC matching into the RBA model rather than as standalone notables.
  • Develop custom integrations and automation across the security stack — bidirectional sync via REST APIs and HEC, custom Python connectors, modular inputs, and SOAR playbook authorship where automation is genuinely needed.
  • Build cross-domain detection coverage — identity, endpoint, network, cloud, web, email, SaaS, vulnerability/exposure, and insider/data — mapped to MITRE ATT&CK techniques and sub-techniques.
  • Onboard new log sources end-to-end when required — TA evaluation, custom extraction and parsing, CIM mapping, and ingest hardening — for the cases where new sources need to be added to the SIEM.
  • Manage Splunk license capacity through index-time filtering and routing, eliminating low-value telemetry without compromising detection coverage.
  • Build custom dashboards for the SOC integrated with detection workflows.
  • Document and peer-review every detection — every shipped detection has a structured wiki page with logic, MITRE mapping, exclusions, known false positives, and changelog.
  • Operate against tight delivery deadlines across multiple concurrent workstreams — translate requirements into deployable Splunk content under time pressure, coach Tier 1/2 analysts and Senior detection engineers, and serve as the named escalation point for the hardest cross-domain detection problems.
  • Other duties as assigned.

This is a full-time position. Standard business hours are Monday through Friday 8:30 AM to 5:30 PM. Additional time outside of these hours may be needed to complete the essential functions of the job.

  • 8+ years in security engineering, SOC/IR, or detection content development, including 5+ years operating Splunk Enterprise Security in production.
  • Demonstrable mastery of SPL — performance-conscious search design, complex multi-value handling, lookup and KV-store patterns, and REST API introspection.
  • Production experience with the full Splunk ES framework set: correlation searches, findings and intermediate findings, adaptive response, the Risk Framework and Risk Factor Editor, Asset & Identity Management, and Threat Intelligence Management.
  • Senior-level Risk-Based Alerting practice — you have designed RBA from risk rules through risk notables, calibrated scoring across endpoint, identity, network, and cloud detection portfolios, and tuned aggregate scoring strategies.
  • Splunk CIM fluency across the security-relevant data models, including building base searches, diagnosing acceleration drift, and writing custom CIM mappings for non-conforming sources.
  • Hands-on detection engineering across all major security domains — identity, endpoint, network, cloud, web, email, SaaS, vulnerability/exposure, and insider/data — with MITRE ATT&CK mapping discipline.
  • End-to-end log onboarding capability — TA evaluation, custom extraction and parsing, CIM mapping, and ingest hardening — for the cases where new sources need to be added to the SIEM.
  • Custom integration and automation experience — REST APIs, HEC, modular inputs, and SOAR playbook/connector authorship in Python or equivalent.
  • Threat intelligence operationalization experience — bringing commercial and open-source IOC feeds into a SIEM detection workflow with proper enrichment and risk-scoring integration.
  • Strong scripting/automation in Python (or equivalent) for REST API automation and custom security tool integration.
  • At least one current Splunk certification: Power User, Enterprise Security Certified Admin (legacy), Cybersecurity Defense Analyst (SPLK-5001), Cybersecurity Defense Engineer (SPLK-5002), or Enterprise Certified Architect.
  • Comfortable working against tight delivery deadlines across multiple concurrent workstreams.

Requirements

  • Detection-as-Code experience successfully operating in production — Git-versioned detection content, schema-validated definitions, and CI/CD deployment pipelines into a SIEM.
  • Relevant GIAC certifications in detection and incident response (GCDA, GCFA, GCFE, GCIH, GREM, GNFA, or GCIA).
  • Prior detection engineering experience in a complex SOC or SIEM-anchored security operations team.
  • Public detection contributions — pull requests to community detection repositories, published detection content, or open-source security tooling contributions.
  • Conference talk history at major security conferences.
  • Familiarity with industry schema and detection-rule standards beyond Splunk CIM.
  • Hands-on home-lab or personal detection engineering work — public detection blog, public repo, or other demonstrable portfolio.

The Company is an Equal Employment Opportunity (EEO) employer and does not discriminate based on race, color, religion, sex, sexual orientation, national origin, age, marital status, disability, veteran's status, or any other basis protected by applicable discrimination laws.



Listing Details

Posted: April 29, 2026
First seen: May 6, 2026
Last seen: May 11, 2026
