Principal Splunk Threat Detection, Integration Engineer

🕒 Abril 29

Candidatar-se

Encontrar Vagas Remotas Similares

Receber Emails de Vagas Remotas

📊 Verifique sua pontuação de currículo para esta vaga

Melhore suas chances de conseguir uma entrevista verificando sua pontuação de currículo antes de se candidatar.

Enviar Currículo

Quzara LLC

SiteLinkedInTodas as Vagas

11 - 50 funcionários

Fundada em 2015

🔒 Cibersegurança

📋 Conformidade

Cybersecurity • Compliance • Cloud Security

A Quzara LLC é uma empresa de cibersegurança que se especializa em consultoria de compliance, segurança em nuvem e operações de segurança gerenciadas. Os serviços da empresa incluem Segurança e Compliance Federal, detecção e resposta gerenciadas, auditorias de configuração de segurança em nuvem e gerenciamento de vulnerabilidades. A missão da Quzara é fornecer serviços de consultoria estratégica e tática de confiança a clientes do setor público e privado, focando em garantir conformidade de segurança e proteção contra ameaças cibernéticas. Notavelmente, o serviço Cybertorch™ da Quzara é reconhecido por sua abordagem rigorosa ao monitoramento de ameaças e resposta a incidentes, atendendo a normas como FedRAMP, DoD IL-4/IL-5 e CMMC.

Descrição

• Own the detection content lifecycle in Splunk Enterprise Security — design, SPL prototyping, validation, peer review, production deploy, tuning, and decommission. • Architect and govern the Risk-Based Alerting program — risk signals, risk notables, findings and intermediate findings, risk factor design, asset and identity-aware risk modifiers, throttling and deduplication strategies, and aggregate-score notable thresholds combining risk score, distinct detection sources, and distinct MITRE ATT&CK techniques. • Write, review, and optimize complex SPL — performance-conscious search design across accelerated data models, lookup and KV-store patterns, and REST-based content introspection. • Engineer the Splunk CIM normalization layer across the security-relevant data models — building base searches, calculated fields, and custom CIM mappings for non-standard log sources. • Design and operate the Asset & Identity framework — multiple authoritative data sources merged with priority-based logic, hostname normalization, time-bound IP-to-host resolution, and enrichment macros injected into every detection. • Operationalize the Threat Intelligence Framework — consolidating IOC feeds into the native ES intel KV-store collections, configuring TAXII/STIX ingestion, integrating vulnerability intelligence and CVE data, and operationalizing IOC matching into the RBA model rather than as standalone notables. • Develop custom integrations and automation across the security stack — bidirectional sync via REST APIs and HEC, custom Python connectors, modular inputs, and SOAR playbook authorship where automation is genuinely needed. • Build cross-domain detection coverage — identity, endpoint, network, cloud, web, email, SaaS, vulnerability/exposure, and insider/data — mapped to MITRE ATT&CK techniques and sub-techniques. • Onboard new log sources end-to-end when required — TA evaluation, custom extraction and parsing, CIM mapping, and ingest hardening — for the cases where new sources need to be added to the SIEM. • Manage Splunk license capacity through index-time filtering and routing, eliminating low-value telemetry without compromising detection coverage. • Build custom dashboards for the SOC integrated with detection workflows. • Document and peer-review every detection — every shipped detection has a structured wiki page with logic, MITRE mapping, exclusions, known false positives, and changelog. • Operate against tight delivery deadlines across multiple concurrent workstreams — translate requirements into deployable Splunk content under time pressure, coach Tier 1/2 analysts and Senior detection engineers, and serve as the named escalation point for the hardest cross-domain detection problems.

🎯 Requisitos

• 8+ years in security engineering, SOC/IR, or detection content development, including 5+ years’ operating Splunk Enterprise Security in production. • Demonstrable mastery of SPL — performance-conscious search design, complex multi-value handling, lookup and KV-store patterns, and REST API introspection. • Production experience with the full Splunk ES framework set: correlation searches, findings and intermediate findings, adaptive response, the Risk Framework and Risk Factor Editor, Asset & Identity Management, and Threat Intelligence Management. • Senior-level Risk-Based Alerting practice — you have designed RBA from risk rules through risk notables, calibrated scoring across endpoint, identity, network, and cloud detection portfolios, and tuned aggregate scoring strategies. • Splunk CIM fluency across the security-relevant data models, including building base searches, diagnosing acceleration drift, and writing custom CIM mappings for non-conforming sources. • Hands-on detection engineering across all major security domains — identity, endpoint, network, cloud, web, email, SaaS, vulnerability/exposure, and insider/data — with MITRE ATT&CK mapping discipline. • End-to-end log onboarding capability — TA evaluation, custom extraction and parsing, CIM mapping, and ingest hardening — for the cases where new sources need to be added to the SIEM. • Custom integration and automation experience — REST APIs, HEC, modular inputs, and SOAR playbook/connector authorship in Python or equivalent. • Threat intelligence operationalization experience — bringing commercial and open-source IOC feeds into a SIEM detection workflow with proper enrichment and risk-scoring integration. • Strong scripting/automation in Python (or equivalent) for REST API automation and custom security tool integration. • At least one current Splunk certification: Power User, Enterprise Security Certified Admin (legacy), Cybersecurity Defense Analyst (SPLK-5001), Cybersecurity Defense Engineer (SPLK-5002), or Enterprise Certified Architect. • Comfortable working against tight delivery deadlines across multiple concurrent workstreams.

🏖️ Benefícios

• Health insurance • 401(k) matching • Paid time off • Flexible work arrangements • Professional development opportunities