Principal Splunk Threat Detection, Integration Engineer

🕒 1 month ago

🇺🇸 United States – Remote

⏰ Full-time

🔴 Expert

💻 Solutions Engineer

🗣️🇺🇸🇬🇧 English required


Quzara LLC

11 - 50 employees

Founded 2015

🔒 Cybersecurity

📋 Compliance

Cybersecurity • Compliance • Cloud Security

Quzara LLC is a cybersecurity company specializing in consulting services in the areas of compliance, cloud security, and managed security operations. Its services include Federal Security & Compliance, Managed Detection and Response, cloud security configuration reviews, and vulnerability management. Quzara's mission is to provide strategic and tactical trusted advisory services to public- and private-sector clients, with a focus on ensuring security compliance and protecting against cyber threats. Of particular note is Quzara's Cybertorch™ service, recognized for its rigorous approach to threat monitoring and incident response capability, covering standards such as FedRAMP, DoD IL-4/IL-5, and CMMC.

Description

• Own the detection content lifecycle in Splunk Enterprise Security — design, SPL prototyping, validation, peer review, production deploy, tuning, and decommission.
• Architect and govern the Risk-Based Alerting program — risk signals, risk notables, findings and intermediate findings, risk factor design, asset and identity-aware risk modifiers, throttling and deduplication strategies, and aggregate-score notable thresholds combining risk score, distinct detection sources, and distinct MITRE ATT&CK techniques.
• Write, review, and optimize complex SPL — performance-conscious search design across accelerated data models, lookup and KV-store patterns, and REST-based content introspection.
• Engineer the Splunk CIM normalization layer across the security-relevant data models — building base searches, calculated fields, and custom CIM mappings for non-standard log sources.
• Design and operate the Asset & Identity framework — multiple authoritative data sources merged with priority-based logic, hostname normalization, time-bound IP-to-host resolution, and enrichment macros injected into every detection.
• Operationalize the Threat Intelligence Framework — consolidating IOC feeds into the native ES intel KV-store collections, configuring TAXII/STIX ingestion, integrating vulnerability intelligence and CVE data, and operationalizing IOC matching into the RBA model rather than as standalone notables.
• Develop custom integrations and automation across the security stack — bidirectional sync via REST APIs and HEC, custom Python connectors, modular inputs, and SOAR playbook authorship where automation is genuinely needed.
• Build cross-domain detection coverage — identity, endpoint, network, cloud, web, email, SaaS, vulnerability/exposure, and insider/data — mapped to MITRE ATT&CK techniques and sub-techniques.
• Onboard new log sources end-to-end when required — TA evaluation, custom extraction and parsing, CIM mapping, and ingest hardening — for the cases where new sources need to be added to the SIEM.
• Manage Splunk license capacity through index-time filtering and routing, eliminating low-value telemetry without compromising detection coverage.
• Build custom dashboards for the SOC integrated with detection workflows.
• Document and peer-review every detection — every shipped detection has a structured wiki page with logic, MITRE mapping, exclusions, known false positives, and changelog.
• Operate against tight delivery deadlines across multiple concurrent workstreams — translate requirements into deployable Splunk content under time pressure, coach Tier 1/2 analysts and Senior detection engineers, and serve as the named escalation point for the hardest cross-domain detection problems.
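The aggregate-score notable threshold described above (risk score combined with distinct detection sources and distinct ATT&CK techniques) is the heart of an RBA program. The SPL below is an added illustration, not content from the posting or from Quzara, showing what such a risk-incident rule looks like as a correlation search over the ES Risk data model. The 24-hour window, the `user` risk object type, and the three thresholds (100 / 3 / 3) are assumed placeholders to be calibrated against a real risk index.

```spl
| tstats summariesonly=true allow_old_summaries=true
    sum(All_Risk.calculated_risk_score) as risk_score
    count as risk_event_count
    values(source) as risk_rules
    dc(source) as source_count
    values(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_ids
    dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count
    min(_time) as first_seen
    max(_time) as last_seen
  from datamodel=Risk.All_Risk
  where All_Risk.risk_object_type="user" earliest=-24h latest=now
  by All_Risk.risk_object All_Risk.risk_object_type
| `drop_dm_object_name("All_Risk")`
| where risk_score >= 100
    AND source_count >= 3
    AND mitre_technique_id_count >= 3
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - risk_score
```

Reading it top to bottom: `tstats` over the accelerated `Risk.All_Risk` data model keeps the search cheap even on large risk indexes; `source` in that model is the name of the risk rule that wrote each event, so `dc(source)` counts distinct detections rather than raw events; the `where` clause is the three-factor threshold, which means a single noisy rule firing repeatedly (high `risk_score`, `source_count` of 1) does not by itself create a notable. In production this search would be saved as a correlation search with a throttle keyed on `risk_object` so the same user is not re-notabled every scheduled run, and the thresholds would be tuned per risk object type rather than shared across users and systems.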

🎯 Requirements

• 8+ years in security engineering, SOC/IR, or detection content development, including 5+ years operating Splunk Enterprise Security in production.
• Demonstrable mastery of SPL — performance-conscious search design, complex multi-value handling, lookup and KV-store patterns, and REST API introspection.
• Production experience with the full Splunk ES framework set: correlation searches, findings and intermediate findings, adaptive response, the Risk Framework and Risk Factor Editor, Asset & Identity Management, and Threat Intelligence Management.
• Senior-level Risk-Based Alerting practice — you have designed RBA from risk rules through risk notables, calibrated scoring across endpoint, identity, network, and cloud detection portfolios, and tuned aggregate scoring strategies.
• Splunk CIM fluency across the security-relevant data models, including building base searches, diagnosing acceleration drift, and writing custom CIM mappings for non-conforming sources.
• Hands-on detection engineering across all major security domains — identity, endpoint, network, cloud, web, email, SaaS, vulnerability/exposure, and insider/data — with MITRE ATT&CK mapping discipline.
• End-to-end log onboarding capability — TA evaluation, custom extraction and parsing, CIM mapping, and ingest hardening — for the cases where new sources need to be added to the SIEM.
• Custom integration and automation experience — REST APIs, HEC, modular inputs, and SOAR playbook/connector authorship in Python or equivalent.
• Threat intelligence operationalization experience — bringing commercial and open-source IOC feeds into a SIEM detection workflow with proper enrichment and risk-scoring integration.
• Strong scripting/automation in Python (or equivalent) for REST API automation and custom security tool integration.
• At least one current Splunk certification: Power User, Enterprise Security Certified Admin (legacy), Cybersecurity Defense Analyst (SPLK-5001), Cybersecurity Defense Engineer (SPLK-5002), or Enterprise Certified Architect.
• Comfortable working against tight delivery deadlines across multiple concurrent workstreams.

🏖️ Benefits

• Health insurance
• 401(k) matching
• Paid time off
• Flexible work arrangements
• Professional development opportunities
