Splunk Detection Engineer at Delan Associates, Inc | Torre

Splunk Detection Engineer

You will secure critical systems by engineering robust Splunk detections and mentoring a team.
Full-time

Legal agreement: Employment

Provide your expected compensation while applying
Remote (for United States residents)
Posted 6 months ago

Requirements and responsibilities


Job Description

Title: Splunk Detection Engineer
W-2 only (no 1099). Must be a U.S. citizen.

Background:
The company promotes the safe and secure use of technology and provides a variety of cybersecurity services, including consultation, protection technologies, detection technologies, cybersecurity education and awareness, cybersecurity incident management, vulnerability management, compliance, and cybersecurity risk management.

Contract Position: Full time, 40-hour work week
Period of Performance: 1 year

Scope:
The Splunk Detection Engineer will play an important role in ensuring that security logs are appropriately formatted, ingested, tagged, and used to detect possible security events. Typical tasks may include:
- Integrating new data sources, which may include databases, APIs, files, etc. This may involve setting standards and working with IT administrators to update their configurations.
- Validating and creating appropriate configurations for CIM-compliant logs.
- Processing requests from cybersecurity analysts for new detections within Splunk Enterprise Security.
- Analyzing existing logs to identify poorly formatted logs and potential gaps when implementing new detections.
- Adding and maintaining threat feeds within Splunk Enterprise Security.
- Monitoring the performance of detections and tuning them.
- Managing the asset and identity inventory within Splunk Enterprise Security.
- Creating and maintaining new Splunk apps.
- Recommending additions or changes to Splunk or its data models to meet detection needs.
- Developing searches, reports, and other functionality for cyber use cases, including active response, intrusion detection, vulnerability management, and related use cases.
- Assisting users with creating and optimizing searches and dashboards, and mentoring others in good development practice for those resources.
- Attending online Teams meetings with the team and others as appropriate.
- Working with the team to provide status on current tasks, suggest improvements, discuss implementation, etc.

Objectives:
The ideal candidate will support the projects and tasks associated with cybersecurity log collection, analysis, and event detection.

Technical Direction of Work:
Reports to the Deputy Chief Information Security Officer within the Business and Information Services (BIS) division, with daily guidance from and collaboration with others in the Cyber Security Program Office (CSPO).

Remote:
Typically, the work is performed remotely. For a candidate within driving distance of the Lab, there may be rare occasions to be onsite for in-person meetings, assessments, or presentations. Most of the BIS Division works remotely and is rarely onsite. If the candidate is out of state or too far from the Lab, onsite meetings are not feasible and not required.

Expectations/Deliverables:
A candidate is expected to:
- Capture business requirements and implement them.
- Analyze data and perform initial planning to address identified issues.
- Assist with the creation of playbooks to address issues identified by analysts.
- Seek to understand the intention of detections and their corresponding playbooks.
- Provide basic feedback on existing playbooks and detections.
- Identify telemetry quality and visibility issues: SIEM parsing and normalization, EDR/XDR sensor health, asset and identity tagging.

A stronger candidate would also:
- Provide advanced recommendations to address gaps in logging and detections based on an analysis of threats and data.
- Create detailed and thorough testing plans to raise the likelihood of accurate detections.
- Produce clear metrics and reports (false-positive rate, backlog) for technical and executive audiences.

An excellent candidate would also:
- Create advanced detection use cases based on an analysis of threats and data, including sample criteria to identify the behavior, and map detections to MITRE ATT&CK.
- Drive continuous improvement of existing processes and tooling.
- Perform quality reviews and improve detections and response actions.
- Coach, guide, and teach others on the team in the use of Enterprise Security.

Minimum Qualifications:
- Significant experience with Splunk and Splunk Enterprise Security.
- Significant experience with event logging solutions, e.g. Splunk Universal Forwarder, syslog, Cribl.
- Experience with ticketing/case management.
- Experience with Git pipelines.
- Familiarity with the Linux CLI.
- Ability to craft queries in common languages; comfort with regex, JSON, and APIs; basic scripting in Python, PowerShell, or Bash.
- Excellent analytical, problem-solving, and communication skills with stakeholders, peers, and internal customers; able to operate under pressure in a shift or on-call environment.

Preferred Additional Qualifications:
- Strong grasp of TCP/IP, the OSI model, and common protocols (HTTP, DNS, SMTP); Windows, Linux, and macOS fundamentals; Active Directory and Azure AD concepts; basic cloud logging.
- Experience in system and network administration.
- Relevant cybersecurity experience, including investigations and data analysis.
- Experience with SOAR tools and automation development.
- Experience using identity security management tools, e.g. Entra ID, Active Directory, Shibboleth, CrowdStrike Identity Protection.
- Cloud security experience, e.g. CloudTrail, GuardDuty, Azure Defender, M365, GCP Security Command Center.
- Relevant certifications (nice to have): Security+, CySA+, SSCP, Microsoft SC-200, AZ-500, Splunk Core, Splunk Enterprise Security, Splunk Enterprise Security Certified Admin, Splunk Core Certified Consultant, Splunk Certified Cybersecurity Defense Analyst, Splunk Certified Cybersecurity Defense Engineer, Splunk Enterprise Certified Admin, Splunk Enterprise Certified Architect, GIAC (GCIH, GCIA, GCFA, GCTI), cloud provider security certifications.

Experience:
- Considerable knowledge of using and administering Splunk.
- Staying up to date with the latest cybersecurity threats, vulnerabilities, and best practices.
- Strong analytical and problem-solving skills.
- Meticulous attention to detail to ensure thorough assessments and accurate reporting.
- Excellent written and verbal communication skills to convey findings and recommendations to technical and non-technical stakeholders.
- Ability to work collaboratively with other cybersecurity professionals, IT staff, and external vendors.
- Experience and skill in conducting audits or reviews of technical systems.
- Experience working in a government environment.
- Experience working in a distributed IT environment.
- Ability to qualify for an HSPD-12 (PIV) card, used for two-factor authentication.
- Able to work both independently and as a contributing member of a small technical team.
- Able to disseminate knowledge to current staff.

Government-Furnished Property:
The company will supply a government-furnished laptop, PIV card, and PIV card reader.

Computer Protection Program:
The contractor shall adhere to all policies and procedures of the ANL Computer Protection Program; must not bypass any procedures established to protect data, applications, hardware, or communications at ANL; must maintain a work environment that satisfies audit, privacy, and protection requirements; and must report any findings of inadequacies to the technical contact and the BIS Computer Protection Program Representative.

The following expectations are part of working remotely:
- Working remotely outside of scheduled times requires supervisor approval before performing that remote work.
- While working remotely, just as when onsite, all scheduled meetings must be attended using approved remote communication tools.
- The candidate must be available for consultation during all scheduled work time, reachable by email, phone, chat, or other approved means.
- Performance will be monitored to confirm that productivity during remote work at least matches that when onsite. If performance and deliverables decline, remote work may be suspended.
- Should a situation arise that requires the candidate to be onsite while scheduled to work remotely, accommodation will be made to reschedule the remote work if desired.
- The remote work privilege may be revoked at any time at the discretion of the company.
- A flexible work schedule may also be possible if the schedule is agreed to by the candidate and approved by the supervisor and sponsor.
- Should the laboratory close operations due to weather or other circumstances, remote work is preferred.
- Lastly, the candidate must record their remote work schedule in the CSPO absence calendar and have it approved by the CSPO supervisor.

Place of Performance:
Work will be performed remotely within the confines of the United States of America, and team communication will be done through Microsoft tools such as Microsoft Teams and Microsoft Outlook.

Period of Performance:
Work would begin in early October 2025, 40 hours per week, for 1 year.
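The scope section above asks for validating CIM-compliant logs and identifying telemetry quality issues (parsing and normalization gaps). The script below is an added illustration of what that check looks like in practice; it is not code from the posting, the employer, or Splunk. It measures, per sourcetype, how often each field an Authentication data model detection relies on is actually populated, lists the gaps, and proposes a props.conf FIELDALIAS line when a raw field already carries the value under a non-CIM name. The events are constructed, and the required-field list, alias candidates, and 90% threshold are assumptions for this example rather than the official CIM specification.

```python
"""CIM field-coverage check for the Authentication data model.

Added illustration (not code from the posting, the employer, or Splunk):
given parsed events, measure how often each sourcetype populates the
fields an Authentication detection depends on, list the gaps, and propose
a props.conf FIELDALIAS when an un-normalized raw field carries the value.
The events are constructed; the required-field list and alias candidates
are assumptions for this example, not the official CIM specification.
"""
from collections import defaultdict

# Assumption: the Authentication fields most detections key on.
AUTH_REQUIRED = ("action", "user", "src", "dest", "app")

# Assumption: raw field names that commonly hold each CIM field's value.
ALIAS_CANDIDATES = {
    "action": ("result", "outcome"),
    "user": ("username", "account_name", "TargetUserName"),
    "src": ("src_ip", "client_ip", "IpAddress"),
    "dest": ("dest_host", "Computer"),
    "app": ("service", "application"),
}

# Values that count as "not populated" for coverage purposes.
EMPTY = (None, "", "-", "unknown")

# Constructed sample events as Splunk would present them after parsing:
# sourcetype plus extracted fields.
SAMPLE_EVENTS = [
    # Fully normalized (a CIM-compliant add-on did the work).
    {"sourcetype": "WinEventLog:Security", "action": "success", "user": "jdoe",
     "src": "10.1.2.3", "dest": "WS01", "app": "win:local"},
    {"sourcetype": "WinEventLog:Security", "action": "failure", "user": "svc_backup",
     "src": "10.1.2.9", "dest": "DC01", "app": "win:remote"},
    # Vendor SSO log: values exist but under non-CIM names.
    {"sourcetype": "vendor:sso", "action": "success", "username": "jdoe",
     "src_ip": "198.51.100.7", "dest": "sso.example.com", "app": "sso"},
    {"sourcetype": "vendor:sso", "action": "failure", "username": "asmith",
     "src_ip": "198.51.100.8", "dest": "sso.example.com", "app": "sso"},
    {"sourcetype": "vendor:sso", "action": "success", "username": "bwong",
     "src_ip": "203.0.113.4", "dest": "sso.example.com", "app": "sso"},
    # Home-grown VPN log: no destination at all, and action is unreliable.
    {"sourcetype": "custom:vpn", "action": "unknown", "user": "jdoe",
     "src": "192.0.2.10", "app": "vpn"},
    {"sourcetype": "custom:vpn", "action": "success", "user": "asmith",
     "src": "192.0.2.11", "app": "vpn"},
]


def _populated(event, field):
    """True when the event carries a usable value for the field."""
    return event.get(field) not in EMPTY


def _by_sourcetype(events):
    groups = defaultdict(list)
    for ev in events:
        groups[ev.get("sourcetype", "<none>")].append(ev)
    return groups


def field_coverage(events, required=AUTH_REQUIRED):
    """Return {sourcetype: {field: fraction of events with a populated value}}."""
    return {
        st: {f: sum(_populated(ev, f) for ev in evs) / len(evs) for f in required}
        for st, evs in _by_sourcetype(events).items()
    }


def find_gaps(coverage, threshold=0.9):
    """List (sourcetype, field, coverage) below threshold, sorted for stable output."""
    return sorted(
        (st, f, cov)
        for st, fields in coverage.items()
        for f, cov in fields.items()
        if cov < threshold
    )


def suggest_aliases(events, coverage, threshold=0.9):
    """For each gap, look for a raw field that is itself well populated and
    propose a FIELDALIAS line for the sourcetype's props.conf stanza."""
    groups = _by_sourcetype(events)
    suggestions = []
    for st, f, _ in find_gaps(coverage, threshold):
        evs = groups[st]
        for raw in ALIAS_CANDIDATES.get(f, ()):
            if sum(_populated(ev, raw) for ev in evs) / len(evs) >= threshold:
                suggestions.append((st, f"FIELDALIAS-cim_{f} = {raw} AS {f}"))
                break
    return suggestions


if __name__ == "__main__":
    cov = field_coverage(SAMPLE_EVENTS)
    for st, f, c in find_gaps(cov):
        print(f"GAP  {st:22s} {f:7s} {c:.0%} populated")
    for st, line in suggest_aliases(SAMPLE_EVENTS, cov):
        print(f"FIX  [{st}]  {line}")
```

Run against the constructed events, the check flags two kinds of gap that need different fixes: vendor:sso has the data but under the wrong names (a FIELDALIAS in that sourcetype's props.conf stanza closes the gap), while custom:vpn never emits a destination and reports an unreliable action, which no normalization can repair and must go back to the log owner as a visibility issue. In a live deployment the same measurement is normally done with an SPL search over the data model rather than by exporting events; the script mirrors that logic so it can be tested offline.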