Principal Splunk-Threat Detection & Integration Engineer
Full-time
Remote
USA - Must Work EST (8:30AM - 5:30PM)
U.S Citizen
Primary Purpose and Goal of Role
We are hiring a Principal Splunk Threat Detection & Integration Engineer to own the detection content lifecycle in Splunk. This is a senior individual-contributor role: you build and review the most complex correlation searches and Risk-Based Alerting (RBA) logic, run the full Splunk Enterprise Security feature set (findings and intermediate findings, Risk Framework and Risk Factor Editor, Asset & Identity, and Threat Intelligence), and deliver custom integrations and automation across the security stack. You will create vendor-agnostic detections that remain effective across EDR, identity, NDR, email, and cloud platforms, mentor junior engineers, raise the bar in peer review, and act as the technical authority for the toughest cross-domain detection challenges. You will drive programs, not tickets.
Responsibilities
- Own the detection content lifecycle in Splunk Enterprise Security, design, SPL prototyping, validation, peer review, production deploy, tuning, and decommission.
- Architect and govern the Risk-Based Alerting program, risk signals, risk notables, findings and intermediate findings, risk factor design, asset and identity-aware risk modifiers, throttling and deduplication strategies, and aggregate-score notable thresholds combining risk score, distinct detection sources, and distinct MITRE ATT&CK techniques.
- Write, review, and optimize complex SPL, performance-conscious search design across accelerated data models, lookup and KV-store patterns, and REST-based content introspection.
- Engineer the Splunk CIM normalization layer across the security-relevant data models, building base searches, calculated fields, and custom CIM mappings for non-standard log sources.
- Design and operate the Asset & Identity framework, multiple authoritative data sources merged with priority-based logic, hostname normalization, time-bound IP-to-host resolution, and enrichment macros injected into every detection.
- Operationalize the Threat Intelligence Framework, consolidating IOC feeds into the native ES intel KV-store collections, configuring TAXII/STIX ingestion, integrating vulnerability intelligence and CVE data, and operationalizing IOC matching into the RBA model rather than as standalone notables.
- Develop custom integrations and automation across the security stack, bidirectional sync via REST APIs and HEC, custom Python connectors, modular inputs, and SOAR playbook authorship where automation is genuinely needed.
- Build cross-domain detection coverage, identity, endpoint, network, cloud, web, email, SaaS, vulnerability/exposure, and insider/data, mapped to MITRE ATT&CK techniques and sub-techniques.
- Onboard new log sources end-to-end when required, TA evaluation, custom extraction and parsing, CIM mapping, and ingest hardening, for the cases where new sources need to be added to the SIEM.
- Manage Splunk license capacity through index-time filtering and routing, eliminating low-value telemetry without compromising detection coverage.
- Build custom dashboards for the SOC integrated with detection workflows.
- Document and peer-review every detection, every shipped detection has a structured wiki page with logic, MITRE mapping, exclusions, known false positives, and changelog.
- Operate against tight delivery deadlines across multiple concurrent workstreams — translate requirements into deployable Splunk content under time pressure, coach Tier 1/2 analysts and Senior detection engineers, and serve as the named escalation point for the hardest cross-domain detection problems.
REQUIREMENTS
- 8+ years in security engineering, SOC/IR, or detection content development, including 5+ years’ operating Splunk Enterprise Security in production.
- Demonstrable mastery of SPL, performance-conscious search design, complex multi-value handling, lookup and KV-store patterns, and REST API introspection.
- Production experience with the full Splunk ES framework set: correlation searches, findings and intermediate findings, adaptive response, the Risk Framework and Risk Factor Editor, Asset & Identity Management, and Threat Intelligence Management.
- Senior-level Risk-Based Alerting practice, you have designed RBA from risk rules through risk notables, calibrated scoring across endpoint, identity, network, and cloud detection portfolios, and tuned aggregate scoring strategies.
- Splunk CIM fluency across the security-relevant data models, including building base searches, diagnosing acceleration drift, and writing custom CIM mappings for non-conforming sources.
- Hands-on detection engineering across all major security domains — identity, endpoint, network, cloud, web, email, SaaS, vulnerability/exposure, and insider/data, with MITRE ATT&CK mapping discipline.
- End-to-end log onboarding capability, TA evaluation, custom extraction and parsing, CIM mapping, and ingest hardening, for the cases where new sources need to be added to the SIEM.
- Custom integration and automation experience, REST APIs, HEC, modular inputs, and SOAR playbook/connector authorship in Python or equivalent.
- Threat intelligence operationalization experience, bringing commercial and open-source IOC feeds into a SIEM detection workflow with proper enrichment and risk-scoring integration.
- Strong scripting/automation in Python (or equivalent) for REST API automation and custom security tool integration.
- At least one current Splunk certification: Power User, Enterprise Security Certified Admin (legacy), Cybersecurity Defense Analyst (SPLK-5001), Cybersecurity Defense Engineer (SPLK-5002), or Enterprise Certified Architect.
- Comfortable working against tight delivery deadlines across multiple concurrent workstreams.
Quzara LLC is an Equal Employment/Affirmative Action employer. We do not discriminate in hiring based on sex, gender identity, sexual orientation, race, color, religious creed, national origin, physical or mental disability, protected Veteran status, or any other characteristic protected by federal, state, or local law.