
Splunk Security Engineer

Peraton
United States, Maryland, Annapolis Junction
Sep 12, 2025

Splunk Security Engineer
Job Locations: US-DC-Washington | US-MD-Annapolis Junction

Requisition ID: 2025-159760

Position Category: Cyber Security

Clearance: Top Secret/SCI



Responsibilities

As a Splunk Security Engineer, you will play a critical role in supporting the Security Operations Center (SOC) mission by maintaining, enhancing, and expanding the capabilities of the SIEM and other operational tools or platforms. This will include, but may not be limited to, tasks supporting content management, security orchestration development, signature development, and analytics creation.

As a Splunk Security Engineer, you will work on the Cybersecurity engineering team responsible for facilitating operational efficiency, stakeholder coordination, and mission-aligned cybersecurity initiatives. This position enhances SOC effectiveness by bridging technical operations, mission support, and strategic objectives, ensuring seamless delivery of security services. In this role, a typical day will include:

  • Lead the development and maintenance of custom dashboards for detections, correlations, and performance metrics.
  • Lead the creation of custom automation workflows and playbooks using platforms (e.g., Splunk SOAR, Palo Alto Cortex XSOAR) to streamline incident response, threat detection, and remediation processes based on organizational needs.
  • Onboard log sources from various systems (Windows, Linux, network appliances, cloud services) to ensure full visibility and compliance.
  • Continuously monitor, update, and optimize existing automations to adapt to evolving threats, improve efficiency, and reduce false positives, incorporating feedback from SOC teams.
  • Produce comprehensive documentation, including playbook designs, integration details, diagrams, and user guides, to support SOC operations and facilitate knowledge transfer.
  • Research and adopt emerging automation technologies, threat intelligence, and best practices to enhance IoC detections, signature creation, SOAR capabilities and support proactive threat mitigation.
  • Develop, maintain, and execute automated SOAR playbooks that interact across systems and devices.
  • Analyze log events, correlate data across multiple sources, and enhance threat detection and response workflows.
  • Using SOAR connectors, design integrations between Splunk SOAR and standard DoD products such as Trellix ePO, Tanium, Cisco (FirePower, ISE, Email Gateways, AMP, switches/routers), Palo Alto Firewalls, Microsoft Active Directory, DNS, Exchange, SharePoint, IIS, SQL, Apache, Tomcat, RSA SecurID, Tenable.sc and Nessus, VMware vCenter/ESXi, ServiceNow, Azure and AWS, NetApp, Windows, and Linux. Connectors may use APIs, tokens, or service accounts, so understanding these options is important.
  • Configure and manage Splunk Enterprise Security, including maintaining CIM compliance, Risk-Based Alerting (RBA), ticketing, and SIEM integrations.
  • Update and configure new Enterprise Security Content Updates when released.
  • Lead the full lifecycle of automation, from concept through deployment to documentation and tuning.
  • Build visual dashboards, reports, and context-aware incident response tools.
  • Identify threat actor tactics, techniques and procedures and develop countermeasures (such as custom signatures and correlation logic) to detect and/or mitigate adversary activity.
  • Support operational readiness, compliance, and proactive detection technologies across endpoint, cloud, network, and email infrastructures.
  • Maintain the existing fleet of development VMs (Windows, Linux), and create new ones, that allow you to test and demonstrate playbook functionality.
  • Fully test and document playbook execution in the development environment, and be authoritative on presenting playbook examples to new teams targeted for integration.
  • Review intelligence reports and provide a daily cyber assessment on the impact to networks.
  • Recognize and codify attacker tools, tactics, and procedures (TTPs) in indicators of compromise (IOCs) that can be applied to current and future investigations.


Qualifications

Required:

  • Requires an active Top Secret clearance with SCI eligibility.
  • 5 years with BS/BA; or 4 years of relevant experience in lieu of degree.
  • 4 years' experience with Splunk Enterprise Security: playbook development, troubleshooting, and integrations.
  • 4 years' experience with Splunk SOAR/Phantom: playbook development, troubleshooting, and integrations.
  • Experience with Cisco FirePower IDS/IPS and other Cisco security products.
  • Experience with security solutions such as C2C, IAM, NDR, EDR/XDR, and SIEM.
  • Hands-on experience in designing and implementing enterprise security solutions, including all related documentation.
  • Experience in scripting (e.g., Python, PowerShell), APIs, and security tools.
  • Create a new fleet of development VMs (Windows, Linux) that allow you to test and demonstrate playbook functionality.
  • Fully test and document playbook execution in the development environment, and be authoritative on presenting playbook examples to new teams targeted for integration.
  • Deep expertise in Splunk administration, security event analysis, and Python-based automation.
  • Strong working knowledge of cross-platform integrations and security tool APIs.
  • DoD IAT Level III certification required (SecurityX, CISSP, GCIH, CISA, etc.).
  • Splunk Enterprise Security Administrator.

Desired:

  • Splunk SOAR/Phantom Certified Administrator.


Peraton Overview

Peraton is a next-generation national security company that drives missions of consequence spanning the globe and extending to the farthest reaches of the galaxy. As the world's leading mission capability integrator and transformative enterprise IT provider, we deliver trusted, highly differentiated solutions and technologies to protect our nation and allies. Peraton operates at the critical nexus between traditional and nontraditional threats across all domains: land, sea, space, air, and cyberspace. The company serves as a valued partner to essential government agencies and supports every branch of the U.S. armed forces. Each day, our employees do the can't be done by solving the most daunting challenges facing our customers. Visit peraton.com to learn how we're keeping people around the world safe and secure.



Target Salary Range

$112,000 - $179,000. This represents the typical salary range for this position. Salary is determined by various factors, including but not limited to, the scope and responsibilities of the position, the individual's experience, education, knowledge, skills, and competencies, as well as geographic location and business and contract considerations. Depending on the position, employees may be eligible for overtime, shift differential, and a discretionary bonus in addition to base pay.


EEO

EEO: Equal opportunity employer, including disability and protected veterans, or other characteristics protected by law.