Threat detection engineer - splunk developer

Euroclear
Published 10 February
Job description

Division: Chief Information Security Office (CISO)

As a global critical financial infrastructure, the protection of Euroclear information and assets is fundamental to the company's business. Information Security is at the core of our services, firmly embedded in the management systems and processes of the company. You will be joining our Chief Information Security Office, which is in charge of putting in place the controls required to adequately and effectively protect our information assets.

Your role

In your role as Threat Detection & Response Engineering Splunk Developer, you are responsible for the development and maintenance of correlation searches and dashboards on the SIEM (Splunk ES) platform.

You will report to the Manager of Detection & Response Engineering and will work jointly with threat intelligence, design, engineering and response teams, to gather and define requirements, specify clear priorities, evaluate technical trade-offs, and build and maintain threat detection capabilities.

The Detection & Response Engineering team consists of:

1. Detection/Security Engineers – who implement and maintain threat detections.
2. SOAR Engineers – who develop responses such as playbooks, automations etc.

Your responsibilities & duties

1. Collaborate with key stakeholders (Threat Intelligence, SOC, engineering teams) to gather requirements and translate threat scenarios into actionable detection use cases.
2. Design, develop, tune, and continuously improve Splunk ES correlation searches aligned with MITRE ATT&CK techniques and Euroclear threat models.
3. Validate detections through structured testing, evidence collection, and adversary simulation tooling, refining logic based on test results and behavioral accuracy.
4. Perform false-positive analysis, baseline creation, and high-fidelity tuning to maintain actionable and reliable detection signals.
5. Maintain clear, structured documentation for detection logic, testing procedures, ATT&CK mapping, and operational deployment guidelines.
6. Conduct coverage gap assessments, maintain the detection inventory, and contribute to ATT&CK-based coverage reporting and maturity tracking.
7. Perform peer reviews of detection content to ensure quality, consistency, and adherence to detection engineering standards.
8. Implement and optimize Splunk ES features such as correlation search patterns, notable events, and risk-based alerting (RBA).
9. Work closely with the log onboarding team to ensure high-quality telemetry, correct field extractions, CIM compliance, and accurate Data Model mapping.
10. Identify and implement improvements to detection workflows, telemetry quality, and the overall detection engineering lifecycle.

Required qualifications

1. Proven expertise across the full SIEM detection engineering lifecycle, including hypothesis-driven detection design, structured testing, validation, false-positive reduction, operational deployment, and continuous refinement.
2. In-depth knowledge of key security telemetry sources, including Windows Event Logs, Sysmon, Linux audit logs, firewall and proxy logs, cloud security logs, and EDR telemetry.
3. Advanced SPL proficiency with a deep understanding of the Splunk Common Information Model (CIM), Data Models, and performance optimization (search acceleration, summary indexing, Data Model acceleration).
4. Experience applying the MITRE ATT&CK framework for behavior-based detection design, threat mapping, and coverage analysis.
5. Hands-on experience with data onboarding quality assurance, including field extraction verification, CIM compliance testing, sample-based validation, and ensuring schema correctness across log sources.
6. Ability to work with deeply nested JSON telemetry and complex field structures.
7. Strong foundational understanding of network, endpoint, and cloud security concepts relevant to detection engineering.
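Taken together, the responsibilities and qualifications above describe one loop: a correlation search mapped to ATT&CK, a CIM-normalised view of raw telemetry that the search depends on, risk-based alerting on top of the matches, and sample-based validation against both attack-like and baseline events before anything is deployed. The following is an added example of that loop expressed as detection-as-code; it is not Euroclear's or Splunk's own content. The SPL string, the `Detection` class, the regex, the RBA threshold of 100 and every event in `SAMPLE_EVENTS` are assumptions constructed for illustration, and the field names follow the CIM `Endpoint.Processes` data model.

```python
"""Added example: one correlation rule kept as detection-as-code and validated
offline against constructed Sysmon telemetry. The SPL is illustrative, the
threshold and scores are assumptions, and every event below is hand-built."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    name: str
    attack_ids: tuple      # MITRE ATT&CK technique IDs the rule is mapped to
    spl: str               # correlation search as it would ship to Splunk ES
    risk_object: str       # CIM field used as the RBA risk object
    risk_score: int        # risk added to that object per matching event


# Encoded-command flag followed by a base64 blob. Anchoring on the blob keeps
# "-Encoding UTF8" and "-ExecutionPolicy Bypass" out of the match set, which a
# loose "*-e*" wildcard would not (a common false-positive source when tuning).
ENC_FLAG = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}

ENCODED_PS_FROM_OFFICE = Detection(
    name="Encoded PowerShell spawned by an Office application",
    attack_ids=("T1059.001", "T1204.002"),
    spl=(
        "| tstats summariesonly=true count min(_time) as firstTime "
        "max(_time) as lastTime from datamodel=Endpoint.Processes "
        'where Processes.parent_process_name IN ("winword.exe","excel.exe","outlook.exe") '
        'Processes.process_name="powershell.exe" '
        "by Processes.dest Processes.user Processes.parent_process_name Processes.process "
        "| rename Processes.* as * "
        '| regex process="' + ENC_FLAG.pattern + '"'
    ),
    risk_object="dest",
    risk_score=50,
)


def to_cim(raw: dict) -> dict:
    """Flatten a nested Sysmon EventCode 1 record onto the CIM fields the
    search depends on; this is what correct field extraction has to produce."""
    system, data = raw["Event"]["System"], raw["Event"]["EventData"]
    return {
        "dest": system["Computer"],
        "user": data.get("User", ""),
        "process_name": data["Image"].rsplit("\\", 1)[-1],
        "parent_process_name": data["ParentImage"].rsplit("\\", 1)[-1],
        "process": data["CommandLine"],
    }


def matches(event: dict) -> bool:
    """Python mirror of the SPL predicate, so the logic can be unit-tested
    before it is deployed as a correlation search."""
    return (event["parent_process_name"].lower() in OFFICE_PARENTS
            and event["process_name"].lower() == "powershell.exe"
            and ENC_FLAG.search(event["process"]) is not None)


def run_detection(det: Detection, raw_events: list, threshold: int = 100):
    """Apply the rule, accumulate RBA risk per risk object and return
    (risk_events, notables). A notable is raised only when an object's score
    reaches the threshold, so a single low-confidence hit does not page anyone."""
    risk, risk_events = {}, []
    for raw in raw_events:
        ev = to_cim(raw)
        if matches(ev):
            obj = ev[det.risk_object]
            risk[obj] = risk.get(obj, 0) + det.risk_score
            risk_events.append({"rule": det.name, "risk_object": obj,
                                "score": det.risk_score, "attack_ids": det.attack_ids})
    return risk_events, sorted(o for o, s in risk.items() if s >= threshold)


def sysmon_event(host, user, parent, image, cmdline):
    """Constructed Sysmon EventCode 1 record in the nested XML-to-JSON shape."""
    return {"Event": {"System": {"EventID": 1, "Computer": host},
                      "EventData": {"User": user, "ParentImage": parent,
                                    "Image": image, "CommandLine": cmdline}}}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
BLOB = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"   # constructed base64 stand-in

SAMPLE_EVENTS = [
    # two macro-launched encoded runs on one host: reaches the RBA threshold
    sysmon_event("WS-0042", r"CORP\jdoe", WORD, PS, f"powershell.exe -nop -w hidden -enc {BLOB}"),
    sysmon_event("WS-0042", r"CORP\jdoe", WORD, PS, f"powershell.exe -ec {BLOB}"),
    # single hit elsewhere: risk is recorded, no notable yet
    sysmon_event("WS-0117", r"CORP\asmith", EXCEL, PS, f"powershell.exe -EncodedCommand {BLOB}"),
    # baseline activity that a loose "*-e*" match would have flagged
    sysmon_event("WS-0300", r"CORP\svc-docs", WORD, PS,
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\template-sync.ps1"),
    sysmon_event("WS-0117", r"CORP\asmith", r"C:\Windows\explorer.exe", PS,
                 r"powershell.exe -File C:\Scripts\inventory.ps1"),
    # encoded PowerShell from cmd.exe: outside this rule's scope, a gap for another rule
    sysmon_event("WS-0200", r"CORP\bwong", r"C:\Windows\System32\cmd.exe", PS, f"powershell.exe -enc {BLOB}"),
]

if __name__ == "__main__":
    events, notables = run_detection(ENCODED_PS_FROM_OFFICE, SAMPLE_EVENTS)
    print(f"{len(events)} risk events; notables raised for: {notables}")
```

Running the file reports three risk events and one notable, for `WS-0042`. The `cmd.exe` event is deliberately left unmatched so that the sample set also documents a coverage gap the inventory would have to record against a separate rule, and the two baseline events show why the encoded-command regex is anchored on the base64 argument rather than on the `-e` prefix alone.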

Will be considered an asset

1. Splunk certifications such as Splunk Core Certified Power User, Splunk Certified Developer, Splunk Enterprise Certified Admin, Splunk Enterprise Security Certified Admin
2. Any other security certifications (GIAC GCDA (Detection & Analysis), GIAC GMON (Monitoring & SIEM), threat hunting-oriented certifications)
3. Familiarity with Git-based version control and CI/CD pipelines supporting detection-as-code workflows.
4. Experience with adversary simulation and automated detection validation tools (e.g., Atomic Red Team, Splunk Attack Range, MITRE CALDERA, AttackIQ).
5. Exposure to purple teaming, threat hunting, or attack path analysis.

Soft Skills

1. Excellent English communication skills (written and oral), with the ability to clearly articulate complex technical concepts to both technical and non-technical audiences.
2. Strong analytical and critical-thinking abilities, capable of breaking down complex problems and identifying systematic, high-quality solutions under time pressure.
3. Structured problem-solving approach applied to troubleshooting, validation, and continuous improvement of detection logic.
4. Collaborative and open-minded mindset, able to work effectively with SOC, Threat Intelligence, engineering, and platform teams.
5. High level of autonomy, with the ability to manage priorities and deliver well-engineered detections within agreed timelines.
6. Fast and independent learner with a strong drive for self-improvement and staying current with evolving threats and detection techniques.
7. Strong attention to detail, ensuring accuracy in detection logic, documentation, and validation activities.
8. Solid documentation and workflow discipline, supporting consistent, repeatable, and high-quality detection engineering processes.
9. Adaptable and pragmatic, comfortable working in fast-changing environments and handling ambiguity in telemetry or threat scenarios.


ABOUT US

Why Join Us

Embark on your new adventure at Euroclear, and work at the heart of the global capital markets. We connect over 2,000 financial institutions across the globe. As an open and resilient infrastructure, we contribute to the stability of the financial markets. We help clients cut through complexity, lower costs, and mitigate risks of financial transactions. At Euroclear, we have a clear ambition to use our key role to facilitate and accelerate a sustainable global financial system.

What We Offer

1. Work closely with inspiring, supportive, and engaged colleagues from more than 80 different countries
2. Practice your talents in a highly professional international environment
3. Join a learning and development environment with an emphasis on knowledge sharing and training
4. Competitive salary and comprehensive benefits

New Ways of Working

Find your own optimal balance within our hybrid working model, where you can connect at the office and at the same time benefit from remote working.

Great Place to Work for All

We are committed to creating an inclusive culture that celebrates diversity and strives to be a Great Place to Work for All. All qualified applicants will be considered for employment, regardless of any aspect that makes them unique (including race, religion, national origin, gender, sexual orientation, age, marital status, pregnancy, disability, etc.). If you need any specific accommodation due to disability or any other reason, you can let the recruiter know during your application process.

About the team

The Cyber Defence Centre provides continuous identification, monitoring and response to threats to the Euroclear infrastructure, applications and data. It is designed as the last line of defence for the organisation, in the event that actors, both internal and external, have penetrated our preventative cyber controls with malicious intent.
