Security engineer

Laeken
Harvey Nash
Published 12 March
Job description

Hiring: Detection Engineer – Splunk Enterprise Security | Cyber Threat Detection

Role:

Responsible for the development and maintenance of correlation searches and dashboards on the SIEM (Splunk ES) platform.

Reports to the Manager of Detection & Response Engineering and works jointly with the threat intelligence, design, engineering and response teams to gather and define requirements, set clear priorities, evaluate technical trade-offs, and build and maintain threat detection capabilities.

The Detection & Response Engineering team comprises:

* Detection/Security Engineers – who implement and maintain threat detections.
* SOAR Engineers – who develop responses such as playbooks and automations.

Responsibilities and duties:

* Collaborate with key stakeholders (Threat Intelligence, SOC, engineering teams) to gather requirements and translate threat scenarios into actionable detection use cases.
* Design, develop, tune, and continuously improve Splunk ES correlation searches aligned with MITRE ATT&CK techniques and internal threat models, while enhancing detection workflows and telemetry quality as part of the ongoing detection engineering lifecycle.
* Validate and refine detections through structured testing, adversary simulation, evidence collection, peer review, false‑positive analysis, baseline creation, and high‑fidelity tuning to ensure accurate and reliable detection logic.
* Maintain clear, structured documentation for detection logic, testing procedures, ATT&CK mapping, and operational deployment guidelines.
* Conduct coverage gap assessments, maintain the detection inventory, and contribute to ATT&CK‑based coverage reporting and maturity tracking.
* Implement and optimize Splunk ES features such as correlation search patterns, notable events, and risk‑based alerting (RBA).
* Work closely with the log onboarding team to ensure high‑quality telemetry, correct field extractions, CIM compliance, and accurate Data Model mapping, including contributing to log parsing, regex-based field extraction validation, and event normalization quality checks.
* Define and maintain the alert schema required for downstream automation (XSOAR).
* Participate in Agile delivery practices, contributing to backlog refinement, sprint planning, and iterative delivery of threat detection capabilities.

Required qualifications:

* Proven expertise across the full SIEM detection engineering lifecycle, including hypothesis‑driven detection design, structured testing, validation, false‑positive reduction, operational deployment, and continuous refinement.
* In‑depth knowledge of key security telemetry sources, including Windows Event Logs, Sysmon, Linux audit logs, firewall and proxy logs, cloud security logs, and EDR telemetry.
* Advanced SPL proficiency with deep understanding of the Splunk Common Information Model (CIM), Data Models, and performance optimization (search acceleration, summary indexing, Data Model acceleration).
* Experience applying the MITRE ATT&CK framework for behaviour‑based detection design, threat mapping, and coverage analysis.
* Hands‑on experience with data onboarding quality assurance, including field extraction verification, CIM compliance testing, sample‑based validation, and ensuring schema correctness across log sources.
* Ability to work with deeply nested JSON telemetry and complex field structures.
* Proficiency with log parsing and field extraction techniques, including regex, event normalization, and verification of correct field mapping across diverse log sources.
* Experience using Git‑based version control (Azure DevOps), including branching, pull requests, peer reviews, and structured promotion workflows for YAML‑based detection rules.
* Strong foundational understanding of network, endpoint, and cloud security concepts relevant to detection engineering.

Considered an asset:

* Splunk certifications such as Splunk Core Certified Power User, Splunk Certified Developer, Splunk Enterprise Certified Admin, and Splunk Enterprise Security Certified Admin.
* Any other security certifications (GIAC GCDA (Detection & Analysis), GIAC GMON (Monitoring & SIEM), threat hunting–oriented certifications).
* Experience with adversary simulation and automated detection validation tools (e.g., Atomic Red Team, Splunk Attack Range, MITRE CALDERA, AttackIQ).
* Familiarity with CI/CD pipelines that support detection‑as‑code workflows, including automated transformation of YAML‑based detection rules into Splunk configuration files.
* Exposure to purple teaming, threat hunting, or attack path analysis.

Soft skills:

* Strong analytical and critical‑thinking abilities, applying a structured problem‑solving approach to detection troubleshooting, validation, and refinement.
* Excellent communication skills and a collaborative, open‑minded approach when working with SOC, Threat Intelligence, engineering, and platform teams.
* High level of autonomy, with a strong drive for continuous learning and curiosity about emerging threats, detection techniques, and attacker behaviours.
* Strong attention to detail and disciplined documentation practices, ensuring consistent, high‑quality detection engineering output.
* Adaptable and pragmatic, comfortable working in fast‑changing environments and handling ambiguity in telemetry or threat scenarios.
