Splunk Developer – Banking – Belgium/Hybrid
Daily rate: €600 - €800
Duration: 6 – 12 months
Location: Brussels
Start: Now
Hybrid: 8 days per month in office
My new client is looking for Splunk Developer to join the team on a freelance basis. Be responsible for the development and maintenance of correlation searches and dashboards on the SIEM (Splunk ES) platform. Collaborate with the Manager of Detection & Response Engineering and will work jointly with threat intelligence, design, engineering and response teams, to gather and define requirements, specify clear priorities, evaluate technical trade-offs, and build and maintain threat detection capabilities.
The Detection & Response Engineering team is comprised of:
* Detection/Security Engineers – who implement and maintain threat detections.
* SOAR Engineers – who develop responses such as playbooks, automations etc.
Responsibilities and duties:
* Collaborate with key stakeholders (Threat Intelligence, SOC, engineering teams) to gather requirements and translate threat scenarios into actionable detection use cases.
* Design, develop, tune, and continuously improve Splunk ES correlation searches aligned with MITRE ATT&CK techniques and internal threat models, while enhancing detection workflows and telemetry quality as part of the ongoing detection engineering lifecycle.
* Validate and refine detections through structured testing, adversary simulation, evidence collection, peer review, false‐positive analysis, baseline creation, and high‐fidelity tuning to ensure accurate and reliable detection logic
* Maintain clear, structured documentation for detection logic, testing procedures, ATT&CK mapping, and operational deployment guidelines.
* Conduct coverage gap assessments, maintain the detection inventory, and contribute to ATT&CK‐based coverage reporting and maturity tracking.
* Implement and optimize Splunk ES features such as correlation search patterns, notable events, and risk‐based alerting (RBA).
* Work closely with the log onboarding team to ensure high‐quality telemetry, correct field extractions, CIM compliance, and accurate Data Model mapping, including contributing to log parsing, regex-based field extraction validation, and event normalization quality checks.
* Define and maintain the alert schema required for downstream automation (XSOAR)
* Participate in Agile delivery practices, contributing to backlog refinement, sprint planning, and iterative delivery of threat detection capabilities.
Your qualifications required:
* Proven expertise across the full SIEM detection engineering lifecycle, including hypothesis‐driven detection design, structured testing, validation, false‐positive reduction, operational deployment, and continuous refinement.
* In‐depth knowledge of key security telemetry sources, including Windows Event Logs, Sysmon, Linux audit logs, firewall and proxy logs, cloud security logs, and EDR telemetry.
* Advanced SPL proficiency with deep understanding of the Splunk Common Information Model (CIM), Data Models, and performance optimization (search acceleration, summary indexing, Data Model acceleration).
* Experience applying the MITRE ATT&CK framework for behaviour‐based detection design, threat mapping, and coverage analysis.
* Hands‐on experience with data onboarding quality assurance, including field extraction verification, CIM compliance testing, sample‐based validation, and ensuring schema correctness across log sources.
* Ability to work with deeply nested JSON telemetry and complex field structures.
* Proficiency with log parsing and field extraction techniques, including regex, event normalization, and verification of correct field mapping across diverse log sources.
* Experience using Git‐based version control (Azure DevOps), including branching, pull requests, peer reviews, and structured promotion workflows for YAML‐based detection rules
* Strong foundational understanding of network, endpoint, and cloud security concepts relevant to detection engineering.