Hiring: Detection Engineer – Splunk Enterprise Security | Cyber Threat Detection
Role:
Responsible for the development and maintenance of correlation searches and dashboards on the SIEM (Splunk ES) platform.
Collaborates with the Manager of Detection & Response Engineering and works jointly with the threat intelligence, design, engineering and response teams to gather and define requirements, set clear priorities, evaluate technical trade-offs, and build and maintain threat detection capabilities.
The Detection & Response Engineering team consists of:
- Detection/Security Engineers – who implement and maintain threat detections.
- SOAR Engineers – who develop responses such as playbooks, automations, etc.
Responsibilities and duties:
- Collaborate with key stakeholders (Threat Intelligence, SOC, engineering teams) to gather requirements and translate threat scenarios into actionable detection use cases.
- Design, develop, tune, and continuously improve Splunk ES correlation searches aligned with MITRE ATT&CK techniques and internal threat models, while enhancing detection workflows and telemetry quality as part of the ongoing detection engineering lifecycle.
- Validate and refine detections through structured testing, adversary simulation, evidence collection, peer review, false‑positive analysis, baseline creation, and high‑fidelity tuning to ensure accurate and reliable detection logic.
- Maintain clear, structured documentation for detection logic, testing procedures, ATT&CK mapping, and operational deployment guidelines.
- Conduct coverage gap assessments, maintain the detection inventory, and contribute to ATT&CK‑based coverage reporting and maturity tracking.
- Implement and optimize Splunk ES features such as correlation search patterns, notable events, and risk‑based alerting (RBA).
- Work closely with the log onboarding team to ensure high‑quality telemetry, correct field extractions, CIM compliance, and accurate Data Model mapping, including contributing to log parsing, regex-based field extraction validation, and event normalization quality checks.
- Define and maintain the alert schema required for downstream automation (XSOAR).
- Participate in Agile delivery practices, contributing to backlog refinement, sprint planning, and iterative delivery of threat detection capabilities.
Required qualifications:
- Proven expertise across the full SIEM detection engineering lifecycle, including hypothesis‑driven detection design, structured testing, validation, false‑positive reduction, operational deployment, and continuous refinement.
- In‑depth knowledge of key security telemetry sources, including Windows Event Logs, Sysmon, Linux audit logs, firewall and proxy logs, cloud security logs, and EDR telemetry.
- Advanced SPL proficiency with deep understanding of the Splunk Common Information Model (CIM), Data Models, and performance optimization (search acceleration, summary indexing, Data Model acceleration).
- Experience applying the MITRE ATT&CK framework for behaviour‑based detection design, threat mapping, and coverage analysis.
- Hands‑on experience with data onboarding quality assurance, including field extraction verification, CIM compliance testing, sample‑based validation, and ensuring schema correctness across log sources.
- Ability to work with deeply nested JSON telemetry and complex field structures.
- Proficiency with log parsing and field extraction techniques, including regex, event normalization, and verification of correct field mapping across diverse log sources.
- Experience using Git‑based version control (Azure DevOps), including branching, pull requests, peer reviews, and structured promotion workflows for YAML‑based detection rules.
- Strong foundational understanding of network, endpoint, and cloud security concepts relevant to detection engineering.
Considered an asset:
- Splunk certifications such as Splunk Core Certified Power User, Splunk Certified Developer, Splunk Enterprise Certified Admin, and Splunk Enterprise Security Certified Admin.
- Other security certifications, e.g. GIAC GCDA (Detection & Analysis), GIAC GMON (Monitoring & SIEM), or threat hunting–oriented certifications.
- Experience with adversary simulation and automated detection validation tools (e.g., Atomic Red Team, Splunk Attack Range, MITRE CALDERA, AttackIQ).
- Familiarity with CI/CD pipelines that support detection‑as‑code workflows, including automated transformation of YAML‑based detection rules into Splunk configuration files.
- Exposure to purple teaming, threat hunting, or attack path analysis.
Soft Skills
- Strong analytical and critical‑thinking abilities, applying a structured problem‑solving approach to detection troubleshooting, validation, and refinement.
- Excellent communication skills and a collaborative, open‑minded approach when working with SOC, Threat Intelligence, engineering, and platform teams.
- High level of autonomy, with a strong drive for continuous learning and curiosity about emerging threats, detection techniques, and attacker behaviours.
- Strong attention to detail and disciplined documentation practices, ensuring consistent, high‑quality detection engineering output.
- Adaptable and pragmatic, comfortable working in fast‑changing environments and handling ambiguity in telemetry or threat scenarios.
Join Harvey Nash and take your career to the next level!