We are seeking a highly technical Splunk Enterprise Security (ES) Engineer who possesses strong hands-on expertise in both Splunk Enterprise and Splunk Enterprise Security (ES).
This role is ideal for candidates who have experience managing enterprise-scale Splunk environments and developing SIEM capabilities that support Security Operations Centre (SOC) teams. The successful candidate will act as the technical owner of the Splunk platform, driving platform stability, data quality, detection engineering, and continuous security monitoring improvements.
1.Splunk Enterprise Security Platform Ownership
- Own and manage the Splunk Enterprise Security platform, ensuring availability, performance, and scalability.
-
-
- Configure and maintain ES components including:
- Correlation searches
- Risk‑Based Alerting (RBA)
- Notable events
- Adaptive Response Actions
- Dashboards and KPIs
- Perform regular health checks and optimisation of Splunk ES and core Splunk infrastructure.
-
2. Data Onboarding & Normalisation
- Lead onboarding of security‑relevant data sources (e.g. firewalls, EDR, IAM, servers, cloud platforms, applications).
- Ensure data quality, timestamp accuracy, CIM compliance, and consistent field extractions.
- Troubleshoot ingestion, parsing, and indexing issues in collaboration with infrastructure and application teams.
3. Detection Engineering & Use Case Development
- Develop, customise, and tune detection use cases aligned with SOC requirements, including:
-
- Authentication attacks (brute force, credential abuse)
- Privileged account misuse
- Malware and endpoint threats
- Lateral movement and suspicious network activity
- Data exfiltration and policy violations
- Implement and mature Risk‑Based Alerting to reduce alert fatigue and improve signal‑to‑noise ratio.
- Continuously tune correlation searches based on false positives, analyst feedback, and threat intelligence.
-
4. SOC Enablement & Collaboration
- Work closely with SOC analysts to support:
-
- Alert triage
- Investigations
- Incident response workflows
-
- Translate SOC detection requirements into effective Splunk ES content.
- Provide guidance and training to SOC analysts on using Splunk ES for investigations.
5. Automation & Integrations
- Implement automation and enrichment using:
-
- Splunk ES Adaptive Response
- SOAR or scripting where applicable
-
- Integrate Splunk ES with ITSM / ticketing tools and other security platforms.
- Enable threat intelligence enrichment and contextual data for alerts.
6. Reporting, Metrics & Governance
- Build and maintain dashboards for:
-
- SOC performance metrics (MTTD, MTTR, alert volumes)
- Detection coverage
- Risk scores and trends
-
- Support audit, compliance, and management reporting by providing evidence and documentation.
- Maintain documentation for data sources, use cases, and SOC workflows.
Education/Experience/Skills
Technical Skills
- Strong hands-on experience administering and supporting Splunk Enterprise and Splunk Enterprise Security (ES) in enterprise environments
- Proven expertise in deploying, configuring, maintaining, and troubleshooting Splunk infrastructure, including:
- Search Heads
- Indexers
- Heavy Forwarders
- Universal Forwarders
- Deployment Servers
- Clustered Splunk environment
- Experience performing Splunk platform upgrades, migrations, health checks, performance tuning, and capacity optimization.
- Strong understanding of Splunk core technologies, including:
- SPL (Search Processing Language
- Indexing and search optimization
- Data Models
- Common Information Model (CIM)
- Knowledge Objects (Lookups, Macros, Event Types, Tags, Calculated Fields)
- Hands-on experience with log collection, forwarding, and data onboarding from multiple technology domains, including security, infrastructure, application, cloud, and identity platforms.
- Strong troubleshooting skills across the full data pipeline, including data ingestion, parsing, field extractions, timestamping, normalization, indexing, and search performance issues.
- Experience developing and maintaining Splunk dashboards, reports, visualizations, and operational KPIs.
- Strong hands-on experience with Splunk Enterprise Security components, including:
- Correlation Searches
- Risk-Based Alerting (RBA)
- Notable Events
- Adaptive Response Actions
- Security Content Management
- Dashboards and Security Monitoring
- Experience onboarding and normalizing security data sources to CIM standards.
- Experience designing, developing, tuning, and maintaining SIEM detection use cases aligned to SOC requirements.
- Knowledge of network security, endpoint security, IAM, operating systems, cloud security, and threat detection methodologies.
Experience
- Minimum 3 years of hands-on experience with Splunk Enterprise, including platform administration, deployment, upgrades, troubleshooting, and operational support.
- Minimum 2 years of hands-on experience with Splunk Enterprise Security (ES) supporting enterprise security monitoring and detection engineering activities.
- Proven experience managing and supporting production Splunk environments, ensuring platform availability, performance, scalability, and reliability.
- Demonstrated experience onboarding and integrating security data sources into Splunk and Splunk Enterprise Security, including troubleshooting ingestion, parsing, normalization, and CIM compliance issues.
- Experience developing, customizing, and tuning SIEM detection content, including:
- Correlation Searches
- Risk-Based Alerting (RBA)
- Notable Events
- Threat Detection Use Cases
- Experience implementing detection use cases covering areas such as:
- Authentication attacks
- Privileged account misuse
- Endpoint and malware threats
- Suspicious network activity and lateral movement
- Data exfiltration and policy violations
- Experience working closely with SOC teams to improve threat detection capabilities, reduce false positives, and enhance the overall effectiveness of security monitoring.
- Experience supporting incident detection, investigation, and response activities through effective use of Splunk Enterprise Security.
- Experience conducting platform health checks, performance optimization, and continuous improvement of Splunk and Splunk ES environments.
- Experience collaborating with infrastructure, application, and security teams to resolve technical issues and onboard new log sources.
Nice to Have
• Splunk certifications (e.g. Splunk Core Certified Power User, Enterprise Security Certified Admin).
• Experience with SOAR platforms and security automation.
• Knowledge of MITRE ATT&CK framework and threat modelling.
• Experience operating SIEM in regulated or large enterprise environments.
Personal Attributes
• Strong analytical and problem-solving skills.
• Able to work collaboratively with SOC analysts and cross-functional teams.
• Proactive mindset with a focus on continuous improvement.
• Clear communicator, able to translate technical concepts to non-technical stakeholders.
• Willing to work in Cyberjaya, Selangor and able to travel if needed.
