SIEM Content Developer, VP

About The Position

Requirements

• 6–10 years of progressive experience in information security, with deep focus on SIEM and detection engineering.
• Expert-level experience with Splunk Enterprise and Splunk Enterprise Security.
• Advanced SPL development.
• Correlation searches and alert tuning.
• Dashboards, reports, and data models.
• Detection performance and content optimization.
• Proven experience building advanced threat detection use cases, including insider threat, malware, APTs, and cloud security.
• Strong understanding of security frameworks, adversary tactics, and detection mapping (MITRE ATT&CK, NIST).
• Hands-on experience supporting Splunk administration and data onboarding in a security context.
• Strong analytical, problem‑solving, and communication skills.
• Demonstrated ability to influence stakeholders and manage cross‑functional relationships.
• Proficiency with Microsoft Office tools.

Nice To Haves

• Scripting experience (e.g., Python) for automation, enrichment, or API integrations is a strong plus.
• Splunk certifications (Enterprise Admin, ES Certified Admin) preferred but not required.

Responsibilities

• Lead the design, development, testing, deployment, tuning, and optimization of advanced SIEM content within Splunk Enterprise Security.
• Develop and maintain correlation rules, alerts, dashboards, and reports that proactively identify and prioritize security threats for SOC investigation and response.
• Translate threat intelligence, incident response playbooks, and common attack techniques into robust Splunk ES use cases aligned to frameworks such as MITRE ATT&CK and NIST.
• Identify and remediate false positives, false negatives, logic gaps, data dependencies, and other quality issues in SIEM content.
• Analyze and enhance SPL queries, detection logic, enrichment logic, macros, lookups, and supporting artifacts to improve accuracy, reliability, and maintainability.
• Perform root-cause analysis of detection gaps and alert fidelity issues, assess risk, and implement corrective actions.
• Optimize data onboarding, parsing, normalization, event processing, data models, and data quality to ensure effective security monitoring.
• Support Splunk administration activities (e.g., app configuration, performance tuning) as needed to enable detection engineering objectives.
• Identify opportunities to automate and standardize detection engineering workflows, content lifecycle management, and security controls.
• Review and validate automated testing results, prioritizing remediation based on risk, detection coverage, and operational impact.
• Partner with security operations, engineering, and business stakeholders to deliver secure, scalable detection solutions.
• Assess and manage risk in alignment with regulatory expectations, Citi policies, and ethical standards.
• Escalate and report control issues transparently while safeguarding Citi, its clients, and assets.

Benefits

• medical, dental & vision coverage
• 401(k)
• life, accident, and disability insurance
• wellness programs
• paid time off packages, including planned time off (vacation), unplanned time off (sick leave), and paid holidays