SOAR Engineer

About The Position

Requirements

• 7+ years in security engineering, SOC/IR, or platform engineering, including 4+ years designing and operating Splunk Enterprise and Splunk ES in production.
• 3+ years hands-on with Splunk SOAR (Phantom) and automation of ES notables and ServiceNow IR workflows.
• Strong AWS experience: GuardDuty, CloudTrail, Security Hub, IAM, EC2, S3, VPC Flow Logs; cross-account and multi-region preferred.
• Proven ServiceNow Incident Response integration experience.
• Proficiency in SPL, Python, AWS Boto3, Splunk/Phantom SDKs, REST APIs, and Git-based version control.
• Deep knowledge of CIM, data model accelerations, index/retention strategy, and search performance tuning.
• Strong grasp of MITRE ATT&CK, CVE/CVSS, CISA KEV, and risk-based detection and automation.
• Experience aligning operations with FISMA/NIST RMF, FedRAMP, and CMMC; evidence generation and audit support.
• Must pass pre-employment qualifications of Cherokee Federal.

Nice To Haves

• Splunk certifications (Core Certified Power User/Admin/Architect, ES Admin), AWS certifications, Security+, CySA+, CISSP, GCDA/GCSA.
• Experience with Splunk SHC, DS/Deployer, KVstore management, ES content management at scale, AWS Organizations, and ServiceNow IR customization/change management integrations.

Responsibilities

• Design, deploy, and maintain Splunk Enterprise, indexers, search heads (including SHC), cluster master/CM, deployment server/Deployer, forwarders, and KV stores across on‑prem and AWS.
• Engineer scalable data onboarding pipelines, parsing, and indexing with props/transforms, HEC, UF/HF, and S3/SQS/SNS-based ingestion.
• Enforce RBAC, data retention, index strategy, knowledge object governance, and change control aligned to federal compliance.
• Optimize search performance, data model accelerations, KV store usage, and ES notable event throughput and latency.
• Develop and tune ES correlation searches, risk-based alerting (RBA), and adaptive response actions mapped to MITRE ATT&CK.
• Build dashboards, investigations, and notable event workflows that reduce false positives and drive analyst efficiency.
• Maintain CIM-compliant data models; lead normalization and data quality initiatives across cloud, endpoint, identity, and network sources.
• Measure and report detection and response efficacy (MTTR, precision/recall, RBA risk scores, SLA adherence).
• Engineer Splunk SOAR (Phantom) playbooks and apps with secure, scalable configurations to triage, enrich, and contain threats.
• Integrate ES notables with automated triage and ServiceNow IR for incident creation, enrichment, SLA tracking, approvals, and evidence attachments.
• Build AWS-focused detection and response: GuardDuty, CloudTrail, Security Hub, VPC Flow Logs, IAM, EC2, S3; implement safe actions (e.g., EC2 isolation, S3 access updates, EBS snapshots, IAM key rotation/MFA enforcement, Security Hub updates) with human-in-the-loop approvals and rollback.
• Integrate EDR and identity platforms for host containment, IOC blocking, and remote response via APIs.
• Lead Splunk deployments in AWS including scalability, multi-account/multi-region ingestion, and cross-account automation via Boto3 and native services.
• Standardize reusable Python modules, SDK usage, and CI/CD practices for app/deployment packaging and version control.
• Map controls to FISMA/NIST RMF, FedRAMP, and CMMC; maintain audit-ready evidence through logging, approval trails, and configuration baselines.
• Drive POA&M updates, control validations, and continuous monitoring dashboards.
• Champion secrets management, least privilege, and safe-response guardrails in all platform and automation changes.
• Translate SOC/IR runbooks (phishing, malware, IAM abuse, EC2 compromise) into reliable detections and automations.
• Mentor junior engineers and analysts on SPL, ES content development, CIM, and SOAR playbooks.
• Partner with stakeholders to prioritize use cases and deliver quantifiable outcomes.
• Other duties as assigned.

Benefits

• Medical
• Dental
• Vision
• 401K
• other possible benefits