
Splunk Administrator
Cherokee Federal
Full-time
Posted on:
Location Type: Remote
Location: Virginia • United States
Salary
💰 $145,000 - $150,000 per year
About the role
- Design, develop, deploy, and maintain Splunk SOAR (Phantom) playbooks, apps, and integrations with secure, scalable configurations.
- Integrate Splunk ES correlation searches and notable events into automated triage, enrichment, containment, and ServiceNow IR workflows using CIM-compliant data pipelines.
- Build AWS-focused automations leveraging GuardDuty, CloudTrail, Security Hub, VPC Flow Logs, IAM, EC2, S3, and asset tagging for enrichment and response.
- Implement response actions such as EC2 isolation, S3 access controls, EBS snapshots for forensics, IAM key rotation or revocation, MFA enforcement, and Security Hub updates, with human-in-the-loop approvals and rollback procedures.
- Orchestrate endpoint and identity response by integrating EDR tools for host containment, IOC blocking, and remote response actions.
- Integrate ServiceNow IR to auto-create and manage incidents, enrich tickets with cloud and CI context, track SLAs, manage approvals, and attach playbook evidence.
- Optimize SOAR operations by tuning triggers, deduplicating events, reducing latency, standardizing reusable Python modules, and maintaining version control and documentation.
- Collaborate with SOC, IR, and cloud teams to translate runbooks (e.g., phishing, malware, IAM abuse, EC2 compromise) into reliable, measurable automations.
- Measure and report automation outcomes including MTTR reduction, auto-resolution rates, and SLA performance; support audits with control mapping and POA&M updates.
- Maintain governance through RBAC, secrets handling, logging, change control, and safe-response guardrails.
- Perform other job-related duties as assigned.
Requirements
- 5+ years in SOC/IR or security engineering, including 3+ years with Splunk SOAR (Phantom) and Splunk ES.
- Hands-on AWS automation experience (GuardDuty, CloudTrail, Security Hub, IAM, EC2, S3, VPC Flow Logs).
- Proven ServiceNow Incident Response integration experience.
- Experience integrating EDR APIs and chaining endpoint, identity, and cloud actions.
- Proficiency in Python, AWS Boto3, Splunk/Phantom SDKs, and REST APIs.
- Strong knowledge of MITRE ATT&CK, CVE/CVSS, CISA KEV, and risk-based automation.
- Experience aligning operations with FISMA/NIST RMF, FedRAMP, and CMMC.
- Relevant certifications (Splunk, AWS, Security+, CySA+, CISSP, GCDA/GCSA) preferred.
- Experience with AWS Organizations, cross-account automation, and multi-region playbooks preferred.
- Knowledge of ServiceNow flows, IR customization, and change management integrations preferred.
- Must pass pre-employment qualifications of Cherokee Federal.
Applicant Tracking System Keywords
Tip: use these terms in your resume and cover letter to boost ATS matches.
Hard Skills & Tools
Splunk SOAR, Splunk ES, AWS automation, Python, AWS Boto3, REST APIs, EDR integration, CIM-compliant data pipelines, incident response automation, risk-based automation
Soft Skills
collaboration, communication, problem-solving, documentation, measurable outcomes reporting
Certifications
Splunk, AWS, Security+, CySA+, CISSP, GCDA, GCSA