Cherokee Federal

Senior Splunk Engineer

Cherokee Federal

full-time

Posted on:

Location Type: Remote

Location: VirginiaUnited States

Visit company website

Explore more

AI Apply
Apply

Job Level

Senior

Tech Stack

AWSCloudEC2PythonServiceNowSplunk

About the role

  • Design, deploy, and maintain Splunk Enterprise, indexers, search heads (including SHC), cluster master/CM, deployment server/Deployer, forwarders, and KV stores across on‑prem and AWS.
  • Engineer scalable data onboarding pipelines, parsing, and indexing with props/transforms, HEC, UF/HF, and S3/SQS/SNS-based ingestion.
  • Enforce RBAC, data retention, index strategy, knowledge object governance, and change control aligned to federal compliance.
  • Optimize search performance, data model accelerations, KV store usage, and ES notable event throughput and latency.
  • Develop and tune ES correlation searches, risk-based alerting (RBA), and adaptive response actions mapped to MITRE ATT&CK.
  • Build dashboards, investigations, and notable event workflows that reduce false positives and drive analyst efficiency.
  • Maintain CIM-compliant data models; lead normalization and data quality initiatives across cloud, endpoint, identity, and network sources.
  • Measure and report detection and response efficacy (MTTR, precision/recall, RBA risk scores, SLA adherence).
  • Engineer Splunk SOAR (Phantom) playbooks and apps with secure, scalable configurations to triage, enrich, and contain threats.
  • Integrate ES notables with automated triage and ServiceNow IR for incident creation, enrichment, SLA tracking, approvals, and evidence attachments.
  • Build AWS-focused detection and response: GuardDuty, CloudTrail, Security Hub, VPC Flow Logs, IAM, EC2, S3; implement safe actions (e.g., EC2 isolation, S3 access updates, EBS snapshots, IAM key rotation/MFA enforcement, Security Hub updates) with human-in-the-loop approvals and rollback.
  • Integrate EDR and identity platforms for host containment, IOC blocking, and remote response via APIs.
  • Lead Splunk deployments in AWS including scalability, multi-account/multi-region ingestion, and cross-account automation via Boto3 and native services.
  • Standardize reusable Python modules, SDK usage, and CI/CD practices for app/deployment packaging and version control.
  • Map controls to FISMA/NIST RMF, FedRAMP, and CMMC; maintain audit-ready evidence through logging, approval trails, and configuration baselines.
  • Drive POA&M updates, control validations, and continuous monitoring dashboards.
  • Champion secrets management, least privilege, and safe-response guardrails in all platform and automation changes.
  • Translate SOC/IR runbooks (phishing, malware, IAM abuse, EC2 compromise) into reliable detections and automations.
  • Mentor junior engineers and analysts on SPL, ES content development, CIM, and SOAR playbooks.
  • Partner with stakeholders to prioritize use cases and deliver quantifiable outcomes.
  • Other duties as assigned.

Requirements

  • 7+ years in security engineering, SOC/IR, or platform engineering, including 4+ years designing and operating Splunk Enterprise and Splunk ES in production.
  • 3+ years hands-on with Splunk SOAR (Phantom) and automation of ES notables and ServiceNow IR workflows.
  • Strong AWS experience: GuardDuty, CloudTrail, Security Hub, IAM, EC2, S3, VPC Flow Logs; cross-account and multi-region preferred.
  • Proven ServiceNow Incident Response integration experience.
  • Proficiency in SPL, Python, AWS Boto3, Splunk/Phantom SDKs, REST APIs, and Git-based version control.
  • Deep knowledge of CIM, data model accelerations, index/retention strategy, and search performance tuning.
  • Strong grasp of MITRE ATT&CK, CVE/CVSS, CISA KEV, and risk-based detection and automation.
  • Experience aligning operations with FISMA/NIST RMF, FedRAMP, and CMMC; evidence generation and audit support.
  • Preferred: Splunk certifications (Core Certified Power User/Admin/Architect, ES Admin), AWS certifications, Security+, CySA+, CISSP, GCDA/GCSA.
  • Preferred: Experience with Splunk SHC, DS/Deployer, KVstore management, ES content management at scale, AWS Organizations, and ServiceNow IR customization/change management integrations.
  • Must pass pre-employment qualifications of Cherokee Federal.
Benefits
  • Medical
  • Dental
  • Vision
  • 401K
  • Other possible benefits. Benefits may change with or without notice.
Applicant Tracking System Keywords

Tip: use these terms in your resume and cover letter to boost ATS matches.

Hard Skills & Tools
Splunk EnterpriseSplunk ESSplunk SOARSPLPythonAWS Boto3REST APIsGitdata model accelerationsrisk-based detection
Soft Skills
mentoringstakeholder collaborationautomationincident responsechange management
Certifications
Splunk Core Certified Power UserSplunk AdminSplunk ArchitectSplunk ES AdminAWS certificationsSecurity+CySA+CISSPGCDAGCSA