Principal Splunk Threat Detection & Integration Engineer

Principal Splunk Threat Detection & Integration Engineer

FULL TIME Professional Remote, US

Job Title: Principal Splunk-Threat Detection & Integration Engineer

Pay Type: SALARIED EXEMPT

Location: Remote

We are hiring a Principal Splunk Threat Detection & Integration Engineer to own the detection content lifecycle in Splunk. This is a senior individual‑contributor role: you build and review the most complex correlation searches and Risk‑Based Alerting (RBA) logic, run the full Splunk Enterprise Security feature set (findings and intermediate findings, Risk Framework and Risk Factor Editor, Asset & Identity, and Threat Intelligence), and deliver custom integrations and automation across the security stack.

You will create vendor‑agnostic detections that remain effective across EDR, identity, NDR, email, and cloud platforms, mentor junior engineers, raise the bar in peer review, and act as the technical authority for the toughest cross‑domain detection challenges. You will drive programs, not tickets.

• Own the detection content lifecycle in Splunk Enterprise Security — design, SPL prototyping, validation, peer review, production deploy, tuning, and decommission.
• Architect and govern the Risk‑Based Alerting program — risk signals, risk notables, findings and intermediate findings, risk factor design, asset and identity‑aware risk modifiers, throttling and deduplication strategies, and aggregate‑score notable thresholds combining risk score, distinct detection sources, and distinct MITRE ATT&CK techniques.
• Write, review, and optimize complex SPL — performance‑conscious search design across accelerated data models, lookup and KV‑store patterns, and REST‑based content introspection.
• Engineer the Splunk CIM normalization layer across the security‑relevant data models — building base searches, calculated fields, and custom CIM mappings for non‑standard log sources.
• Design and operate the Asset & Identity framework — multiple authoritative data sources merged with priority‑based logic, hostname normalization, time‑bound IP‑to‑host resolution, and enrichment macros injected into every detection.
• Operationalize the Threat Intelligence Framework — consolidating IOC feeds into the native ES intel KV‑store collections, configuring TAXII/STIX ingestion, integrating vulnerability intelligence and CVE data, and operationalizing IOC matching into the RBA model rather than as standalone notables.
• Develop custom integrations and automation across the security stack — bidirectional sync via REST APIs and HEC, custom Python connectors, modular inputs, and SOAR playbook authorship where automation is genuinely needed.
• Build cross‑domain detection coverage — identity, endpoint, network, cloud, web, email, SaaS, vulnerability/exposure, and insider/data — mapped to MITRE ATT&CK techniques and sub‑techniques.
• Onboard new log sources end‑to‑end when required — TA evaluation, custom extraction and parsing, CIM mapping, and ingest hardening — for the cases where new sources need to be added to the SIEM.
• Manage Splunk license capacity through index‑time filtering and routing, eliminating low‑value telemetry without compromising detection coverage.
• Build custom dashboards for the SOC integrated with detection workflows.
• Document and peer‑review every detection — every shipped detection has a structured wiki page with logic, MITRE mapping, exclusions, known false positives, and changelog.
• Operate against tight delivery deadlines across multiple concurrent work streams — translate requirements into deployable Splunk content under time pressure, coach Tier 1/2 analysts and Senior detection engineers, and serve as the named escalation point for the hardest cross‑domain detection problems.

• Other duties as assigned

This is a full‑time position. Standard business hours are Monday through Friday 8:30 AM to 5:30 PM. Additional time outside of these hours may be needed to complete the essential functions of the job.

• 8+ years in security engineering, SOC/IR, or detection content development, including…