SIEM Engineer Expert - Splunk engineer for UC migration (QRadar)
Posted on Nov 20, 2021 by Base 3
This role is inside IR35 for UK applicants!
- In depth experience in development and maintenance of SIEM use cases
- Knowledge about how correlation rules in QRadar are built
- Fluent in Splunk's search processing language (SPL)
- Excellent knowledge of Splunk Enterprise and Splunk Enterprise Security
- Splunk Certified Power User (essential)
- Splunk Enterprise Certified Admin (essential)
- Sound knowledge about Splunk Common Information Model (CIM) and log normalization using Data Models
- Excellent English communication skills (written and oral)
- Splunk Enterprise Security Certified Admin (nice to have)
- QRadar Certified (nice to have)
- Any other security certifications (e.g. CEH, GIAC, CISSP, OSCP)
You will join the SOC as an Expert in SIEM (Security Information and Event Management) engineering.
In your role as subject matter expert you are responsible for helping the company's SIEM transformation from QRadar to the Splunk ecosystem. You will be responsible for developing and tuning the correlation searches in Splunk that generate the alerts monitored by the SOC Tier 1 function, as well as the runbooks used by Tier 1.
Additionally, you may guide and coach your junior team members and safeguard the use case development and maintenance framework; this includes adhering to standards and keeping documentation up to date.
Your primary duties will be:
- Analyse existing use case catalogue and correlation rules implemented in QRadar.
- Prepare the migration of correlation rules from QRadar to the Splunk ecosystem.
- Cooperate with the CTI, SOC and CIRT teams in developing and testing correlation searches in Splunk.
- Create Splunk Knowledge Objects to address stakeholders' needs in the context of using Splunk as a security tool.
- Prepare correlation search tests, conduct the tests and document the evidence showing that each correlation search addresses the scenario described in its use case.
- Interact with stakeholders to gather requirements for use cases in the context of log sources and external feeds.
- Cooperate with the log source onboarding project to ensure correct log source onboarding and mapping of logs to data models according to Splunk best practices.
- Be responsible for the creation of procedures, runbooks and high-level/low-level documentation, the implementation of processes, and the development of staff in relation to SIEM detection logic.
- Coach a team (from a technical perspective); review work outputs and provide quality assurance.
- Analyse and identify areas of improvement in existing processes, procedures and documentation.
- Demonstrate how to use SIEM and Enterprise Security products to both technical and non-technical personnel.
- Provide expert technical advice and counsel in the design, monitoring and improvement of SIEM security systems.