SIEM Engineer Expert (Qradar/Splunk)
Posted on Jan 12, 2022 by Base 3
You join SOC as an Expert in SIEM (Security Information and Event Management) engineering.
In your role as subject matter expert you are responsible for helping the company in its SIEM transformation from QRadar to the Splunk ecosystem. You will be responsible for developing and tuning the correlation searches in Splunk that generate the alerts monitored by the SOC Tier 1 function, as well as the runbooks used by Tier 1.
Additionally, you may guide and coach your junior team members and guard the use case development and maintenance framework; this includes adhering to standards and keeping documentation up to date.
Your primary duties will be:
- Analyse existing use case catalogue and correlation rules implemented in QRadar.
- Prepare the migration of correlation rules from QRadar to the Splunk ecosystem.
- Cooperate with the CTI, SOC and CIRT teams in developing and testing correlation searches in Splunk.
- Create Splunk Knowledge Objects to address stakeholders' needs in the context of using Splunk as a security tool.
- Prepare correlation search tests, conduct them, and document test evidence showing that the correlation search addresses the scenario described in the use case.
- Interact with stakeholders to gather use case requirements in the context of log sources and external feeds.
- Cooperate with the log source onboarding project to ensure correct log source onboarding and mapping of logs to data models according to Splunk best practices.
- Responsible for the creation of procedures, runbooks and high-level/low-level documentation, the implementation of processes, and the development of staff in relation to SIEM detection logic.
- Coach a team (from a technical perspective); review work outputs and provide quality assurance.
- Analyse and identify areas of improvement in existing processes, procedures and documentation.
- Demonstrate how to use SIEM and Enterprise Security products to both technical and non-technical personnel.
- Provide expert technical advice and counsel in the design, monitoring and improvement of SIEM security systems.
Required Technical skills
- In-depth experience in the development and maintenance of SIEM use cases
- Knowledge of how correlation rules in QRadar are built
- Fluent in Splunk's search processing language (SPL)
- Excellent knowledge of Splunk Enterprise and Splunk Enterprise Security
- Sound knowledge of the Splunk Common Information Model (CIM) and log normalization using Data Models
- Excellent English communication skills (written and oral)
Remark: This role has been assessed as Inside IR35, which only affects UK resident applicants.