JOB OVERVIEWThe SIEM Detection Engineer is responsible for developing, tuning, and maintaining the detection content that identifies security threats within government agencies. This role owns correlation searches, alerts, and security use cases built in Splunk, aligning detections to frameworks such as MITRE ATT&CK and incorporating threat intelligence. The Detection Engineer works closely with security analysts, threat intelligence teams, and the Data and Platform Engineers to ensure threats are detected accurately and with minimal noise.
Essential Functions:- Detection Development
- Develop and optimize search queries, correlation searches, and alerts in SPL to proactively detect security threats, anomalies, and suspicious behavior.
- Configure alerts to trigger automated responses or notifications based on predefined criteria.
- Use Case Development
- Design and implement security use cases mapped to MITRE ATT&CK and driven by threat intelligence and agency risk priorities.
- Translate threat scenarios and requirements into actionable, testable detection logic.
- Alert Tuning and Optimization
- Tune detections to reduce false positives and alert fatigue while maintaining coverage.
- Continuously review and refine detection performance against evolving threats.
- Dashboards and Visualization
- Design and build dashboards and visualizations that support SOC triage, investigation, and decision-making.
- Present detection results and metrics in a clear, actionable manner.
- Threat Detection and Response Support
- Monitor and analyze security-related events to detect and help respond to potential threats.
- Support incident response by providing detection context and refining content based on findings.
- Detection Testing and Validation
- Test and validate detections against known attack techniques and sample data before deployment.
- Document detection logic, coverage, and expected outcomes.
- Collaboration and Documentation
- Collaborate with security analysts and threat intelligence teams to align detections with operational needs.
- Maintain documentation and runbooks for detection content and response guidance.
Qualifications:- Detection development in SPL: correlation searches, scheduled searches, alerts, and thresholds
- Security use case design mapped to MITRE ATT&CK
- Alert tuning and false-positive reduction while maintaining coverage
- Threat intelligence application and IOC/behavioral detection logic
- Dashboard and visualization development for SOC triage and investigation
- Detection testing and validation against known attack techniques and sample data
- Working knowledge of Splunk Enterprise Security (ES): notable events, risk-based alerting (RBA), and data models
- Understanding of the incident response lifecycle and SOC workflows
- Familiarity with adversary tactics, techniques, and common attack patterns across endpoint, network, and cloud
PHYSICAL REQUIREMENTS & ENVIRONMENTAL CONDITIONS- Inside office environment.
- Working on a computer for long periods of time.
- May involve long period of sitting at a desk.
- The work environment is fast-paced and sometimes involves extreme deadline pressures.
OTHER DUTIESThis job description is not designed to cover or contain a comprehensive listing of activities, duties or responsibilities that are required of the employee for this job. Duties, responsibilities, and activities may change at any time with or without notice.