Must Have Technical/Functional Skills
Technical Expertise
• 5+ years working with SIEM platforms (Splunk preferred).
• Advanced experience with CIM, ECS, or equivalent log normalization schemas.
• Strong understanding of:
o JSON logging
o Syslog/NXLog
o Cloud logging architectures (AWS/GCP/Azure)
o Application security telemetry
o OSQuery / EDR / DNS / WAF logs
• Proven ability to write:
o Source type definitions
o Field extraction rules
o Correlation logic
o Detection playbooks
Cybersecurity Knowledge & Competency
• Familiarity with MITRE ATT&CK, SIGMA rules, NIST 800-53 frameworks.
• Experience supporting SOC, IR, SIEM, Detection Engineering, or Threat Ops teams.
• Understanding modern attack techniques, identity abuse patterns, and cloud threats.
Roles & Responsibilities
• Engage and coordinate with Application Owners, Product Teams, DevOps, and Engineering.
• Validate log types, formats, schemas, and logging methods (syslog, API, CloudTrail, JSON, custom formats).
• Define onboarding requirements including event types, fields, timestamps, user identity, error codes,
• and security-critical attributes.
• Evaluate logs for completeness, reliability, and compliance with industry standard schemas.
• Map log sources to Splunks Common Information Model (CIM) or equivalent normalization frameworks.
• Log parsing, field extraction, enrichment, and timestamp normalization.
• Development of CIM-compliant extractions for all new log sources.
• Documentation of field dictionaries, mappings, and SIEM source type definitions.
• Validation of proper taxonomy alignment across categories such as:
o Authentication
o Authorization
o Application activity
o Network activity
o Security events
o Error/failure conditions
o Administrative and privileged actions
• Mapping application behaviors to relevant attack techniques (MITRE ATT&CK).
• Identifying and documenting detection opportunities.
• Authoring and implementing:
o Correlation searches
o Behavioral detections
o Anomaly models
o High-fidelity alert logic
• Ensuring each detection has:
o Defined data dependencies
o Operational owner
o Severity/priority rating
o Triage response play
• Operationalizing detections into Security Operations Runbooks, including:
o Preconditions
• Indicators & patterns
o Triage steps
o Containment actions
o Escalation paths
o Evidence checklist
Salary Range: $64,000 - $125000 a year
#LI-CM2