Lead SOC Engineer (SIEM)

Overview:

The Lead Engineer – SOC (SIEM) is a critical role responsible for delivering SIEM management services, particularly focusing on Splunk SIEM and Splunk UEBA, within the Security Operations Center (SOC). Working closely with the SOC Team this role encompasses onboarding new log sources, enhancing and optimizing telemetry, ensuring system updates, resolving issues, and maintaining SIEM performance, designing SIEM Architecture and deployments based on customized business requirements.

Responsibilities:

Key Responsibilities

• Deliver and Lead Splunk SIEM management services within the SOC environment.
• Architect scalable and resilient Splunk-based SIEM solutions.
• Define data ingestion strategies, parsing logic, and correlation rules.
• Collaborate with the asset owner, client stakeholder, and SOC, in onboarding new log sources to the SIEM platform.
• Maintain and govern SOC critical log sources, ensuring their proper functionality and integration with Splunk SIEM.
• Detect log source issues, coordinate with customers to diagnose and resolve them in a timely manner.
• Enhance and optimize telemetry within the Splunk environment to improve data collection, correlation, and reporting.
• Collaborate with SOC and threat intelligence teams to develop detection use cases.
• Implement dashboards, alerts, and reports for proactive threat monitoring.
• Perform regular system updates to ensure Splunk functionality and security are up to date.
• Resolve Splunk-related issues promptly and efficiently.
• Proficiency in field extractions, data normalization, and CIM (Common Information Model) compliance.
• Maintain the performance of the Splunk SIEM according to established best practices.
• Participate in continuous process improvements to increase SOC efficiency and effectiveness.
• Provide regular and accurate reports on Splunk services and SOC operations to relevant stakeholders.
• Contribute to SOC architecture strategy and implementation initiatives related to Splunk in the pre-sales phase when required.
• Plan and execute Splunk version upgrades and feature rollouts.
• Evaluate and deploy new Splunk apps and add-ons.

Characterstics

• Profound knowledge and hands-on experience with Splunk SIEM and other related technologies like CRIBL.
• Understanding of SOC workflows, MITRE ATT&CK framework, and threat detection methodologies.
• Ability to correlate data across multiple sources to identify patterns and anomalies.
• Strong understanding of cloud and network technologies, essential for efficient log source onboarding.
• Proven technical capabilities in a complex, fast-paced SOC environment.
• Ability to diagnose and troubleshoot log source issues related to cloud and network infrastructures.
• Strong understanding of SOC operations, cybersecurity principles, and best practices.
• Excellent problem-solving skills and the ability to make decisions under pressure.
• Ability to collaborate effectively with a variety of team members, including interfacing with customers to resolve issues.
• High proficiency in written and verbal communication

Qualifications:

Skills & Certificates

• Splunk Certified Architect or Splunk Certified Administrator.
• Mastery of SPL (Search Processing Language) for complex queries, dashboards, and reports.
• Scripting skills (Python, Bash, PowerShell)
• Cloud-related certifications like AWS Certified Solutions Architect, Google Professional Cloud Architect, or Microsoft Certified: Azure Solutions Architect Expert.
• Certified Information Systems Security Professional (CISSP), GIAC is preferred.
• Excellent communication and documentation skills
• Ability to lead technical initiatives and work independently

Education

Bachelor’s degree in computer science, Information Technology, Cybersecurity, or a related field.

Minimum Work Exp

A minimum of 8 years of experience in SOC operations, with significant experience in Splunk SIEM management

Prior experience in a technical role within a SOC or similar cybersecurity environment.