Splunk Enterprise Security (ES) Consultant - remote

• Develop custom detection content: correlation searches, notable events, alerts, reports, and visualizations to surface threat activity
• Build and maintain Splunk Apps and Technology Add-ons (TAs)
• Onboard new data sources and normalize them to the Common Information Model (CIM)
• Optimize data flow and ingestion using aggregation, filtering, and pipeline tuning
• Configure notable event actions, action menus, and Adaptive Responses
• Tune detections to cut noise and surface what matters, including risk-based alerting where applicable
• Build dashboards that highlight anomalies, trends, and security and operational metrics
• Support and optimize large distributed clustered Splunk environments (search heads, indexers, forwarders, deployment servers)
• Partner with the client''s security and SOC teams, debug complex integration and configuration issues
• Document processes, procedures, and key engineering decisions

• Several years of hands-on Splunk experience, with real ES implementation, content development, and tuning
• Strong SPL and regular expressions
• Scripting in Python, Perl, or Bash
• Solid grasp of CIM and data onboarding and normalization at scale
• Experience supporting clustered Splunk environments in SOC or NOC settings
• SIEM data modeling experience on a platform at scale
• Proficiency in Linux, including editing and maintaining Splunk config files and apps
• Comfortable working consultatively with client teams and explaining the why behind the work
• Splunk certifications (Core Certified Consultant, ES Certified Admin, Architect) are a plus but not required
• Demonstrated ES delivery experience carries more weight than paper

Ref: #856-Baltimore-S1