Senior Splunk Engineer

This position requires an active Public Trust clearance to be considered.

A government contract requires that this position be restricted to U.S. citizens or legal permanent residents.  You must provide documentation that you are a U.S. citizen or legal permanent resident to qualify.

We are seeking a Senior Splunk Engineer to architect, build, and operate Splunk Enterprise and Enterprise Security (ES) across hybrid environments with a strong emphasis on AWS. You will own the Splunk platform end to end—ingest, CIM mapping, ES content, search and dashboard performance, SOAR automations, and ServiceNow IR integrations. You will drive detection, response, and reporting outcomes that meet FISMA/NIST RMF, FedRAMP, and CMMC requirements. You will implement robust governance, RBAC, change control, and audit-ready evidence. You will partner with SOC, IR, cloud, and platform teams to deliver measurable risk reduction and operational efficiency.

Compensation & Benefits: 

Estimated starting salary range: $150,000- $165,000. Pay commensurate with experience. 

Full-time benefits include Medical, Dental, Vision, 401K, and other possible benefits. Benefits may change with or without notice.

Senior Splunk Engineer Responsibilities Include: 

• Design, deploy, and maintain Splunk Enterprise, indexers, search heads (including SHC), cluster master/CM, deployment server/Deployer, forwarders, and KV stores across on‑prem and AWS.

• Engineer scalable data onboarding pipelines, parsing, and indexing with props/transforms, HEC, UF/HF, and S3/SQS/SNS-based ingestion.

• Enforce RBAC, data retention, index strategy, knowledge object governance, and change control aligned to federal compliance.

• Optimize search performance, data model accelerations, KV store usage, and ES notable event throughput and latency.

• Develop and tune ES correlation searches, risk-based alerting (RBA), and adaptive response actions mapped to MITRE ATT&CK.

• Build dashboards, investigations, and notable event workflows that reduce false positives and drive analyst efficiency.

• Maintain CIM-compliant data models; lead normalization and data quality initiatives across cloud, endpoint, identity, and network sources.

• Measure and report detection and response efficacy (MTTR, precision/recall, RBA risk scores, SLA adherence).

• Engineer Splunk SOAR (Phantom) playbooks and apps with secure, scalable configurations to triage, enrich, and contain threats.

• Integrate ES notables with automated triage and ServiceNow IR for incident creation, enrichment, SLA tracking, approvals, and evidence attachments.

• Build AWS-focused detection and response: GuardDuty, CloudTrail, Security Hub, VPC Flow Logs, IAM, EC2, S3; implement safe actions (e.g., EC2 isolation, S3 access updates, EBS snapshots, IAM key rotation/MFA enforcement, Security Hub updates) with human-in-the-loop approvals and rollback.

• Integrate EDR and identity platforms for host containment, IOC blocking, and remote response via APIs.

• Lead Splunk deployments in AWS including scalability, multi-account/multi-region ingestion, and cross-account automation via Boto3 and native services.

• Standardize reusable Python modules, SDK usage, and CI/CD practices for app/deployment packaging and version control.

• Map controls to FISMA/NIST RMF, FedRAMP, and CMMC; maintain audit-ready evidence through logging, approval trails, and configuration baselines.

• Drive POA&M updates, control validations, and continuous monitoring dashboards.

• Champion secrets management, least privilege, and safe-response guardrails in all platform and automation changes.

• Translate SOC/IR runbooks (phishing, malware, IAM abuse, EC2 compromise) into reliable detections and automations.

• Mentor junior engineers and analysts on SPL, ES content development, CIM, and SOAR playbooks.

• Partner with stakeholders to prioritize use cases and deliver quantifiable outcomes.

• Other duties as assigned.

Experience, Education, Skills, Abilities 

• 7+ years in security engineering, SOC/IR, or platform engineering, including 4+ years designing and operating Splunk Enterprise and Splunk ES in production. 

• 3+ years hands-on with Splunk SOAR (Phantom) and automation of ES notables and ServiceNow IR workflows. 

• Strong AWS experience: GuardDuty, CloudTrail, Security Hub, IAM, EC2, S3, VPC Flow Logs; cross-account and multi-region preferred. 

• Proven ServiceNow Incident Response integration experience. 

• Proficiency in SPL, Python, AWS Boto3, Splunk/Phantom SDKs, REST APIs, and Git-based version control. 

• Deep knowledge of CIM, data model accelerations, index/retention strategy, and search performance tuning. 

• Strong grasp of MITRE ATT&CK, CVE/CVSS, CISA KEV, and risk-based detection and automation. 

• Experience aligning operations with FISMA/NIST RMF, FedRAMP, and CMMC; evidence generation and audit support. 

• Preferred: Splunk certifications (Core Certified Power User/Admin/Architect, ES Admin), AWS certifications, Security+, CySA+, CISSP, GCDA/GCSA. 

• Preferred: Experience with Splunk SHC, DS/Deployer, KVstore management, ES content management at scale, AWS Organizations, and ServiceNow IR customization/change management integrations. 

• Must pass pre-employment qualifications of Cherokee Federal.

Company Information 

Criterion is a part of Cherokee Federal – the division of tribally owned federal contracting companies owned by Cherokee Nation Businesses. As a trusted partner for more than 60 federal clients, Cherokee Federal LLCs are focused on building a brighter future, solving complex challenges, and serving the government’s mission with compassion and heart. To learn more about Criterion, visit cherokee-federal.com.

Cherokee Federal is a military friendly employer. Veterans and active military transitioning to civilian status are encouraged to apply.

#LI-SM2 #Appc

Similar Searchable Job Titles 

• Senior Splunk Engineer 

• Splunk ES Engineer 

• Senior Security Analytics Engineer 

• Security Automation Engineer 

• Security Orchestration Engineer

Keywords 

• Splunk Enterprise

• Splunk ES

•  Splunk SOAR

• AWS

•  Security Analytics

• Incident Response,

• ServiceNow IR

•  CIM

• RBA

• Automation

Legal Disclaimer: All qualified applicants will receive consideration for employment without regard to protected veteran status, disability or any other status protected under applicable federal, state or local law.