Sr Splunk Engineer

Cherokee Federal
401(k)
United States, Oklahoma, Tulsa
2 West 2nd Street (Show on map)
Mar 03, 2026

Senior Splunk Engineer

This position requires an active Public Trust clearance to be considered.

A government contract requires that this position be restricted to U.S. citizens or legal permanent residents. You must provide documentation that you are a U.S. citizen or legal permanent resident to qualify.

We are seeking a Senior Splunk Engineer to architect, build, and operate Splunk Enterprise and Enterprise Security (ES) across hybrid environments with a strong emphasis on AWS. You will own the Splunk platform end to end: ingest, CIM mapping, ES content, search and dashboard performance, SOAR automations, and ServiceNow IR integrations. You will drive detection, response, and reporting outcomes that meet FISMA/NIST RMF, FedRAMP, and CMMC requirements. You will implement robust governance, RBAC, change control, and audit-ready evidence. You will partner with SOC, IR, cloud, and platform teams to deliver measurable risk reduction and operational efficiency.

Compensation & Benefits:

Estimated starting salary range: $150,000 - $165,000. Pay commensurate with experience.

Full-time benefits include Medical, Dental, Vision, 401K, and other possible benefits. Benefits may change with or without notice.

Senior Splunk Engineer Responsibilities Include:

  • Design, deploy, and maintain Splunk Enterprise, indexers, search heads (including SHC), cluster master (CM), deployment server/Deployer, forwarders, and KV stores across on-prem and AWS.

  • Engineer scalable data onboarding pipelines, parsing, and indexing with props/transforms, HEC, UF/HF, and S3/SQS/SNS-based ingestion.

  • Enforce RBAC, data retention, index strategy, knowledge object governance, and change control aligned to federal compliance.

  • Optimize search performance, data model accelerations, KV store usage, and ES notable event throughput and latency.

  • Develop and tune ES correlation searches, risk-based alerting (RBA), and adaptive response actions mapped to MITRE ATT&CK.

  • Build dashboards, investigations, and notable event workflows that reduce false positives and drive analyst efficiency.

  • Maintain CIM-compliant data models; lead normalization and data quality initiatives across cloud, endpoint, identity, and network sources.

  • Measure and report detection and response efficacy (MTTR, precision/recall, RBA risk scores, SLA adherence).

  • Engineer Splunk SOAR (Phantom) playbooks and apps with secure, scalable configurations to triage, enrich, and contain threats.

  • Integrate ES notables with automated triage and ServiceNow IR for incident creation, enrichment, SLA tracking, approvals, and evidence attachments.

  • Build AWS-focused detection and response: GuardDuty, CloudTrail, Security Hub, VPC Flow Logs, IAM, EC2, S3; implement safe actions (e.g., EC2 isolation, S3 access updates, EBS snapshots, IAM key rotation/MFA enforcement, Security Hub updates) with human-in-the-loop approvals and rollback.

  • Integrate EDR and identity platforms for host containment, IOC blocking, and remote response via APIs.

  • Lead Splunk deployments in AWS including scalability, multi-account/multi-region ingestion, and cross-account automation via Boto3 and native services.

  • Standardize reusable Python modules, SDK usage, and CI/CD practices for app/deployment packaging and version control.

  • Map controls to FISMA/NIST RMF, FedRAMP, and CMMC; maintain audit-ready evidence through logging, approval trails, and configuration baselines.

  • Drive POA&M updates, control validations, and continuous monitoring dashboards.

  • Champion secrets management, least privilege, and safe-response guardrails in all platform and automation changes.

  • Translate SOC/IR runbooks (phishing, malware, IAM abuse, EC2 compromise) into reliable detections and automations.

  • Mentor junior engineers and analysts on SPL, ES content development, CIM, and SOAR playbooks.

  • Partner with stakeholders to prioritize use cases and deliver quantifiable outcomes.

  • Other duties as assigned.

Experience, Education, Skills, Abilities

  • 7+ years in security engineering, SOC/IR, or platform engineering, including 4+ years designing and operating Splunk Enterprise and Splunk ES in production.

  • 3+ years hands-on with Splunk SOAR (Phantom) and automation of ES notables and ServiceNow IR workflows.

  • Strong AWS experience: GuardDuty, CloudTrail, Security Hub, IAM, EC2, S3, VPC Flow Logs; cross-account and multi-region preferred.

  • Proven ServiceNow Incident Response integration experience.

  • Proficiency in SPL, Python, AWS Boto3, Splunk/Phantom SDKs, REST APIs, and Git-based version control.

  • Deep knowledge of CIM, data model accelerations, index/retention strategy, and search performance tuning.

  • Strong grasp of MITRE ATT&CK, CVE/CVSS, CISA KEV, and risk-based detection and automation.

  • Experience aligning operations with FISMA/NIST RMF, FedRAMP, and CMMC; evidence generation and audit support.

  • Preferred: Splunk certifications (Core Certified Power User/Admin/Architect, ES Admin), AWS certifications, Security+, CySA+, CISSP, GCDA/GCSA.

  • Preferred: Experience with Splunk SHC, DS/Deployer, KVstore management, ES content management at scale, AWS Organizations, and ServiceNow IR customization/change management integrations.

  • Must pass pre-employment qualifications of Cherokee Federal.

Company Information

Criterion is a part of Cherokee Federal - the division of tribally owned federal contracting companies owned by Cherokee Nation Businesses. As a trusted partner for more than 60 federal clients, Cherokee Federal LLCs are focused on building a brighter future, solving complex challenges, and serving the government's mission with compassion and heart. To learn more about Criterion, visit cherokee-federal.com.

Cherokee Federal is a military friendly employer. Veterans and active military transitioning to civilian status are encouraged to apply.

Similar Searchable Job Titles

  • Senior Splunk Engineer

  • Splunk ES Engineer

  • Senior Security Analytics Engineer

  • Security Automation Engineer

  • Security Orchestration Engineer

Keywords

  • Splunk Enterprise

  • Splunk ES

  • Splunk SOAR

  • AWS

  • Security Analytics

  • Incident Response

  • ServiceNow IR

  • CIM

  • RBA

  • Automation

Legal Disclaimer: All qualified applicants will receive consideration for employment without regard to protected veteran status, disability or any other status protected under applicable federal, state or local law.