*Senior (CTM - Threat Detection & Response)*

*Key capabilities*:
- Experience working with Splunk Enterprise, Splunk Enterprise Security and Splunk UEBA.
- Minimum of Splunk Power User certification.
- Good knowledge of a programming or scripting language such as Python (preferred), JavaScript (preferred), Bash or PowerShell.
- Perform remote and on-site gap assessments of the SIEM solution.
- Define evaluation criteria and approach based on the client requirements and scope, factoring in industry best practices and regulations.
- Conduct interviews with stakeholders and review documents (SOPs, architecture diagrams, etc.).
- Evaluate the SIEM against the defined criteria and prepare audit reports.
- Good experience providing consulting to customers during the testing, evaluation, pilot, production and training phases to ensure a successful deployment.
- Understand customer requirements and recommend best practices for SIEM solutions.
- Offer consultative advice on security principles and best practices related to SIEM operations.
- Design and document a SIEM solution to meet the customer's needs.
- Experience onboarding data into Splunk from various sources, including unsupported (in-house built) sources, by creating custom parsers.
- Verification of log source data in the SIEM, following the Common Information Model (CIM).
- Experience parsing and masking data prior to ingestion into the SIEM.
- Provide support for the data collection, processing, analysis and operational reporting systems, including planning, installation, configuration, testing, troubleshooting and problem resolution.
- Assist clients to fully optimize the SIEM's capabilities as well as the audit and logging features of the event log sources.
- Provide technical guidance to clients on configuring in-scope end log sources for integration with the SIEM.
- Experience handling big data integration via Splunk.
- Expertise in SIEM content development, including developing processes for automated security event monitoring and alerting along with corresponding event response plans for systems.
- Hands-on experience developing and customizing Splunk apps and add-ons.
- Builds advanced visualizations (interactive drilldowns, glass tables, etc.).
- Build and integrate contextual data into notable events.
- Experience creating use cases mapped to the Cyber Kill Chain and the MITRE ATT&CK framework.
- Experience in installation, configuration and use of premium Splunk apps and add-ons such as Enterprise Security (ES), UEBA and ITSI.
- Sound knowledge of configuring alerts and reports.
- Good exposure to automatic lookups, data models and writing complex SPL queries.
- Create, modify and tune SIEM rules to adjust the specifications of alerts and incidents to meet client requirements.
- Work with the client SPOC on correlation rule tuning (as per the use case management life cycle) and on incident classification and prioritization recommendations.
- Experience creating custom commands, custom alert actions, adaptive response actions, etc.
*Qualification & experience*:
- Minimum of 5 to 11 years' experience, with a depth of network architecture knowledge that translates to deploying and integrating a complex security intelligence solution into global enterprise environments.
- Strong oral, written and listening skills are an essential component of effective consulting.
- Strong background in network administration. Ability to work at all layers of the OSI model, including being able to explain communication at any layer, is necessary.
- Must have knowledge of vulnerability management and of Windows and Linux basics, including installation, Windows domains, trusts, GPOs, server roles, Windows security policies, user administration, Linux security and troubleshooting.
- Good to have: experience designing and implementing Splunk with a focus on IT operations, application analytics, user experience, application performance and security management.
- Multiple cluster deployment and management experience as per vendor guidelines and industry best practices.
- Certification in another SIEM solution such as IBM QRadar, Exabeam or Securonix will be an added advantage.
- Certifications in a core security-related discipline will be an added advantage.