
Splunk Administrator

Cherokee Federal
Alexandria, VA Full Time
POSTED ON 1/28/2026 CLOSED ON 2/26/2026

What are the responsibilities and job description for the Splunk Administrator position at Cherokee Federal?

Job Description

Splunk SOAR Engineer

This position requires an active Public Trust clearance to be considered.

A government contract requires that this position be restricted to U.S. citizens or legal permanent residents. You must provide documentation that you are a U.S. citizen or legal permanent resident to qualify.

We are seeking a Splunk SOAR Engineer to design, build, and operate Splunk Phantom/SOAR automations that accelerate detection and response across hybrid environments, with a strong emphasis on AWS. This role integrates Splunk ES notable events with automated playbooks for triage, enrichment, containment, and ServiceNow Incident Response. The engineer will enforce safe automation through RBAC, approvals, confidence thresholds, secrets management, rollback paths, and audit-ready evidence, aligning operations with FISMA/NIST RMF, FedRAMP, and CMMC requirements.

Compensation & Benefits

Estimated Starting Salary Range for Splunk SOAR Engineer: $145K – $150K

Pay commensurate with experience.

Full time benefits include Medical, Dental, Vision, 401K, and other possible benefits as provided. Benefits are subject to change with or without notice.

Splunk SOAR Engineer Responsibilities Include

  • Design, develop, deploy, and maintain Splunk SOAR (Phantom) playbooks, apps, and integrations with secure, scalable configurations.
  • Integrate Splunk ES correlation searches and notable events into automated triage, enrichment, containment, and ServiceNow IR workflows using CIM-compliant data pipelines.
  • Build AWS-focused automations leveraging GuardDuty, CloudTrail, Security Hub, VPC Flow Logs, IAM, EC2, S3, and asset tagging for enrichment and response.
  • Implement response actions such as EC2 isolation, S3 access controls, EBS snapshots for forensics, IAM key rotation or revocation, MFA enforcement, and Security Hub updates, with human-in-the-loop approvals and rollback procedures.
  • Orchestrate endpoint and identity response by integrating EDR tools for host containment, IOC blocking, and remote response actions.
  • Integrate ServiceNow IR to auto-create and manage incidents, enrich tickets with cloud and CI context, track SLAs, manage approvals, and attach playbook evidence.
  • Optimize SOAR operations by tuning triggers, deduplicating events, reducing latency, standardizing reusable Python modules, and maintaining version control and documentation.
  • Collaborate with SOC, IR, and cloud teams to translate runbooks (e.g., phishing, malware, IAM abuse, EC2 compromise) into reliable, measurable automations.
  • Measure and report automation outcomes including MTTR reduction, auto-resolution rates, and SLA performance; support audits with control mapping and POA&M updates.
  • Maintain governance through RBAC, secrets handling, logging, change control, and safe-response guardrails.
  • Performs other job-related duties as assigned

Splunk SOAR Engineer Experience, Education, Skills, Abilities Requested

  • 5 years in SOC/IR or security engineering, including 3 years with Splunk SOAR (Phantom) and Splunk ES.
  • Hands-on AWS automation experience (GuardDuty, CloudTrail, Security Hub, IAM, EC2, S3, VPC Flow Logs).
  • Proven ServiceNow Incident Response integration experience.
  • Experience integrating EDR APIs and chaining endpoint, identity, and cloud actions.
  • Proficiency in Python, AWS Boto3, Splunk/Phantom SDKs, and REST APIs.
  • Strong knowledge of MITRE ATT&CK, CVE/CVSS, CISA KEV, and risk-based automation.
  • Experience aligning operations with FISMA/NIST RMF, FedRAMP, and CMMC.
  • Relevant certifications (Splunk, AWS, Security+, CySA+, CISSP, GCDA/GCSA) preferred.
  • Experience with AWS Organizations, cross-account automation, and multi-region playbooks preferred.
  • Knowledge of ServiceNow flows, IR customization, and change management integrations preferred.
  • Must pass pre-employment qualifications of Cherokee Federal

Company Information

Criterion is a part of Cherokee Federal – the division of tribally owned federal contracting companies owned by Cherokee Nation Businesses. As a trusted partner for more than 60 federal clients, Cherokee Federal LLCs are focused on building a brighter future, solving complex challenges, and serving the government’s mission with compassion and heart. To learn more about Criterion, visit cherokee-federal.com.

#CherokeeFederal

Cherokee Federal is a military friendly employer. Veterans and active military transitioning to civilian status are encouraged to apply.

Similar Searchable Job Titles

  • Security Automation Engineer
  • SOAR Engineer
  • Cloud Security Automation Engineer
  • SOC Automation Engineer
  • Security Orchestration Engineer

Keywords

  • Splunk SOAR
  • AWS Security
  • Incident Response
  • ServiceNow IR
  • Security Automation

Legal Disclaimer: All qualified applicants will receive consideration for employment without regard to protected veteran status, disability or any other status protected under applicable federal, state or local law.

Many of our job openings require access to government buildings or military installations.

Salary: $145,000 - $150,000



