Cherokee Federal · 1 day ago
Splunk Administrator
Cherokee Federal is a division of tribally owned federal contracting companies focused on serving the government’s mission. They are seeking a Splunk SOAR Engineer to design, build, and operate Splunk Phantom/SOAR automations that enhance detection and response capabilities across hybrid environments, particularly emphasizing AWS integration.
Government, Non Profit, Professional Services, Public Relations
Responsibilities
Design, develop, deploy, and maintain Splunk SOAR (Phantom) playbooks, apps, and integrations with secure, scalable configurations
Integrate Splunk ES correlation searches and notable events into automated triage, enrichment, containment, and ServiceNow IR workflows using CIM-compliant data pipelines
Build AWS-focused automations leveraging GuardDuty, CloudTrail, Security Hub, VPC Flow Logs, IAM, EC2, S3, and asset tagging for enrichment and response
Implement response actions such as EC2 isolation, S3 access controls, EBS snapshots for forensics, IAM key rotation or revocation, MFA enforcement, and Security Hub updates, with human-in-the-loop approvals and rollback procedures
Orchestrate endpoint and identity response by integrating EDR tools for host containment, IOC blocking, and remote response actions
Integrate ServiceNow IR to auto-create and manage incidents, enrich tickets with cloud and CI context, track SLAs, manage approvals, and attach playbook evidence
Optimize SOAR operations by tuning triggers, deduplicating events, reducing latency, standardizing reusable Python modules, and maintaining version control and documentation
Collaborate with SOC, IR, and cloud teams to translate runbooks (e.g., phishing, malware, IAM abuse, EC2 compromise) into reliable, measurable automations
Measure and report automation outcomes including MTTR reduction, auto-resolution rates, and SLA performance; support audits with control mapping and POA&M updates
Maintain governance through RBAC, secrets handling, logging, change control, and safe-response guardrails
Perform other job-related duties as assigned
Qualifications
Required
Active Public Trust clearance
U.S. citizenship or legal permanent residency
5+ years in SOC/IR or security engineering
3+ years with Splunk SOAR (Phantom) and Splunk ES
Hands-on AWS automation experience (GuardDuty, CloudTrail, Security Hub, IAM, EC2, S3, VPC Flow Logs)
Proven ServiceNow Incident Response integration experience
Experience integrating EDR APIs and chaining endpoint, identity, and cloud actions
Proficiency in Python, AWS Boto3, Splunk/Phantom SDKs, and REST APIs
Strong knowledge of MITRE ATT&CK, CVE/CVSS, CISA KEV, and risk-based automation
Experience aligning operations with FISMA/NIST RMF, FedRAMP, and CMMC
Must pass pre-employment qualifications of Cherokee Federal
Preferred
Relevant certifications (Splunk, AWS, Security+, CySA+, CISSP, GCDA/GCSA)
Experience with AWS Organizations, cross-account automation, and multi-region playbooks
Knowledge of ServiceNow flows, IR customization, and change management integrations
Benefits
Medical
Dental
Vision
401K
And other possible benefits as provided
Company
Cherokee Federal
Cherokee Federal, a division of Cherokee Nation Businesses, is a trusted team of government contracting professionals who can rapidly build innovative solutions.