
Technology
Salt
Brussels, Belgium, posted 1 month ago, open until 18/4/2026

Job description

Splunk Developer – Banking – Belgium/Hybrid

Daily rate: €600 - €800

Duration: 6 – 12 months

Location: Brussels

Start: Now

Hybrid: 8 days per month in office

My new client is looking for a Splunk Developer to join the team on a freelance basis. You will be responsible for the development and maintenance of correlation searches and dashboards on the SIEM (Splunk ES) platform. You will collaborate with the Manager of Detection & Response Engineering and work jointly with the threat intelligence, design, engineering and response teams to gather and define requirements, set clear priorities, evaluate technical trade-offs, and build and maintain threat detection capabilities.

The Detection & Response Engineering team consists of:

  • Detection/Security Engineers – who implement and maintain threat detections.
  • SOAR Engineers – who develop responses such as playbooks and automations.

Responsibilities and duties:
  • Collaborate with key stakeholders (Threat Intelligence, SOC, engineering teams) to gather requirements and translate threat scenarios into actionable detection use cases.
  • Design, develop, tune, and continuously improve Splunk ES correlation searches aligned with MITRE ATT&CK techniques and internal threat models, while enhancing detection workflows and telemetry quality as part of the ongoing detection engineering lifecycle.
  • Validate and refine detections through structured testing, adversary simulation, evidence collection, peer review, false‑positive analysis, baseline creation, and high‑fidelity tuning to ensure accurate and reliable detection logic.
  • Maintain clear, structured documentation for detection logic, testing procedures, ATT&CK mapping, and operational deployment guidelines.
  • Conduct coverage gap assessments, maintain the detection inventory, and contribute to ATT&CK‑based coverage reporting and maturity tracking.
  • Implement and optimize Splunk ES features such as correlation search patterns, notable events, and risk‑based alerting (RBA).
  • Work closely with the log onboarding team to ensure high‑quality telemetry, correct field extractions, CIM compliance, and accurate Data Model mapping, including contributing to log parsing, regex-based field extraction validation, and event normalization quality checks.
  • Define and maintain the alert schema required for downstream automation (XSOAR).
  • Participate in Agile delivery practices, contributing to backlog refinement, sprint planning, and iterative delivery of threat detection capabilities.

Required qualifications:
  • Proven expertise across the full SIEM detection engineering lifecycle, including hypothesis‑driven detection design, structured testing, validation, false‑positive reduction, operational deployment, and continuous refinement.
  • In‑depth knowledge of key security telemetry sources, including Windows Event Logs, Sysmon, Linux audit logs, firewall and proxy logs, cloud security logs, and EDR telemetry.
  • Advanced SPL proficiency with deep understanding of the Splunk Common Information Model (CIM), Data Models, and performance optimization (search acceleration, summary indexing, Data Model acceleration).
  • Experience applying the MITRE ATT&CK framework for behaviour‑based detection design, threat mapping, and coverage analysis.
  • Hands‑on experience with data onboarding quality assurance, including field extraction verification, CIM compliance testing, sample‑based validation, and ensuring schema correctness across log sources.
  • Ability to work with deeply nested JSON telemetry and complex field structures.
  • Proficiency with log parsing and field extraction techniques, including regex, event normalization, and verification of correct field mapping across diverse log sources.
  • Experience using Git‑based version control (Azure DevOps), including branching, pull requests, peer reviews, and structured promotion workflows for YAML‑based detection rules.
  • Strong foundational understanding of network, endpoint, and cloud security concepts relevant to detection engineering.
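The responsibilities and qualifications above describe a detection engineering loop: flatten nested JSON telemetry, extract fields with regex, normalise them onto CIM field names, verify the onboarding is complete, run ATT&CK-mapped detection logic, and aggregate the hits with risk-based alerting. The following is an added, offline Python example of that loop written for this page; it is not code from the posting, the client, or Splunk. Every event, log line, field name, risk score and threshold in it is constructed for illustration (the CIM field subsets, the scores 60 and 40, and the RBA threshold of 50 are assumptions), and the nested event shape mimics a forwarded Sysmon event rather than any specific product's output.

```python
"""Added example: a miniature offline detection-engineering harness.
Not from the job posting or Splunk; all inputs and scores are constructed."""
import json
import re
from collections import Counter, defaultdict

# Constructed telemetry: Sysmon-like process events wrapped in nested JSON
# (the third one is deliberately missing the User field) and sshd syslog lines.
SAMPLE_EVENTS = [
    json.dumps({"Event": {"System": {"EventID": 1, "Computer": "WS01.corp.example"},
                          "EventData": {"User": "CORP\\alice",
                                        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                        "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"}}}),
    json.dumps({"Event": {"System": {"EventID": 1, "Computer": "WS02.corp.example"},
                          "EventData": {"User": "CORP\\bob", "Image": "C:\\Windows\\System32\\notepad.exe",
                                        "CommandLine": "notepad.exe C:\\notes.txt"}}}),
    json.dumps({"Event": {"System": {"EventID": 1, "Computer": "WS03.corp.example"},
                          "EventData": {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"}}}),
]
SAMPLE_SYSLOG = [
    "Jan 10 10:00:01 srv01 sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2",
    "Jan 10 10:00:02 srv01 sshd[812]: Failed password for root from 203.0.113.5 port 4023 ssh2",
    "Jan 10 10:00:03 srv01 sshd[812]: Failed password for root from 203.0.113.5 port 4024 ssh2",
    "Jan 10 10:00:09 srv01 sshd[812]: Accepted password for carol from 198.51.100.7 port 5000 ssh2",
]
# Assumed required-field subsets of CIM Endpoint.Processes and Authentication.
CIM_REQUIRED = {"process": ["dest", "user", "process_name", "process"],
                "auth": ["action", "user", "src", "dest", "app"]}

def flatten(obj, prefix=""):
    """Flatten nested dicts into dotted keys, e.g. Event.EventData.Image."""
    out = {}
    for k, v in obj.items():
        key = f"{prefix}{k}"
        out.update(flatten(v, key + ".") if isinstance(v, dict) else {key: v})
    return out

def normalize_process(raw_json):
    """Map a nested Sysmon-like event onto CIM Endpoint.Processes names."""
    f = flatten(json.loads(raw_json))
    image = f.get("Event.EventData.Image", "")
    return {"dest": f.get("Event.System.Computer"), "user": f.get("Event.EventData.User"),
            "process_name": image.rsplit("\\", 1)[-1].lower() or None,
            "process": f.get("Event.EventData.CommandLine")}

SSH_RE = re.compile(r"^\S+ \d+ [\d:]+ (?P<dest>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
                    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$")

def normalize_ssh(line):
    """Regex field extraction for sshd lines onto CIM Authentication names."""
    m = SSH_RE.match(line)
    if not m:
        return None  # unparsed line: a field-extraction failure to report, not silently drop
    return {"action": "failure" if m["result"] == "Failed" else "success",
            "user": m["user"], "src": m["src"], "dest": m["dest"], "app": "sshd"}

def cim_missing(record, model):
    """Onboarding QA: which required CIM fields are absent or empty?"""
    return [f for f in CIM_REQUIRED[model] if not record.get(f)]

ENCODED_PS_RE = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")

def detect_encoded_powershell(events):
    """T1059.001 behaviour: powershell.exe started with an encoded command (score assumed)."""
    return [{"risk_object": e["dest"], "risk_object_type": "system", "score": 60,
             "technique": "T1059.001", "user": e["user"]}
            for e in events
            if e["process_name"] == "powershell.exe" and ENCODED_PS_RE.search(e["process"] or "")]

def detect_ssh_bruteforce(auths, threshold=3):
    """T1110 behaviour: at least `threshold` failed logons from one source (score assumed)."""
    fails = Counter(a["src"] for a in auths if a["action"] == "failure")
    return [{"risk_object": src, "risk_object_type": "system", "score": 40,
             "technique": "T1110", "failures": n} for src, n in fails.items() if n >= threshold]

def rba_notables(risk_events, threshold=50):
    """RBA: sum risk per object and raise a notable only once the total crosses the threshold."""
    totals = defaultdict(int)
    for r in risk_events:
        totals[r["risk_object"]] += r["score"]
    return {obj: t for obj, t in totals.items() if t >= threshold}

def run_pipeline():
    """Normalise -> QA -> detect -> aggregate, returning everything a test can assert on."""
    procs = [normalize_process(e) for e in SAMPLE_EVENTS]
    auths = [a for a in (normalize_ssh(l) for l in SAMPLE_SYSLOG) if a]
    qa = {"process": [cim_missing(p, "process") for p in procs],
          "auth": [cim_missing(a, "auth") for a in auths]}
    risk = detect_encoded_powershell(procs) + detect_ssh_bruteforce(auths)
    return {"qa": qa, "risk": risk, "notables": rba_notables(risk)}

if __name__ == "__main__":
    print(json.dumps(run_pipeline(), indent=2))
```

Running it shows the QA step flagging the event with no user before any detection fires, and the RBA step raising a notable only for the host whose accumulated risk (60) crosses the assumed threshold, while the single brute-force risk event (40) stays in the risk index for later correlation rather than becoming an alert on its own.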
