Security Observability Engineer
Job Overview
We are seeking an experienced Security Observability Engineer to lead the migration, optimization, and secure operation of our log ingestion and observability pipelines.
Key Responsibilities
End-to-End SIEM Pipeline Management & Optimization
Lead the migration of log sources from Splunk ingestion to Cribl Stream/Edge pipelines, ensuring load-balanced, fault-tolerant delivery and processing of security and IT logs.
Architect and manage scalable, resilient pipelines—including design, implementation, and operation of load balancing solutions (e.g., Cribl worker groups, external load balancers, or syslog load distribution) for high ingest volumes.
Analyze, tune and securely onboard all log sources (firewalls, EDR, cloud, authentication, proxies, etc.)—covering parsing, filtering, and data reduction techniques to minimize Splunk ingest/storage costs without sacrificing security coverage.
Develop and maintain Cribl and Splunk configurations, including advanced transformations, field normalization, masking, and enrichment for security analytics.
Ensure optimal distribution of logging workload across Cribl worker nodes and Splunk indexers to prevent bottlenecks, data loss, or single points of failure.
Security Event Visibility and SOC Enablement
Collaborate with SOC, IR, and threat detection teams to ensure all security logs reach the SIEM efficiently and reliably, and logs are tuned for actionable detection.
Actively monitor, test, and remediate pipeline balancing and ingestion health to maximize uptime and forensic visibility.
Respond to and resolve SIEM and pipeline issues that impact security, detection, or compliance visibility.
Governance, Compliance & Documentation
Apply and document security policies for log routing, load balancing, event retention, and integrity—ensuring pipeline architecture meets audit, legal, and privacy requirements.
Track and report ingest reduction, Splunk cost savings, pipeline health, and event loss/drop rates across the load-balanced infrastructure.
Maintain clear, up-to-date documentation of log flows, pipeline topology, load balancing strategies, and operational procedures.
Required Skills & Qualifications
Extensive hands-on experience with Splunk SIEM engineering (indexers, search heads, clustering, forwarders, CIM, performance/load optimization).
2+ years with Cribl Stream/Edge, including deployment and tuning of distributed, load-balanced pipelines.
Deep understanding of machine data transport (syslog, HEC, TCP, UDP), log balancing strategies (syslog balancers, DNS round-robin, Cribl worker groups, etc.), and high-availability logging environments.
Proven expertise onboarding, parsing, and tuning security log sources (firewalls, cloud, EDR/XDR, IAM, authentication, and networking) for best possible coverage and SOC/IR support.
Advanced Splunk SPL, data model, event parsing, and alert tuning skills; practical SIEM optimization experience.
Scripting/automation ability (Python, shell/CLI, or similar) for pipeline management and validation.
Strong troubleshooting, monitoring, and operational dashboard skills for both pipeline and SIEM health.
Preferred Qualifications
Hands-on experience designing and operating clustered/HA Cribl and Splunk deployments (worker groups, clustered indexers, resilient data forwarders, etc.).
Splunk ES or Cribl certifications.
Key Success Metrics
- No loss of security data or alert coverage during/after pipeline migration and optimization.
- Documented, measurable reductions in Splunk ingest volume and operational/storage cost.
- Consistently balanced log throughput and minimal risk of bottlenecks or overloads—pipeline health and reliability metrics maintained above SLA.
- Well-documented, adaptable pipeline and load balancing architecture.
About the Role
Grow your career with a rapidly growing company that invests in its people and their ability to drive real progress.
Qualifications
- Equal Opportunity Employer
- First Class Training and Development Opportunities