Join us as we pursue our disruptive new vision to make machine data accessible, usable and valuable to everyone. We are a company filled with people who are passionate about our product and seek to deliver the best experience for our customers. At Splunk, we’re committed to our work, customers, having fun and most meaningfully to each other’s success. Learn more about Splunk careers and how you can become a part of our journey!
The Digital Forensics Incident Response (DFIR) Engineer works within the Splunk Critical Incident Response Team in our fast-growing Splunk Global Security organization. You will have a highly visible role with the responsibility for briefing leadership on the outcomes of your investigations. This role focuses on:Developing tooling and capabilities to scale forensic investigations across cloud, enterprise, and endpoint environments Leading technical investigations relating to various host and infrastructure intrusions Researching and remaining current on various attacker methodologies Performing forensics remotely and in cloud environments.
This role is not a traditional black box digital forensics role. This role requires broad technical capabilities across multiple disciplines supporting incident response ranging from the ability to build and automate tooling, performing packet analysis, analyzing custom logs, understanding OS internals, and integrating technical incident response into a multi-cloud environment. .
Critical thinking and strong analytical report writing are vital for this role, as you will be need to convey highly technical evidence and fact-based conclusions to leadership.
ResponsibilitiesYou will independently lead technical investigation and perform digital forensics involving a broad range of adversarial activity in cloud environments. Produce workflows for automated data collection and processing of forensic artifacts and images. Help identify and develop ways to improve the team's production and efficiency by accelerating on our existing tools and processes Develop tools and infrastructure to scale digital forensics/incident response across cloud environments. Actively participate in Red/Blue activities Perform root cause analysis and attack reconstruction Lead forensic investigations for all of Splunk. Foster team growth and mentorship. We believe in growing operators through ownership and leadership opportunities. We also believe mentors help both sides of the equation. Provide processes and procedures for triage level forensic collection and analysis to the IR team.
Requirements5+ years professional IT or IT Security experience; or 3 years and a Master’s degree 3 years experience leading technical investigations Deep understanding of attacker methodologies Hands on experience with forensics and investigating intrusions in AWS, GCP, and Azure and other cloud environments. Experience using various tools supporting DFIR including GRR, Rekall, SIFT, Volatility, X-Ways, Encase, Wireshark, TCPDump, OSQuery, SIEM, Splunk, CrowdStrike, and other open source and commercially available tools 3+years tooling experience across multiple scripting languages including GoLang, Python, PowerShell, SQL, SPL, etc. Expert knowledge system internals knowledge of Windows, MacOS, and Linux. Efficient report writing skills for varied audiences including both management and technical
We value diversity at our company. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, or any other applicable legally protected characteristics in the location in which the candidate is applying.
For job positions in San Francisco, CA, and other locations where required, we will consider for employment qualified applicants with arrest and conviction records.
Thank you for your interest in Splunk!