SIEM Infrastructure administration
Perform SIEM health check
Monitor SIEM Server Storage, CPU and Memory Usage and perform necessary action.
Perform SIEM version upgrade
Update Splunk configurations based on security advisories
SIEM Infra Tuning and Performance Optimization
Monitor SIEM data sources proactively to identify issues in the environment (e.g. indexer cluster or search head cluster issues)
SIEM Data onboarding
Data onboarding (including first-level assessment and UAT testing before go-live)
Integration of numerous log sources, including servers (Windows and Linux), network devices and security tools such as NAC, PAM, NBAD, IPS, DAM, DLP, AV, etc.
Data Parser and CIM Mapping Configuration
SIEM Use Case Development
Fine-tune existing use cases
Build new use cases
SIEM Troubleshooting and Splunk servers reconciliation
Troubleshoot, investigate and remediate identified SIEM issues
Monitor and troubleshoot the servers that have stopped reporting
Troubleshoot issues with search scheduler management
Search head tuning and optimization for missed searches, failed jobs, scheduled searches, etc.
Liaise with IT support groups and service providers to resolve outstanding issues such as log onboarding (e.g. coordinate heavy forwarder (HF) related issues with the Core team and source-related issues with the Cyber team)
Reconcile Splunk servers periodically
SIEM Documentation
Prepare/update SIEM tool SOPs
Update Splunk build documents whenever there are changes to the Splunk deployment architecture
Prepare/update Splunk guide for agent installations
Job ID: 125419619