Location: London (Hybrid - 2 days per week onsite)
Work Pattern: Hybrid - 2 days per week onsite in London
Duration: 6 months initially
Rate: £550 per day
IR35 Status: Outside IR35
Clearance: Active SC Clearance
Overview
This is an Outside IR35 contract offering strong take-home pay for a specialist SOC Engineer with deep Splunk and Cribl expertise. We are seeking a SOC Engineer to design, build and optimise the security data pipeline underpinning a UK public sector Security Operations Centre. This is a hands-on engineering role centred on Cribl Stream and Splunk Enterprise Security: you will own end-to-end log onboarding, shape and route telemetry through Cribl, and ensure high-quality, normalised data lands in Splunk to drive reliable detection. Working alongside SOC analysts and wider engineering teams, you will improve detection coverage, control ingest cost, and support secure-by-design delivery within a complex, regulated government environment. The contract is hybrid, based in London with 2 days per week onsite, for an initial 6 months.
Key Responsibilities
- Design, build and administer Cribl Stream pipelines, routes, packs and worker groups to filter, enrich, route and redact security telemetry before ingestion
- Own end-to-end log onboarding across cloud (AWS, Azure, M365) and on-premises sources, including parsing, normalisation and Splunk Common Information Model (CIM) mapping
- Optimise Splunk ingest volume and licence cost by strategically filtering, sampling and summarising data within Cribl
- Administer and tune Splunk Enterprise Security (ES) in a distributed deployment, including index-time processing, props/transforms and search performance
- Develop and maintain correlation searches, notable events, Risk-Based Alerting (RBA) and dashboards to improve detection coverage
- Work with SOC analysts to translate detection requirements into reliable data sources, use cases and tuned alerts
- Build and maintain data onboarding as code, applying GitOps and CI/CD practices for repeatable, controlled change
- Troubleshoot data quality, latency and pipeline issues across the Cribl and Splunk estate
- Document data flows, onboarding standards and engineering runbooks
- Contribute to secure-by-design delivery and to outcomes under the NCSC Cyber Assessment Framework (CAF)
Essential Skills
- Strong commercial experience as a SOC/Security Engineer building and operating SIEM data pipelines
- Hands-on Cribl Stream experience - designing and managing routes, pipelines, packs and worker groups for log routing, enrichment and reduction
- Deep Splunk experience, including Enterprise Security (ES) administration in distributed environments
- Strong SPL, data models, dashboards and search optimisation skills
- Expertise in data onboarding, parsing, index-time processing, normalisation and CIM mapping (props/transforms)
- Experience reducing Splunk ingest volume and licence cost through telemetry pipeline optimisation
- Log onboarding from cloud (AWS, Azure, M365) and on-premises systems
- Scripting in Python or PowerShell for data manipulation and API interaction
- Working knowledge of Linux (RHEL) and Windows administration
- Active SC Clearance
Nice To Have
- Cribl certification, or experience with Cribl Edge and Cribl Search
- Splunk certifications (e.g. Splunk Enterprise Security Certified Admin)
- Experience with GitOps and CI/CD tooling for detection and onboarding as code
- Exposure to detection engineering and MITRE ATT&CK-aligned content development
- Experience operating within NCSC CAF/GovAssure or similarly regulated public sector environments