Splunk (now part of Cisco) hires across SIEM, SOAR, observability and security research. Interviews probe SPL depth, detection engineering and customer-outcome storytelling.
Write an SPL search to detect a brute-force then a successful login from the same source within 1 hour.
`| tstats summariesonly=t count from datamodel=Authentication where Authentication.action=failure by Authentication.src _time span=1h | where count > 20 | join Authentication.src [ search index=auth action=success earliest=-1h | stats count by src ]` — refine with appropriate data model + time bucketing.
A customer says ES alerts are too noisy. How do you help?
Audit notable-event volume per correlation rule, tune thresholds, apply risk-based alerting (RBA), introduce risk objects + risk modifiers, retire low-value rules, build adaptive-response actions, measure with MTTD / true-positive rate.
Pitch Splunk vs Microsoft Sentinel to a hybrid customer.
Splunk: best-in-class search, mature ES content, vendor-neutral data ingestion, Cisco XDR integration, federated search to S3 / ADX. Sentinel: tight M365 / Azure integration, KQL, Defender XDR. Choose by data gravity + ecosystem alignment.
Explain risk-based alerting and why it matters.
Each event creates a risk modifier on a risk object (user / host); notables fire when accumulated risk crosses a threshold within a time window. Outcome: fewer noisy individual alerts, higher-fidelity correlated notables, better analyst leverage.
Why Splunk?
Detection-as-code maturity, Cisco-scale data + research, customer impact at FS / Gov / CNI scale.
No. Splunk's hiring still operates independently for most roles.
Very, for technical roles. Practice `tstats`, `stats`, `eval`, `mvexpand`, `transaction`, accelerated data models.
Premium members get the full round structure, signals, and AI-graded practice.