SAP • Newtown Square, US

Senior Data Platform SIEM Engineer

Employment type: Full time
Salary: $131,000 – $222,700 per annum
Transparency ranking: 8.4/10

Job Description

We help the world run better
At SAP, we keep it simple: you bring your best to us, and we'll bring out the best in you. We're builders touching over 20 industries and 80% of global commerce, and we need your unique talents to help shape what's next. The work is challenging – but it matters. You'll find a place where you can be yourself, prioritize your wellbeing, and truly belong. What's in it for you? Constant learning, skill growth, great benefits, and a team that wants you to grow and succeed.

Job Description:

At SAP, we are seeking a Senior Data Platform SIEM Engineer to own and evolve our SIEM platforms and to design secure Model Context Protocol (MCP) integrations that let SOC-facing AI assistants safely leverage SIEM context and actions. You will engineer high-quality telemetry pipelines with Cribl, build and maintain infrastructure as code with robust CI/CD, and implement MCP servers/tools/resources that expose controlled SIEM capabilities to LLM clients without compromising security, privacy, or compliance.

What you’ll build:

  • SIEM Platform
    • Splunk Enterprise/ES administration: search head, indexer clustering, deployment server, cluster manager, HEC, UF/HF, CIM mapping, datamodel acceleration, ES notable events, risk-based alerting, performance tuning, licensing, and upgrades.
    • Microsoft Sentinel administration: workspace design, data connectors, ASIM/entity mapping, analytics rules, hunting queries, automation (Logic Apps/playbooks), workbooks, watchlists, health and cost/retention management.
  • Telemetry ingestion and normalization
    • Standardize and normalize telemetry across Splunk CIM and Sentinel ASIM for dependable detection and investigation.
    • Integrate diverse sources: Windows event logs/Sysmon, Linux auditd, M365/Entra ID, Defender suite, network/firewall/proxy, EDR, SaaS apps, and cloud audit logs (Azure/AWS/GCP/Alibaba/IBM/Kubernetes).
  • Cribl Stream/Edge engineering
    • Design and maintain Cribl packs and pipelines to parse, enrich, redact, normalize, and route telemetry to Splunk/Sentinel, Data Lake and archival storage (S3/Blob).
    • Optimize ingest and cost with deduplication, sampling, suppression, field pruning, dynamic routing/fan-out; operate worker groups at scale, HA, Replay, and observability dashboards.
  • MCP (Model Context Protocol) integration
    • Design and implement MCP servers with tools/resources that safely wrap Splunk and Sentinel APIs for read-mostly use cases (e.g., search, incident lookup, notable event triage, dashboard/resource retrieval) and tightly controlled actions (e.g., case updates, watchlist changes).
    • Enforce strict guardrails: RBAC and entitlements, schema-validated inputs, allow-listed SPL/KQL macros, scoped queries, rate limiting/throttling, output sanitization/PII redaction, structured responses, and detailed audit trails.
    • Integrate MCP with SOC co-pilots/chatops to enable retrieval-augmented workflows (RAG) using curated detection documentation, playbooks, and MITRE mappings; ensure ephemeral credentials, JIT access, secrets management (Key Vault/Vault), and full observability of MCP usage.
    • Partner with security architecture and privacy teams to align MCP capabilities with policy, regulatory requirements, and safe model interaction patterns.
  • CI/CD and IaC
    • Maintain version-controlled repositories for SPL/KQL, Splunk apps/TAs, Sentinel analytics/playbooks/workbooks, and MCP server code.
    • Automate validation and deployment via GitHub Actions/Jenkins; use Splunk AppInspect and content linters; implement environment promotion and rollback.
    • Use Infrastructure-as-Code (Terraform) for Sentinel resources/connectors/analytics/Logic Apps; manage Splunk configuration as code for reproducible deployments.
  • Reliability, observability, and cost management
    • Define SLOs/SLAs for ingestion timeliness, data quality, SIEM uptime, and MCP availability; monitor via Splunk Monitoring Console, Sentinel health, Cribl observability, and MCP telemetry.
    • Optimize platform and ingestion cost (Splunk GB/day; Sentinel ingestion/retention/Content Hub) via pipeline tuning, tiering, and storage strategies; forecast capacity and manage upgrades, scaling, DR.
  • Security operations enablement
    • Partner with SOC, IR, and red teams to improve alert fidelity, investigations, and automation; develop playbooks/runbooks and integrate SIEM/MCP with case management (ServiceNow), SOAR (Splunk SOAR/Phantom, Logic Apps).
    • Mentor peers; document standards and patterns; lead design reviews and incident retrospectives focused on detection and telemetry improvements.
  • Governance, privacy, and compliance
    • Enforce least privilege, JIT access, segregation of duties across SIEM, Cribl, and MCP.
    • Implement data minimization, PII redaction/tokenization, retention policies, and controls that support ISO 27001, SOC 2, GDPR, and KRITIS.

What you bring:

  • 4–8+ years administering and engineering SIEM platforms; 3+ years hands-on Splunk Enterprise/ES at scale; 2+ years hands-on Microsoft Sentinel.
  • Expert-level SPL and KQL; strong knowledge of Splunk CIM and Sentinel ASIM mapping.
  • Proven experience designing and operating Cribl Stream/Edge packs/pipelines for large, diverse telemetry sets.
  • Hands-on experience building secure MCP integrations: developing MCP servers, defining tools/resources, implementing RBAC/guardrails, schema validation, rate limiting, streaming results, auditing, and secrets management.
  • Strong CI/CD background: Git, GitHub/Jenkins, YAML pipelines; IaC with Terraform; app packaging, automated testing, controlled promotion across environments.
  • Proficiency in Python and one of TypeScript/Node.js or Go for SDK/API integrations (Splunk REST, Microsoft Graph, Azure Monitor) and MCP server development.
  • Solid understanding of enterprise and cloud logging: Windows, Linux audit, network/firewall/proxy, EDR, identity providers, cloud audit logs (Azure/AWS/GCP/Alibaba/IBM/Kubernetes).
  • Knowledge of security frameworks and detection methodologies (MITRE ATT&CK, NIST/CIS).
  • Excellent communication, documentation, stakeholder management, and mentoring skills.

Preferred Qualifications:

  • Certifications: Splunk Certified Admin/Architect/ES Analyst, Microsoft SC-200/AZ-500, Cribl Certified Admin, GIAC GCDA/GCIA, CISSP.
  • Experience with Splunk ES, datamodel acceleration tuning, SmartStore; Sentinel Content Hub, entity modeling, Threat Intelligence integration.
  • Experience with SOAR platforms (Splunk SOAR/Phantom, Azure Logic Apps) and case management (ServiceNow).
  • Experience building MCP servers using common libraries/frameworks (TypeScript/Node.js or Python), integrating with LLM clients, and implementing safe RAG patterns (e.g., Azure Cognitive Search, Elasticsearch/pgvector/Redis).
  • Exposure to Kafka/Event Hubs, Kinesis, or Logstash/Fluentd for log transport.

Bring out your best
SAP innovations help more than four hundred thousand customers worldwide work together more efficiently and use business insight more effectively. Originally known for leadership in enterprise resource planning (ERP) software, SAP has evolved to become a market leader in end-to-end business application software and related services for database, analytics, intelligent technologies, and experience management. As a cloud company with two hundred million users and more than one hundred thousand employees worldwide, we are purpose-driven and future-focused, with a highly collaborative team ethic and commitment to personal development. Whether connecting global industries, people, or platforms, we help ensure every challenge gets the solution it deserves. At SAP, you can bring out your best.

We win with inclusion
SAP’s culture of inclusion, focus on health and well-being, and flexible working models help ensure that everyone – regardless of background – feels included and can run at their best. At SAP, we believe we are made stronger by the unique capabilities and qualities that each person brings to our company, and we invest in our employees to inspire confidence and help everyone realize their full potential. We ultimately believe in unleashing all talent and creating a better world.

SAP is committed to the values of Equal Employment Opportunity and provides accessibility accommodations to applicants with physical and/or mental disabilities. If you are interested in applying for employment with SAP and are in need of accommodation or special assistance to navigate our website or to complete your application, please send an e-mail with your request to Recruiting Operations Team: Careers@sap.com.

For SAP employees: Only permanent roles are eligible for the SAP Employee Referral Program, according to the eligibility rules set in the SAP Referral Policy. Specific conditions may apply for roles in Vocational Training.

Qualified applicants will receive consideration for employment without regard to their age, race, religion, national origin, ethnicity, gender (including pregnancy, childbirth, et al.), sexual orientation, gender identity or expression, protected veteran status, or disability.

Compensation Range Transparency: SAP believes the value of pay transparency contributes towards an honest and supportive culture and is a significant step toward demonstrating SAP’s commitment to pay equity. SAP provides the annualized compensation range inclusive of base salary and variable incentive target for the career level applicable to the posted role. The targeted combined range for this position is $131,000 – $222,700 USD. The actual amount to be offered to the successful candidate will be within that range, dependent upon the key aspects of each case which may include education, skills, experience, scope of the role, location, etc. as determined through the selection process. Any SAP variable incentive includes a targeted dollar amount and any actual payout amount is dependent on company and personal performance. Please reference this link for a summary of SAP benefits and eligibility requirements: SAP North America Benefits.

AI Usage in the Recruitment Process

For information on the responsible use of AI in our recruitment process, please refer to our Guidelines for Ethical Usage of AI in the Recruiting Process.

Please note that any violation of these guidelines may result in disqualification from the hiring process.

Requisition ID: 448422 | Work Area: Information Technology | Expected Travel: 0 - 10% | Career Status: Professional | Employment Type: Regular Full Time | Additional Locations: #LI-Hybrid


Company benefits

Annual leave: 25 days (UK), 30 days (Germany), 21 days (India) + bank holidays
Accrued annual leave – 1 day/year up to 30 days (UK)
Open to job sharing
Sabbaticals
Adoption leave – Up to 52 weeks (UK)
Open to part time work for some roles
Returnship
Equity packages
Shared parental leave
Enhanced maternity leave
Fertility benefits
Pregnancy support
On-site childcare
Share options
Electric Car Salary Sacrifice
Gym membership
Dental coverage
Health insurance
Private GP service
Mental health platform access
Life assurance
Life insurance
Enhanced pension match/contribution
Enhanced paternity leave
Travel insurance
Cycle to work scheme
On-site gym
Bike parking
Enhanced sick pay
Emergency leave
Enhanced sick days
Company car
Open to part-time employees
Work from anywhere scheme
Childcare credits
Fertility treatment leave
Pregnancy loss leave
Carer’s leave
Nursery salary sacrifice scheme
Family health insurance
Women’s health leave
Annual bonus
401K
Referral bonus
Joining bonus
Employee discounts
Loyalty programme
Non-contributory pension
Personal development days
Personal development budgets
L&D budget
Language lessons
LinkedIn learning license
Study support
Studying sabbaticals
Lunch and learns
In house training
Hackathons
Professional subscriptions
Further education support

Working at SAP

Company employees: 107,000

Gender diversity (m:f): 65:35

Hiring in countries

Argentina, Australia, Austria, Bahrain, Belgium, Brazil, Bulgaria, Canada, Chile, China, Colombia, Côte d'Ivoire, Croatia, Cyprus, Czechia, Denmark, Egypt, Finland, France, Germany, Greece, Hong Kong, Hungary, India, Indonesia, Iraq, Ireland, Israel, Italy, Japan, Kuwait, Luxembourg, Malaysia, Malta, Mexico, Morocco, Netherlands, New Zealand, Nigeria, Norway, Philippines, Poland, Portugal, Qatar, Romania, Saudi Arabia, Serbia, Singapore, Slovakia, Slovenia, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, Thailand, Türkiye, Ukraine, United Arab Emirates, United Kingdom, United States, Vietnam
