Emmanuel Esotu

Laurel

Summary

Seasoned Senior Splunk and Cybersecurity Engineer with several years of experience. I specialize in designing and optimizing large-scale SIEM solutions, excelling in data volume management, alert migration, and automation. My proactive leadership in critical infrastructure, cloud migration, and vulnerability remediation consistently delivers cost savings, enhanced efficiency, and robust threat detection. I leverage advanced scripting and tools (Python, Ansible, XQL, SPL) to drive operational excellence and strengthen security postures.

Overview

7 years of professional experience
1 Certification

Work History

Cybersecurity Engineer/Consultant

Palo Alto Networks
Palo Alto, CA
03.2024 - Current
  • Directed the successful end-to-end deployment of Cortex XSIAM for over 10 enterprise clients within a 12-month period, delivering advanced security analytics and automation capabilities.
  • Engineered and implemented 180+ custom correlation rules across diverse client environments (e.g., financial services, healthcare, critical infrastructure), ensuring precise detection of anomalous activities, data integrity violations, and insider threats.
  • Functioned as a Principal Professional Services Consultant, guiding strategic migrations from legacy SIEM platforms (e.g., Splunk, Dynatrace, Exabeam) to the Palo Alto Networks XSIAM/XSOAR unified security operations platform, minimizing disruption and maximizing operational efficiency.
  • Developed and customized robust XSIAM dashboards and widgets to enhance operational visibility, including real-time ingestion monitoring, role-based access control change tracking, and optimized incident queue management, directly improving SOC team response times.
  • Designed complex XQL queries and provided advanced training to client security teams on best practices for query writing and data exploration within XSIAM/XSOAR, significantly enhancing their threat hunting and investigative capabilities.
  • Configured and optimized 40+ diverse syslog sources, including critical infrastructure logs (e.g., Cisco ASA, Palo Alto Networks NGFW, Fortinet FortiGate), endpoint security (e.g., CrowdStrike Falcon, Microsoft Defender), and cloud platform logs (e.g., AWS CloudTrail, Azure Activity Logs), developing custom parsers to ensure accurate field extraction and timestamp normalization.
  • Implemented parsing logic for challenging log formats, achieving complete data fidelity and normalized schema for previously unstructured data, critical for effective correlation and analysis.
  • Orchestrated comprehensive log source onboarding strategies, overseeing the successful ingestion of high-volume data streams (e.g., DHCP, DNS, Windows Event Logs, Linux Audit) into XSIAM, ensuring compliance and robust detection coverage.
  • Provided expert-level consultation on detection engineering, aligning XSIAM capabilities with client-specific threat models and regulatory requirements (e.g., HIPAA, PCI DSS, GDPR).
  • Reduced false positive rates by an average of 20% through continuous fine-tuning of correlation rules and anomaly detection algorithms, directly improving analyst efficiency and focus on genuine threats.
  • Provided critical consultative guidance to clients facing ingestion limits, advising on strategies to optimize data volume and reduce daily ingestion rates by up to 30%, resulting in significant cost savings and improved platform efficiency.
  • Engineered and deployed custom drop rules within XSIAM to precisely manage log ingestion, ensuring the exclusion of non-essential data streams (e.g., low-priority debug logs, verbose application events) while maintaining full visibility over security-critical information.
  • Led the rapid and successful conversion of 70+ complex Splunk SPL alerts into optimized Palo Alto XSIAM XQL queries for a major Federal client, completing the migration within a demanding two-week timeframe and ensuring seamless continuity of threat detection capabilities.
  • Developed standardized data models within XSIAM for clients with custom field parsing requirements, enabling consistent data normalization and facilitating robust correlation and reporting across diverse and uniquely formatted log sources.
  • Pioneered the creation of comprehensive XSIAM data schema for applications and niche security tools, ensuring accurate field extraction and facilitating advanced analytics where off-the-shelf parsers were insufficient.
  • Collaborated directly with client engineering teams to identify and prioritize log sources, establishing an ingestion strategy that balanced security efficacy with operational costs and compliance needs.

Splunk Data Engineer

State Farm Insurance
Bloomington, IL
04.2021 - 02.2024
  • Principal Engineer responsible for ensuring the Splunk architecture is intact, working closely within QUAL and PROD environments conducting daily health checks, routine maintenance activities, and applying OS patches and upgrades to maintain system integrity.
  • Implement Ansible automation to orchestrate Splunk upgrades on more than 15,000 forwarders, and Yum update patching, resulting in a substantial improvement in overall work efficiency.
  • Utilize KVstore for efficient collection management, executing CRUD operations via Splunk REST API to optimize data processing workflows.
  • Led the migration project to Splunk Cloud, integrating AWS and On-Prem clustered environments, and establishing a new search head cluster for streamlined operations.
  • Designed and implemented an Exploitable Vulnerabilities dashboard, detecting vulnerabilities across all operating systems within the firm. Configured the dashboard to display detailed metrics such as Total Exploits, OS, PluginID, CVE, Remediation priority, Days since detection, Actions removed, and Pending Exploit Remediation.
  • Configure Splunk services under systemd, harnessing workload management capabilities through cgroups for enhanced operational performance.
  • Developed a Log4J remediation script, fortifying the Splunk environment against Log4J vulnerabilities, and ensuring robust security measures.
  • Design and customize complex search queries for dashboards by executing SPL commands that include eval, iplocation, geostats, metadata, tstats, spath, chart, timechart, dedup, top, revert, sort, rename, etc., which results in improved run-time performance.
  • Optimizing the use of Regex to set up filters within the Syslog server and ingest data from network devices.
  • Serve as the Lead Splunk Engineer for creating custom Splunk TAs/Apps as per requirements and onboarding new data sources via various methods including Splunk Universal Forwarder, HTTP Event Collector (HEC), Splunk DB Connect, and Syslog, as well as configuring appropriate roles for groups, indexes allowed, search disk quotas, etc.
  • Automate manual platform management processes using advanced scripting tools/languages such as Python, Regex, SQL, PowerShell, Bash, Java, SPL, GitHub, Gitlab, Ansible, and AWX.
  • Ensure log ingest processes are CIM compliant; facilitating Data Model Acceleration to accelerate queries, dashboards, and correlation searches for efficient log management.
  • Utilizing Cribl to route data to the necessary servers, aggregating logs into metrics for reduction at scale, and improving the system by removing null values and duplicate events using the Cribl platform.
  • Regularly perform search time field value extractions to efficiently work with incoming data.
  • Optimizing dashboard performance with the creation of base searches for panels running similar queries as well as referencing saved searches, using text inputs with tokens using set or unset, and preload drill-downs.
  • Set up and provision new virtual machines to act as Splunk Search head to abide by RHEL capabilities.
  • Improve detection capabilities by building and enhancing alert rules, reducing noisy and false positive alerts within the firm by 30%.

Splunk Administrator

Costco
Seattle, WA
02.2020 - 03.2021
  • Day-to-day tasks consisted of monitoring, measuring, and maintaining the availability and health of Splunk services and platforms. Provided ongoing support for Splunk platforms and AWS Cloud services as required, e.g., problem and incident management and taking part in troubleshooting for service recovery.
  • Successfully designed a Firewall troubleshooting dashboard, tracking traffic flows through firewalls to identify IP or Port blockages between sites in different regions, which allowed for engineers to act promptly to remediate any issues.
  • Engineered an in-house SNOW plugin integration for AWS Splunk, Splunk On-Prem, and Splunk Enterprise Security.
  • Performed integration activities to connect with 3rd party software APIs, enhancing overall system capabilities.
  • Crafted a Python script for the successful reassignment of over 20,000 knowledge objects and role mappings via AWX.
  • Developed a master script for building all Cortex components in a single build as part of AMI updates.
  • Implemented Telegraf observability throughout the Splunk platform via AWX, mitigating potential resource outages and supporting expansion needs. Developed a Telegraf upgrade script for seamless updates.
  • Performed DNS entry changes on Deployer, Cluster Master, Indexers, and other Splunk instances within UAT and Production environments.
  • Responsible for configuring AWS resources, including S3 buckets, Load Balancers, Security Groups, and IAM Roles and policies.
  • Led the scaling of Splunk Indexer cluster and Search Head Cluster, conducting server resizing to meet operational demands.
  • Conducted a thorough review and set up of new Props.conf and Transforms.conf configurations for all data sources within the Splunk platform, enhancing data enrichment and processing efficiency.
  • Managed SSL certificates for secure communications, ensuring the confidentiality of data.
  • Develop, create, and manage custom Splunk Knowledge objects, including alerts, macros, eventtypes, field aliases, and dashboards, etc.
  • Designed an E-mail flow troubleshooting dashboard, monitoring e-mail flows, and addressing blocks from external senders to internal recipients.
  • Acted as a single point of contact for Splunk technical questions, software issues, and for management escalations, granting approvals and denials for infrastructure and platform change requests.
  • Performed data integration via HTTP Event Collector (HEC) in order to efficiently send data to Splunk Enterprise and Splunk Cloud.
  • Configured a multi-site cluster for disaster recovery planning; set up DR validation scripts that carried out DR tests on new infrastructure.

Splunk Analyst

TD Bank
Cherry Hill, NJ
01.2019 - 12.2019
  • Decommissioned Splunk components and migrated indexers in preparation for the new IDX Cluster.
  • Refactored OSS monitoring Terraform to enable simultaneous upgrades of all components, streamlining the upgrade process.
  • Developed a non-intrusive alert capable of triggering upon any production change. This alert effectively displays the results of the change and ensures minimal noise, resulting in effective quarterly auditing processes.
  • Worked closely with data owners to fulfill their expectations regarding the final look of their data, ensuring effective data parsing and transforming utilizing props.conf and transforms.conf.
  • Troubleshot error/warn messages, skipped jobs, skipped searches, and addressed missing or delayed logs within the Splunk platform.
  • Created local Ansible automation for regenerating and replacing old PEM files, enhancing security measures.
  • Implemented index creation and custom app automation for the Splunk Enterprise Security team, optimizing operational workflows.
  • Onboarded applications in Splunk that involved log ingestion, database queries, and development of transaction stitching by adding key field extractions, lookups, macros, and saved searches.
  • Scaled environments to optimize pipeline queues and ensure efficient resource utilization.
  • Configured the manager node with indexer discovery along with universal forwarders; added additional configuration strings within server.conf and outputs.conf.
  • Monitored the whole infrastructure for capacity planning and optimization, also supported Splunk on both Linux and Windows platforms.
  • Developed CI/CD workflows on Microsoft Azure for project deployments.
  • Coded and enhanced dashboards with advanced HTML, CSS, and XML.
  • Configured serverclasses to map newly created Universal Forwarders with Deployment Server and dedicated apps and onboarded data into Splunk via HEC, Syslog, and Splunk DB Connect, etc.

Education

Bachelor of Science - Information Technology

Towson University
Towson

Certification

  • Splunk Certified Core User
  • Splunk Certified Power User
  • Splunk Certified Admin
  • XSIAM Platform Engineer
  • CompTIA Security+

Timeline

Cybersecurity Engineer/Consultant

Palo Alto Networks
03.2024 - Current

Splunk Data Engineer

State Farm Insurance
04.2021 - 02.2024

Splunk Administrator

Costco
02.2020 - 03.2021

Splunk Analyst

TD Bank
01.2019 - 12.2019

Bachelor of Science - Information Technology

Towson University