2026-0025 Supp. SIEM (Splunk) Admin Log Collection (NS) BELGIUM - 2 Apr RELAUNCH

Contract Type:

Contractor

Location:

Mons - Mons, Belgium

Industry:

NATO

Contact Name:

Tim Lane

Contact Email:

tim@plr.ltd

Contact Phone:

Tim Lane

Date Published:

23-Mar-2026

Deadline Date:  Monday 2 March 2026
 
Requirement:   Support in SIEM (Splunk) Software Administration and Log Collection
 
Location:  Mons, BELGIUM
 
Full Time On-Site:  Yes
 
Time On-Site:  100%
 
Not to Exceed:  Base 2026: 14,337 EUR/ month
2027 and 2028 yearly Options
 
Period of Performance:  2026 BASE: 4 May 2026
 
Required Security Clearance:  NATO SECRET
 
Please do NOT apply for any NATO contract positions unless you meet ALL the following criteria:
  1. Current National or NATO SECRET clearance
  2. Nationality of one of the NATO member countries
  3. Current work visa for the specific location if applying for an in-country position
Any applications that do NOT meet all the above - and do not CLEARLY show these on the CV - will be deleted.
 
Purpose:
  • The purpose of this Statement of Work (SoW) is to describe the services for the CSDE (Cyber Security Data Engineering) Cell in SHAPE, Mons, Belgium.
  • The NCI Agency (further referred to as "Purchaser") is seeking a qualified Contractor to provide continuous support, in accordance with Cyber Security Data Engineering (CSDE) cell operational standards, for the management of the NCSC SIEM (Splunk-based) environment deployed across the entire NATO environment, as well as all other related activities and/or systems required by the SEC007 (Detection and Monitoring) service. These activities must be performed on site at the SHAPE facilities in Mons, Belgium.
High Level Objectives:
  • CSDE is responsible for collecting security-related data sources from the whole of NATO's IT infrastructure and centralizing them in a dedicated data management and analytic toolset (Splunk). This ensures the data is stored, searchable, and readily available for Cyber Security Defenders, enabling security incident detection and investigation. Additionally, the team ensures maintenance of the tool, keeping it highly functional, resilient, and with high uptime. They also collaborate actively with the Cyber Security Defenders to implement necessary improvements and address evolving needs related to security incident detection and analysis.
  • The objective of this service is to enhance user satisfaction and continuously improve the overall quality and reliability of the platform. This includes improving log collection quality, data ingestion and analysis capabilities, and the quality of analytical features, while minimizing service downtime. The service also aims to ensure timely and efficient responses to internal and external requests, to continuously improve the operating environment, and to introduce new features and capabilities as required.
  • During performance of the contract, the Contractor will act as part of the Purchaser's CSDE Cell fulfilling on-site SIEM management and log collection functions that are critical for the functioning of the SEC007 service.
Deliverables:
The principal deliverable of this SoW is the provision and ongoing delivery of SIEM and SEC007 services (referred to as the Service hereafter). The Service comprises typical support tasks, at a minimum the following (non-comprehensive) list:
SIEM Infrastructure and Software Management:
  • Management of Splunk components deployed within 50+ T3 enclaves across high-side and low-side networks.
  • Operation and maintenance of a T2 SIEM environment composed of 80+ Linux servers (virtual and physical).
  • Administration of the full Splunk software stack, including:
    • Splunk Enterprise
    • Splunk Enterprise Security
    • Splunk SOAR
    • Splunk UBA
  • Management of Splunk deployments across more than 350 servers spanning T2 and T3 environments.
  • Implementation and operation of fully automated deployment and configuration mechanisms based on Ansible and Git.
Log Collection and Data Management:
  • Collection of logs from more than 20,000 endpoints, appliances, and cloud-based solutions.
  • Ensuring end-to-end log lifecycle management, including:
    • Data collection and ingestion
    • Parsing and normalization
    • Storage and retention
    • Categorization and enrichment
    • Monitoring of data flows and data quality
  • Support and integration of new data sources into the T2 Splunk environment, including:
    • Project-driven onboarding
    • Continuous log collection improvements
    • Customer-driven requests
  • Coordination with customers for the deployment and configuration of devices hosting log sources, including:
    • Acting as the technical point of contact for log collection setup
    • Supporting customers during the configuration of endpoints, appliances, and other log sources
    • Ensuring proper follow-up with customers until log sources are correctly configured and successfully integrated into the Splunk platform
    • Clarifying that endpoints, appliances, and other log sources are configured by the customer, with technical guidance and support provided by the SIEM engineer
Platform Configuration and System-Level Support:
  • Configuration and management of Splunk components hosted on Linux servers within T2 and T3 environments.
  • Execution of system-level activities requiring privileged access, including but not limited to:
    • Syslog server configuration
    • SELinux configuration
    • Other OS-level configurations necessary for proper Splunk operation
  • Coordination with the entity responsible for Linux operating system management where responsibilities overlap.
SIEM Reliability and Operational Quality:
  • Ensuring that Splunk Enterprise Security is properly configured, operational, and functioning as intended.
  • Verification that correlation rules are correctly deployed and operate reliably.
  • Ensuring the overall quality, stability, and reliability of SIEM services delivered to security analysts.
  • Continuous monitoring of platform health and service performance.
Continuous Improvement and Operational Support:
  • Ongoing maintenance and optimization of SIEM and log collection services.
  • Support for continuous improvements in log coverage, data quality, and platform efficiency.
  • Technical support related to SIEM platform usage and data ingestion (excluding security, analysis and rule creation).
Processes and Documentation:
  • Definition, maintenance, and continuous improvement of operational processes related to SIEM and log collection services.
  • Development and upkeep of technical and operational documentation covering:
    • Platform architecture and deployment models
    • Configuration standards and automation workflows
    • Log collection, onboarding, and data management procedures
    • Operational runbooks and troubleshooting guides
  • Ensuring documentation remains accurate, up to date, and aligned with the actual state of the environments.
  • Support to process formalization and knowledge transfer activities in coordination with relevant stakeholders.
  • Complying with all applicable internal processes, including but not limited to Change Requests (CRs), administrative tasks, and technical and operational workflows.
User Access Management and Platform Support:
  • Management of user access to the Splunk platform, including the creation, modification, and removal of user accounts and roles, in accordance with defined access control policies.
  • Administration of permissions and role-based access controls within Splunk to ensure appropriate and secure access to data and platform features.
  • Support to users for issues related to their use of the Splunk platform, including:
    • Access and authentication issues
    • Platform usage and functional questions
    • Troubleshooting of Splunk-related user issues
  • Coordination with relevant stakeholders to resolve user-reported issues, where required.
General Requirements:
  • The Contractor shall manage and be responsible for all provided personnel.
  • The Contractor's personnel shall be knowledgeable and experienced in the nature of the tasks and activities of the Service.
  • The Contractor's personnel shall possess valid Personal Security Clearances for the duration of the Contract performance.
  • The Contractor's personnel shall be courteous and professional in dealing with NATO and Purchaser's staff.
  • The Contractor's personnel shall have sufficient knowledge in English language to allow smooth verbal and written communication.
  • The Contractor shall strive to lower the rotation of personnel and maintain the same staff working under this SoW.
  • The Contractor shall seek Purchaser's approval prior to appointing new personnel to work under this Statement of Work.
  • The Purchaser will support the Contractor's personnel with access to the IT systems as required. The Contractor shall submit requests for change of Contractor's personnel at least 45 days in advance.
  • The Contractor shall handle the Purchaser's furnished equipment (PFE) with due care.
  • The Contractor shall install and operate the equipment following the manufacturer's requirements.
  • The Contractor shall minimize the impact to the end users during the execution of the work.
  • The Contractor shall bring immediately to the attention of the Purchaser Point of Contact on-site any issues preventing the execution of the work.
  • The Contractor's personnel will report to and receive guidance from Purchaser Point of Contact on-site, Team Head and Service Delivery Manager.
  • The Contractor's personnel shall follow local procedures to obtain physical unescorted access to the SHAPE facilities and logical access to the networks and systems in scope.
  • The Contractor's personnel shall liaise with other Purchaser's support teams as necessary.
  • The Contractor's personnel shall use the Purchaser Information Technology Service Management (ITSM) and Cyber Operations Management System (COMS) ticketing systems following the Purchaser's procedures.
Specific Requirements:
Hours of Operation:
The Service shall be operated during the Purchaser's business hours - Monday to Thursday from 08h30 until 17h30 and Friday from 08h30 until 15h30.
 
Days of Operation:
The Service shall be operated on all days except weekends and Purchaser's site-specific official holidays. The list of official holidays can be provided on request.
 
Place of Performance:
The Service will be delivered in Mons, Belgium, in a typical office environment in an area designated as a Class I Security Area.
 
Travel Requirements:
Travel may be required to other Purchaser's locations on an exceptional basis.
Travel costs are out of scope and will be borne by the NCI Agency separately in accordance with the provisions of the AAS+ Framework Contract and the NCIA Travel Directive.