Splunk for Security Analysts
Great analysts understand how to manipulate data to find what they’re looking for.
Whether you’re a SOC analyst trying to prove an alert is a false positive, a responder looking for indications of lateral movement, a threat intel analyst trying to identify patterns in attacker behavior, or a threat hunter looking for something your intrusion detection tools missed… you have to understand how to use your tools effectively to achieve your goal. That’s where Splunk comes in.
Splunk is a data analysis platform that allows security practitioners to centralize data, search through it, correlate events, and create security analytics and dashboards.
It’s also the most popular commercial SIEM used by security teams to perform investigations and threat hunting.
But learning to use Splunk effectively is challenging. It’s a complex tool with a lot of features and multiple paths to achieve similar goals. Not only that, but the documentation is written for a general audience and does not address many of the use cases common to cyber security.
I always thought there needed to be a way to help security analysts learn to use Splunk effectively from the ground up and get answers to the most common questions they’ll encounter. Now, I’m excited to offer a no-nonsense online course that does just that and is built for security analysts who want to learn Splunk… by security analysts who use Splunk every day.
Splunk for Security Analysts will teach you how to use Splunk to onboard data, extract meaningful fields, and search through it using real security data to conduct security research and investigations. This course goes beyond the documentation to provide a diverse set of real-world security data that you’ll use to gain confidence with Splunk’s extensive capabilities.
The Splunk Data Pipeline
- The components of a Splunk environment
- How data travels through Splunk
- Locations of Splunk configuration files, what they do, and their precedence
- Where to find and install apps
- Creating indexes for storing data
- Installing and configuring Universal Forwarders to ship logs to Splunk
- Onboarding security evidence sources such as Windows Event Logs, Linux OS logs, Apache Web Server logs, CSV files, and more
- Techniques for reliably onboarding custom data sources
- How to extract important fields from data streams
Finding and Exploring Data
- Understand different search modes for data matching
- Organize search results with the FIELDS, TABLE, and SORT commands
- Find uncommon values with the TOP and RARE commands
- Create new fields using the EVAL and REX commands
- Create calculations using the STATS, EVENTSTATS, and STREAMSTATS commands
- Display results in graphs with the CHART and TIMECHART commands
- Optimize Splunk queries for maximum performance
Enrichment and Advanced Filtering
- Enrich data with lookups from internal and external sources
- Perform searches within searches (subsearches)
Sharing, Scheduling, and Alerting
- Save searches and share results with other analysts
- Create ad-hoc and scheduled reports from queries
- Create alerts from queries
Visualization and Dashboards
- Build static dashboards to display query results and charts
- Build dynamic dashboards with options for changing the search time range and inputs
- Create custom drilldowns for pivoting from search results
- Explore Dashboard Studio to quickly create new dashboards visually
Throughout the course, you’ll also work through real-world security scenarios, including:
- Identifying look-alike domains used for phishing
- Finding the first time a user logged into each system on the network
- Identifying password guessing attempts with failed logons
- Finding HTTP connections made to a web server’s IP address rather than to its domain name
- Identifying high network bandwidth consumption from a baseline
- Searching multiple data sources for common indicators
- … and many more!
For each of these concepts, I’ll describe how the Splunk feature works and demonstrate it using data you’re likely to encounter in security operation centers and incident response scenarios. As the course moves forward, we’ll build on each of the techniques I demonstrate so that you can practice what you’re learning and retain it. You’ll be able to apply these skills to your own environment immediately.
If you want to learn how to use Splunk to centralize security data, find answers to investigative questions, correlate security events, and hunt down threats… Splunk for Security Analysts is the course you’re looking for.
Splunk for Security Analysts Includes:
Over 15 hours of demonstration videos. These videos will break down the concepts and skills you need to become adept at using Splunk to onboard and search through diverse data types.
Hands-on labs to help you develop and test your skills. You’ll complete the labs by ingesting security-relevant data, following along with class demonstrations, and working through the exercises on your own. We’ll be with you along the way to provide guidance and feedback on your work.
Participation in our student charitable profit-sharing program. A few times a year we designate a portion of our proceeds for charitable causes. AND students get to take part in nominating charities that are important to them to receive these donations.
Frequently Asked Questions
Is this course live?
This is NOT a live course. It’s an online video course you can take at your own pace. You’ll interact with the instructor asynchronously through the course exercises.
How long do I have access to the course material?
You have access to the course for six months following your purchase date. If you need more time, you can extend your access for a small monthly fee.
Are there any prerequisites or lab requirements for this course?
This course is designed for all security practitioner skill levels and assumes no prior Splunk experience. You should have some level of comfort using Linux and setting up virtual machines if you wish to follow along with the lab exercises.
To build the Splunk lab, you’ll set up the following systems (these can be virtual or cloud-based):
- Splunk Enterprise
  - 8 GB RAM, 4 CPU cores (more recommended), 100 GB of disk space
- Windows Forwarder
  - 2 GB RAM (more recommended), 2 CPU cores, 50 GB of disk space
- Linux Forwarder
  - 1 GB RAM, 2 CPU cores, 50 GB of disk space
How much time does it take to do this course?
Given the number of lab exercises, the time it takes to complete the course varies from person to person. In total, you can plan for around 15 hours of lecture and demonstration lessons and 5-10 hours of lab exercises on your own. We recommend spreading your time in the course out over at least a few weeks to benefit from the effects of spaced learning.
How many CPEs/CMUs is this course worth?
Organizations calculate continuing education credits in different ways, but they are often based on the length of the training. This course averages 20 hours of video and lab work.
Do you offer discounts for groups from the same organization?
Yes. To inquire about discounts or group invoices please contact us at firstname.lastname@example.org.
Meet the Course Author – Thomas Fellinger
Thomas Fellinger is a SOC tech lead for an Austrian MSSP. He has worked with many different security technologies in multiple roles over his 20-year career, frequently focusing on supporting the design, deployment, and use of Splunk. He is a Splunk Core Certified Consultant and enjoys learning as much as teaching, especially in the area where cyber security meets data analytics. You can find Thomas on LinkedIn or as @reg0bs on Twitter.