Security & the Enterprise
Much secured. So patch!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Asking for advice: Things I wish I knew when I was entering Splunk SOC Teams

kingsmill
Explorer
‎08-15-2021 03:31 AM

Hello all, I am looking for advice I am starting a new job soon.I have a bit of experience in the IT field around 3 years now.

I have been told they are using Splunk a lot ( SOC analyst ) as I don't have a lot of experience with Splunk.

I would like to prepare myself a little bit, could you give me any advice?
I created a Splunk environment, add data, watching some YT videos and Pluralsight courses, reading a book James D. Miller - Mastering Splunk 8

1) If you are using Splunk a lot in your SOC team, what are typical duties & responsibilities?

2) Do you have any queries (if you can share) and they are good to have in the SOC environment?

3) What do you think what should I do in my labs?

4) I am looking for examples of data, where I can do  Threat Hunting with Splunk. 

many thanks for your help!

feel free Pm me, cheers!

 

Labels (5)
0 Karma

securitypaul
Explorer
‎06-14-2022 05:01 AM

What devices do you have on your network you could use as log sources?

You could buy a used FortiGate, Cisco firewall etc and setup an Syslog-NG server. Put a Universal Forwarder on that and set those devices to log via syslog to gather logs about blocked sessions or threats (usually UTM features need  a license).

 

Can you access your antivirus logs? Ingest those and download Eicar test files.

https://www.eicar.org/download-anti-malware-testfile/

 

You could setup a **bleep** Vulnerable Web Application, ingest the logs, see if you can run exploits against it.

https://github.com/digininja/DVWA

 

Have a play with Splunk Attack Range or the local version of it.

https://www.splunk.com/en_us/blog/security/introducing-splunk-attack-range-v1-0.html

https://github.com/splunk/attack_range_local/

 

I'd be interested to hear how you get on if you try any of these.

 

 

0 Karma

gcusello
SplunkTrust
SplunkTrust
‎08-15-2021 08:06 AM

Hi @kingsmill,

did you started with Splunk Training?

there are some free courses (e.g. https://www.splunk.com/en_us/training/courses/splunk-fundamentals-1.html), and many interesting not free courses.

Did you know SPL?

if not follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchTutorial/WelcometotheSearchTutorial).

About searches used in a SOC, you could see videos about Splunk Enterprise Security (The Splunk SIEM used in SOC) and some security App (e.g. https://splunkbase.splunk.com/app/4240/).

At least, the most important thing in Splunk is a deep knowledge of the systems to monitor and the security threats, the way to use splunk is the minor problem.

Ciao.

Giuseppe

kingsmill
Explorer
‎08-16-2021 01:32 AM

thank you so much! I will check them out! 

0 Karma

gcusello
SplunkTrust
SplunkTrust
‎08-16-2021 01:41 AM

Hi @kingsmill,

if this answer solves your need, please accept it for the other people of Community, otherwise, tell me how can I help you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...