
Asking for advice: Things I wish I knew when I was entering Splunk SOC Teams

kingsmill
Explorer

Hello all, I am looking for advice as I am starting a new job soon. I have a bit of experience in the IT field, around 3 years now.

I have been told they are using Splunk a lot (SOC analyst), and I don't have a lot of experience with Splunk.

I would like to prepare myself a little bit, could you give me any advice?
I created a Splunk environment, added data, watched some YT videos and Pluralsight courses, and am reading a book: James D. Miller - Mastering Splunk 8.

1) If you are using Splunk a lot in your SOC team, what are typical duties & responsibilities?

2) Do you have any queries (if you can share) and they are good to have in the SOC environment?

3) What do you think I should do in my labs?

4) I am looking for examples of data where I can do threat hunting with Splunk.

Many thanks for your help!

Feel free to PM me, cheers!


securitypaul
Explorer

What devices do you have on your network you could use as log sources?

You could buy a used FortiGate, Cisco firewall etc. and set up a syslog-ng server. Put a Universal Forwarder on that and set those devices to log via syslog to gather logs about blocked sessions or threats (usually UTM features need a license).


Can you access your antivirus logs? Ingest those and download Eicar test files.

https://www.eicar.org/download-anti-malware-testfile/


You could set up Damn Vulnerable Web Application (DVWA), ingest its logs, and see if you can run exploits against it.

https://github.com/digininja/DVWA


Have a play with Splunk Attack Range or the local version of it.

https://www.splunk.com/en_us/blog/security/introducing-splunk-attack-range-v1-0.html

https://github.com/splunk/attack_range_local/


I'd be interested to hear how you get on if you try any of these.

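As an added illustration of the syslog-ng to Universal Forwarder pipeline described above (not configuration from the original post), here is the pair of files that wires it together. It assumes syslog-ng 3.x writing one directory per sending host under /var/log/syslog-ng, a forwarder running as the user splunk, and an index named firewall that already exists on the indexer.

```conf
# --- /etc/syslog-ng/conf.d/firewall.conf (syslog-ng side) ---
# Listen for the firewall's syslog on UDP/514. Plain UDP syslog is
# unauthenticated and unencrypted, so keep the lab network isolated.
source s_firewall {
    network(transport("udp") port(514));
};

# One file per sending host and day, so host_segment below can recover
# the device name from the path. Files are owned by the forwarder user
# and not world-readable, since firewall logs expose internal topology.
destination d_firewall {
    file("/var/log/syslog-ng/${HOST}/${YEAR}-${MONTH}-${DAY}.log"
         create-dirs(yes)
         owner("splunk") group("splunk")
         perm(0640) dir-perm(0750));
};

log { source(s_firewall); destination(d_firewall); };

# --- $SPLUNK_HOME/etc/system/local/inputs.conf (Universal Forwarder side) ---
# Monitor the whole tree written by syslog-ng above.
[monitor:///var/log/syslog-ng/*/*.log]
disabled = false
index = firewall
# Path segments: 1=var 2=log 3=syslog-ng 4=<HOST>, so segment 4 is the device.
host_segment = 4
# Generic sourcetype; if the vendor add-on for your firewall is installed,
# use the sourcetype it defines instead so its field extractions apply.
sourcetype = syslog
```

Check the ingest with `index=firewall | stats count BY host sourcetype` before building searches on blocked sessions or UTM threat events.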

gcusello
SplunkTrust

Hi @kingsmill,

Did you start with Splunk Training?

There are some free courses (e.g. https://www.splunk.com/en_us/training/courses/splunk-fundamentals-1.html), and many interesting non-free courses.

Do you know SPL?

If not, follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchTutorial/WelcometotheSearchTutorial).

About searches used in a SOC, you could watch videos about Splunk Enterprise Security (the Splunk SIEM used in SOCs) and some security apps (e.g. https://splunkbase.splunk.com/app/4240/).

Finally, the most important thing in Splunk is a deep knowledge of the systems to monitor and of the security threats; the way to use Splunk is the minor problem.

Ciao.

Giuseppe

kingsmill
Explorer

Thank you so much! I will check them out!

gcusello
SplunkTrust

Hi @kingsmill,

If this answer solves your need, please accept it for the other people in the Community; otherwise, tell me how I can help you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉
