
Asking for advice: Things I wish I knew when I was entering Splunk SOC Teams

kingsmill
Explorer

Hello all, I am looking for advice as I am starting a new job soon. I have a bit of experience in the IT field, around 3 years now.

I have been told they are using Splunk a lot (SOC analyst), and I don't have a lot of experience with Splunk.

I would like to prepare myself a little bit, could you give me any advice?
I created a Splunk environment, added data, watched some YT videos and Pluralsight courses, and am reading a book (James D. Miller, Mastering Splunk 8).

1) If you are using Splunk a lot in your SOC team, what are typical duties & responsibilities?

2) Do you have any queries (if you can share them) that are good to have in a SOC environment?

3) What do you think I should do in my labs?

4) I am looking for examples of data where I can do Threat Hunting with Splunk.

Many thanks for your help!

Feel free to PM me, cheers!


securitypaul
Explorer

What devices do you have on your network you could use as log sources?

You could buy a used FortiGate, Cisco firewall etc. and set up a syslog-ng server. Put a Universal Forwarder on that and set those devices to log via syslog to gather logs about blocked sessions or threats (usually UTM features need a license).

Can you access your antivirus logs? Ingest those and download Eicar test files.

https://www.eicar.org/download-anti-malware-testfile/


You could set up a **bleep** Vulnerable Web Application, ingest the logs, and see if you can run exploits against it.

https://github.com/digininja/DVWA


Have a play with Splunk Attack Range or the local version of it.

https://www.splunk.com/en_us/blog/security/introducing-splunk-attack-range-v1-0.html

https://github.com/splunk/attack_range_local/


I'd be interested to hear how you get on if you try any of these.

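A worked example added here, not from securitypaul's post or from any Splunk project: an SPL search that hunts for injection and traversal attempts in the DVWA web-server access log once it is ingested. It assumes the Apache log lands in `index=web` as `sourcetype=access_combined` (both names are assumptions; adjust them to your lab), and uses the `uri`, `clientip` and `status` fields that sourcetype extracts by default.

```spl
index=web sourcetype=access_combined
| rex field=uri "^(?<uri_path>[^?]+)(\?(?<uri_query>.*))?$"
| eval decoded=urldecode(uri_query)
| eval technique=case(
    match(decoded, "(?i)(union\s+select|or\s+\d+=\d+|'\s*(--|#))"), "sqli",
    match(decoded, "(?i)(;|\|\||&&)\s*(cat|id|whoami|ls|ping)\b"), "cmdi",
    match(decoded, "(\.\./|\.\.\\){2,}"), "path_traversal",
    match(decoded, "(?i)(<script|javascript:|onerror=)"), "xss",
    true(), null())
| where isnotnull(technique)
| stats count, min(_time) AS first_seen, max(_time) AS last_seen,
        dc(uri_path) AS distinct_paths, values(status) AS http_status
        BY clientip, technique
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - count
```

Verify it in the lab by checking that the requests you generated against DVWA show up as rows per client and technique, then tune the patterns and add an allow-list for your own scanners before scheduling it as an alert.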

gcusello
SplunkTrust

Hi @kingsmill,

Did you start with Splunk Training?

There are some free courses (e.g. https://www.splunk.com/en_us/training/courses/splunk-fundamentals-1.html) and many interesting paid courses.

Do you know SPL?

If not, follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchTutorial/WelcometotheSearchTutorial).

About searches used in a SOC, you could see videos about Splunk Enterprise Security (the Splunk SIEM used in SOCs) and some security apps (e.g. https://splunkbase.splunk.com/app/4240/).

Finally, the most important thing in Splunk is deep knowledge of the systems to monitor and of the security threats; how to use Splunk is the minor problem.

Ciao.

Giuseppe

kingsmill
Explorer

Thank you so much! I will check them out!

gcusello
SplunkTrust

Hi @kingsmill,

If this answer solves your need, please accept it for the other people of the Community; otherwise, tell me how I can help you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉
