Security & the Enterprise

Asking for advice: Things I wish I knew when I was entering Splunk SOC Teams

kingsmill
Explorer

Hello all, I am looking for advice as I am starting a new job soon. I have a bit of experience in the IT field, around 3 years now.

I have been told they are using Splunk a lot (SOC analyst), and I don't have a lot of experience with Splunk.

I would like to prepare myself a little bit, could you give me any advice?
I have created a Splunk environment, added data, watched some YT videos and Pluralsight courses, and read a book: James D. Miller - Mastering Splunk 8.

1) If you are using Splunk a lot in your SOC team, what are typical duties & responsibilities?

2) Do you have any queries (if you can share) and they are good to have in the SOC environment?

3) What do you think I should do in my labs?

4) I am looking for examples of data where I can do threat hunting with Splunk.

Many thanks for your help!

Feel free to PM me, cheers!



securitypaul
Explorer

What devices do you have on your network you could use as log sources?

You could buy a used FortiGate, Cisco firewall, etc. and set up a syslog-ng server. Put a Universal Forwarder on that and set those devices to log via syslog to gather logs about blocked sessions or threats (usually UTM features need a license).


Can you access your antivirus logs? Ingest those and download EICAR test files.

https://www.eicar.org/download-anti-malware-testfile/


You could set up a Damn Vulnerable Web Application (DVWA), ingest the logs, and see if you can run exploits against it.

https://github.com/digininja/DVWA


Have a play with Splunk Attack Range or the local version of it.

https://www.splunk.com/en_us/blog/security/introducing-splunk-attack-range-v1-0.html

https://github.com/splunk/attack_range_local/


I'd be interested to hear how you get on if you try any of these.



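A worked example of the kind of hunting searches the question asks about, run over the three log sources suggested in the reply above: firewall denies, antivirus EICAR detections, and web-server requests against a DVWA host. This is an added example, not code from the original thread, from Splunk or from any of the projects linked; the log lines are constructed for the example, and their field names (srcip, dstip, action, virus, filename) are assumptions modelled on FortiGate-style key=value syslog and Apache access logs. Rough SPL equivalents are noted in the comments so the same logic can be tried in a lab Splunk instance.

```python
"""Hunting over constructed firewall, antivirus and web-server log lines.

All sample data below is constructed for this example.  Field names (srcip,
dstip, action, virus, filename, ...) are assumptions modelled on FortiGate-style
key=value syslog; the web lines imitate an Apache access log from a DVWA host.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

FIREWALL_LOGS = [  # constructed traffic log: four denied sessions, one allowed
    'date=2024-01-10 time=10:01:02 devname="fgt-lab" type="traffic" subtype="forward" '
    'srcip=10.0.0.5 srcport=51002 dstip=203.0.113.9 dstport=23 action="deny" policyid=0',
    'date=2024-01-10 time=10:01:05 devname="fgt-lab" type="traffic" subtype="forward" '
    'srcip=10.0.0.5 srcport=51003 dstip=203.0.113.9 dstport=445 action="deny" policyid=0',
    'date=2024-01-10 time=10:01:09 devname="fgt-lab" type="traffic" subtype="forward" '
    'srcip=10.0.0.5 srcport=51004 dstip=203.0.113.9 dstport=3389 action="deny" policyid=0',
    'date=2024-01-10 time=10:02:30 devname="fgt-lab" type="traffic" subtype="forward" '
    'srcip=10.0.0.7 srcport=40210 dstip=203.0.113.20 dstport=22 action="deny" policyid=0',
    'date=2024-01-10 time=10:02:31 devname="fgt-lab" type="traffic" subtype="forward" '
    'srcip=10.0.0.7 srcport=40211 dstip=203.0.113.20 dstport=443 action="accept" policyid=1',
]
AV_LOGS = [  # constructed UTM antivirus events: one EICAR block, one unrelated detection
    'date=2024-01-10 time=10:03:15 devname="fgt-lab" type="utm" subtype="virus" srcip=10.0.0.5 '
    'dstip=198.51.100.4 action="blocked" virus="EICAR_TEST_FILE" filename="eicar.com"',
    'date=2024-01-10 time=10:03:40 devname="fgt-lab" type="utm" subtype="virus" srcip=10.0.0.7 '
    'dstip=198.51.100.4 action="monitored" virus="Riskware/Generic" filename="tool.exe"',
]
WEB_LOGS = [  # constructed Apache access log from a DVWA host
    '10.0.0.5 - - [10/Jan/2024:10:05:00 +0000] "GET /dvwa/vulnerabilities/sqli/'
    '?id=1%27+OR+%271%27%3D%271&Submit=Submit HTTP/1.1" 200 4523',
    '10.0.0.7 - - [10/Jan/2024:10:05:07 +0000] "GET /dvwa/index.php HTTP/1.1" 200 1310',
    '10.0.0.5 - - [10/Jan/2024:10:05:21 +0000] "GET /dvwa/vulnerabilities/fi/'
    '?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 912',
    '10.0.0.7 - - [10/Jan/2024:10:06:02 +0000] "POST /dvwa/login.php HTTP/1.1" 302 0',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse one key=value syslog line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def denied_by_source(lines):
    """Count firewall denies per source address, highest first.

    Roughly the SPL:  type=traffic action=deny | stats count by srcip | sort -count
    """
    counts = Counter()
    for ev in map(parse_kv, lines):
        if ev.get("type") == "traffic" and ev.get("action") == "deny":
            counts[ev["srcip"]] += 1
    return counts.most_common()


def eicar_hits(lines):
    """Antivirus events naming the EICAR test file, as (srcip, filename, action).

    Roughly the SPL:  subtype=virus virus=*EICAR* | table srcip filename action
    """
    return [(ev["srcip"], ev.get("filename", ""), ev["action"])
            for ev in map(parse_kv, lines)
            if ev.get("subtype") == "virus" and "EICAR" in ev.get("virus", "").upper()]


ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')
# Crude signatures for the DVWA exercises: SQL injection, path traversal, XSS.
ATTACK_RE = re.compile(r"(?i)('\s*or\s|union\s+select|\.\./|<script)")


def suspicious_requests(lines):
    """URL-decode each request and flag ones matching ATTACK_RE.

    Decoding first matters: the quotes and slashes arrive URL-encoded, so a
    search on the raw field would miss them.  Returns (srcip, decoded_url, match).
    """
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not an access-log line; in Splunk this would be a parse failure
        src, _ts, _method, url, _status, _size = m.groups()
        decoded = unquote_plus(url)
        sig = ATTACK_RE.search(decoded)
        if sig:
            hits.append((src, decoded, sig.group(1).strip()))
    return hits


def repeat_offenders(fw_lines, web_lines):
    """Sources both denied by the firewall and seen sending suspicious web requests.

    Roughly the SPL: stats over both sourcetypes by srcip, keeping srcip values present in both.
    """
    denied = {src for src, _ in denied_by_source(fw_lines)}
    web = {src for src, _, _ in suspicious_requests(web_lines)}
    return denied & web


if __name__ == "__main__":
    print("denies by source:", denied_by_source(FIREWALL_LOGS))
    print("EICAR detections:", eicar_hits(AV_LOGS))
    print("suspicious requests:", suspicious_requests(WEB_LOGS))
    print("repeat offenders:", repeat_offenders(FIREWALL_LOGS, WEB_LOGS))
```

The point of the last function is the one that pays off in a SOC: a single denied session or a single odd URL is noise, but one internal host that trips the firewall, the antivirus and the web server in the same few minutes is worth a ticket. In a lab, generate the same three signals yourself (a port scan, an EICAR download, a DVWA exploit) and then write the SPL that ties them together on srcip.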

gcusello
SplunkTrust

Hi @kingsmill,

Did you start with Splunk Training?

There are some free courses (e.g. https://www.splunk.com/en_us/training/courses/splunk-fundamentals-1.html) and many interesting paid courses.

Do you know SPL?

If not, follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchTutorial/WelcometotheSearchTutorial).

As for searches used in a SOC, you could watch videos about Splunk Enterprise Security (the Splunk SIEM used in SOCs) and some security apps (e.g. https://splunkbase.splunk.com/app/4240/).

At least, the most important thing in Splunk is a deep knowledge of the systems to monitor and of the security threats; the way to use Splunk is the minor problem.

Ciao.

Giuseppe

kingsmill
Explorer

Thank you so much! I will check them out!


gcusello
SplunkTrust

Hi @kingsmill,

If this answer solves your need, please accept it for the other people of the Community; otherwise, tell me how I can help you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉
