Security & the Enterprise
Much secured. So patch!

Asking for advice: Things I wish I knew when I was entering Splunk SOC Teams

kingsmill
Explorer

Hello all, I am looking for advice I am starting a new job soon.I have a bit of experience in the IT field around 3 years now.

I have been told they are using Splunk a lot ( SOC analyst ) as I don't have a lot of experience with Splunk.

I would like to prepare myself a little bit, could you give me any advice?
I created a Splunk environment, add data, watching some YT videos and Pluralsight courses, reading a book James D. Miller - Mastering Splunk 8

1) If you are using Splunk a lot in your SOC team, what are typical duties & responsibilities?

2) Do you have any queries (if you can share) and they are good to have in the SOC environment?

3) What do you think what should I do in my labs?

4) I am looking for examples of data, where I can do  Threat Hunting with Splunk. 

many thanks for your help!

feel free Pm me, cheers!

 

Labels (5)
0 Karma

securitypaul
Explorer

What devices do you have on your network you could use as log sources?

You could buy a used FortiGate, Cisco firewall etc and setup an Syslog-NG server. Put a Universal Forwarder on that and set those devices to log via syslog to gather logs about blocked sessions or threats (usually UTM features need  a license).

 

Can you access your antivirus logs? Ingest those and download Eicar test files.

https://www.eicar.org/download-anti-malware-testfile/

 

You could setup a **bleep** Vulnerable Web Application, ingest the logs, see if you can run exploits against it.

https://github.com/digininja/DVWA

 

Have a play with Splunk Attack Range or the local version of it.

https://www.splunk.com/en_us/blog/security/introducing-splunk-attack-range-v1-0.html

https://github.com/splunk/attack_range_local/

 

I'd be interested to hear how you get on if you try any of these.

 

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @kingsmill,

did you started with Splunk Training?

there are some free courses (e.g. https://www.splunk.com/en_us/training/courses/splunk-fundamentals-1.html), and many interesting not free courses.

Did you know SPL?

if not follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchTutorial/WelcometotheSearchTutorial).

About searches used in a SOC, you could see videos about Splunk Enterprise Security (The Splunk SIEM used in SOC) and some security App (e.g. https://splunkbase.splunk.com/app/4240/).

At least, the most important thing in Splunk is a deep knowledge of the systems to monitor and the security threats, the way to use splunk is the minor problem.

Ciao.

Giuseppe

kingsmill
Explorer

thank you so much! I will check them out! 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @kingsmill,

if this answer solves your need, please accept it for the other people of Community, otherwise, tell me how can I help you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...