Hello all, I am looking for advice as I am starting a new job soon. I have a bit of experience in the IT field, around 3 years now.
I have been told they are using Splunk a lot (SOC analyst), and I don't have a lot of experience with Splunk.
I would like to prepare myself a little bit; could you give me any advice?
I have created a Splunk environment, added data, watched some YT videos and Pluralsight courses, and am reading a book: James D. Miller, Mastering Splunk 8.
1) If you are using Splunk a lot in your SOC team, what are typical duties & responsibilities?
2) Do you have any queries (if you can share) that are good to have in the SOC environment?
3) What do you think I should do in my labs?
4) I am looking for examples of data, where I can do Threat Hunting with Splunk.
Many thanks for your help!
Feel free to PM me, cheers!
What devices do you have on your network you could use as log sources?
You could buy a used FortiGate, Cisco firewall, etc. and set up a Syslog-NG server. Put a Universal Forwarder on that and set those devices to log via syslog to gather logs about blocked sessions or threats (usually UTM features need a license).
Can you access your antivirus logs? Ingest those and download Eicar test files.
https://www.eicar.org/download-anti-malware-testfile/
You could set up Damn Vulnerable Web Application, ingest the logs, and see if you can run exploits against it.
https://github.com/digininja/DVWA
Have a play with Splunk Attack Range or the local version of it.
https://www.splunk.com/en_us/blog/security/introducing-splunk-attack-range-v1-0.html
https://github.com/splunk/attack_range_local/
I'd be interested to hear how you get on if you try any of these.
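As an added example (not from the original post or any participant here): a small Python hunt over constructed DVWA-style Apache access log lines, tying together the "ingest the DVWA logs and see what exploit attempts look like" suggestion above and the original question about lab data for threat hunting. The sample lines, the field names and the indicator patterns are all constructed for this example; the same grouping by client IP, error count and indicator hits is what you would later express as a stats search in SPL once the logs are ingested into Splunk.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus
# Constructed sample Apache "combined" access log lines, as a DVWA-style host
# in a home lab might emit them (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /dvwa/login.php HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:07 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:01:15 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20OR%20%271%27%3D%271&Submit=Submit HTTP/1.1" 200 5310 "-" "curl/7.68.0"
10.0.0.9 - - [10/Mar/2024:12:01:16 +0000] "GET /dvwa/vulnerabilities/fi/?page=../../../../etc/passwd HTTP/1.1" 200 2210 "-" "curl/7.68.0"
10.0.0.9 - - [10/Mar/2024:12:01:18 +0000] "GET /dvwa/vulnerabilities/exec/?ip=127.0.0.1%3Bcat+%2Fetc%2Fpasswd HTTP/1.1" 404 512 "-" "curl/7.68.0"
10.0.0.9 - - [10/Mar/2024:12:01:20 +0000] "GET /dvwa/admin/ HTTP/1.1" 404 512 "-" "curl/7.68.0"
"""
LOG_RE = re.compile(  # same fields Splunk's access_combined sourcetype extracts
    r'(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"'
)
INDICATORS = {  # coarse patterns applied to the URL-decoded URI; lab-tuned, so noisy
    "sqli": re.compile(r"'\s*(or|and)\s|union\s+select|--\s*$", re.I),
    "path_traversal": re.compile(r"\.\./"),
    "cmd_injection": re.compile(r"[;|`]\s*[a-z]", re.I),
}

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["decoded_uri"] = unquote_plus(ev["uri"])  # decode before matching indicators
    ev["indicators"] = [n for n, rx in INDICATORS.items() if rx.search(ev["decoded_uri"])]
    return ev

def hunt(log_text):
    """Per-client summary: request count, 4xx/5xx count, indicator hits by name."""
    summary = defaultdict(lambda: {"requests": 0, "errors": 0, "indicators": Counter()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skip it rather than abort the whole hunt
        s = summary[ev["clientip"]]
        s["requests"] += 1
        s["errors"] += ev["status"] >= 400
        s["indicators"].update(ev["indicators"])
    return dict(summary)

def suspicious_clients(summary):
    """Clients with at least one indicator hit, sorted for stable output."""
    return sorted(ip for ip, s in summary.items() if s["indicators"])
```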
Hi @kingsmill,
Did you start with Splunk Training?
There are some free courses (e.g. https://www.splunk.com/en_us/training/courses/splunk-fundamentals-1.html), and many interesting paid courses.
Do you know SPL?
If not, follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchTutorial/WelcometotheSearchTutorial).
About searches used in a SOC, you could watch videos about Splunk Enterprise Security (the Splunk SIEM used in SOCs) and some security apps (e.g. https://splunkbase.splunk.com/app/4240/).
Lastly, the most important thing in Splunk is a deep knowledge of the systems to monitor and the security threats; the way to use Splunk is the minor problem.
Ciao.
Giuseppe
Thank you so much! I will check them out!
Hi @kingsmill,
If this answer solves your need, please accept it for the other people of the Community; otherwise, tell me how I can help you.
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated 😉