
Learn threat hunting with Splunk and SPL across infrastructure and networks, detecting Windows, Active Directory, and lateral movement threats through labs, data science, and threat intelligence integrations.
Learn to bulk install apps and add-ons by downloading from Splunkbase, extracting .tgz files, transferring them to the Splunk apps directory with FileZilla, and restarting Splunk.
Install the BOTS datasets in Splunk by downloading the add-ons, transferring each dataset to /opt, and installing it with the splunk install app command; verify with a search over index=botsv1, then repeat for botsv2 and botsv3.
Import attack logs into Splunk by installing the Sysmon and Windows add-ons, then upload the Sysmon and Windows event logs with the correct source types and verify them with index=main searches.
Use the top and rare commands in Splunk to detect defense evasion by displaying the most common and the rarest processes from Event ID 4688 (process creation) events in the Windows Security event log (botsv3 index).
Explore mimikatz, an open-source tool that extracts passwords and credentials from memory to enable unauthorized access, privilege escalation, and lateral movement; learn to detect mimikatz activity with Splunk.
Learn how NTLM authentication works on Windows networks: the domain username, the password hash, a 16-byte challenge, and a response verified by the domain controller, with Kerberos as a fallback.
Explore the normal (Gaussian) distribution, standard deviation, and the empirical rule, and learn how Splunk uses these concepts to narrow search ranges and handle outliers, as well as the limits of single-method analysis.
Detect ICMP tunnel outliers with data science in Splunk by calculating the average and standard deviation of ICMP packet counts, bounding the normal range at two standard deviations, and flagging values outside it as outliers.
Detect SMB anomalies in Splunk by calculating per-source and per-destination connection counts for ports 139 and 445, applying bounds of seven standard deviations, and flagging the outliers.
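As an added illustration that is not part of the course materials, the following Python script reproduces the logic of the two lectures above (ICMP packet counts per source with two-sigma bounds, SMB connection counts per source and per destination with seven-sigma bounds) on constructed flow records, and adds the check a practitioner wants before trusting a k-sigma rule: with the sample standard deviation, no single group among n can sit farther than (n-1)/sqrt(n) deviations from the mean, so a seven-sigma rule over fewer than about fifty hosts can never fire. The hosts, counts, field layout and function names are all assumptions.

```python
import math
import statistics
from collections import Counter

# Field positions in a flow record: (proto, src_ip, dst_ip, dst_port, packets)
PROTO, SRC, DST, DPORT, PKTS = range(5)

# Constructed sample flows (hypothetical, not from the BOTS datasets).
# Twelve hosts ping the gateway at a normal volume; one host pushes far more
# ICMP out to an external address, as an ICMP tunnel would.
ICMP_BASELINE = [40, 38, 42, 37, 41, 39, 43, 36, 40, 38, 42, 39]
FLOWS = [("icmp", f"10.0.0.{i + 10}", "10.0.0.1", 0, pkts)
         for i, pkts in enumerate(ICMP_BASELINE)]
FLOWS.append(("icmp", "10.0.0.99", "203.0.113.10", 0, 5000))
# 100 workstations open 1-3 SMB sessions each to one file server ...
for i in range(100):
    for _ in range([1, 2, 3, 2][i % 4]):
        FLOWS.append(("tcp", f"10.0.1.{i + 1}", "10.0.0.20", 445, 10))
# ... and one host opens 500 SMB sessions spread across 250 destinations.
for i in range(500):
    FLOWS.append(("tcp", "10.0.1.200", f"10.0.2.{i % 250 + 1}", 445, 3))


def aggregate(flows, key, keep, weight=None):
    """stats count by <key> (or stats sum(<weight>) by <key>) over kept flows."""
    totals = Counter()
    for flow in flows:
        if keep(flow):
            totals[flow[key]] += 1 if weight is None else flow[weight]
    return dict(totals)


def sigma_outliers(values_by_key, k):
    """Flag keys whose value lies outside avg +/- k * stdev.

    Mirrors the SPL pattern
      ... | eventstats avg(v) as avg stdev(v) as sd
          | eval lower=avg-k*sd, upper=avg+k*sd | where v<lower OR v>upper
    statistics.stdev is the sample standard deviation, like Splunk's stdev().
    """
    values = list(values_by_key.values())
    avg = statistics.mean(values)
    sd = statistics.stdev(values)
    lower, upper = avg - k * sd, avg + k * sd
    outliers = sorted(key for key, v in values_by_key.items()
                      if v < lower or v > upper)
    return {"avg": avg, "stdev": sd, "lower": lower, "upper": upper,
            "outliers": outliers}


def max_reachable_sigma(n):
    """Largest distance from the mean, in sample standard deviations, that any
    one of n groups can have. If this is below k, a k-sigma rule can never fire
    on that many groups, no matter how extreme one of them is."""
    return (n - 1) / math.sqrt(n)


def hunt_icmp(flows=FLOWS, k=2):
    """ICMP packets per source, two-sigma bounds."""
    per_src = aggregate(flows, SRC, lambda f: f[PROTO] == "icmp", weight=PKTS)
    return sigma_outliers(per_src, k)


def hunt_smb(flows=FLOWS, k=7):
    """SMB connections per source and per destination, seven-sigma bounds."""
    def is_smb(flow):
        return flow[DPORT] in (139, 445)
    return {
        "by_src": sigma_outliers(aggregate(flows, SRC, is_smb), k),
        "by_dst": sigma_outliers(aggregate(flows, DST, is_smb), k),
    }


if __name__ == "__main__":
    print("ICMP outliers:", hunt_icmp()["outliers"])
    smb = hunt_smb()
    print("SMB by src:", smb["by_src"]["outliers"],
          "by dst:", smb["by_dst"]["outliers"])
    print("max sigma reachable with 31 groups:",
          round(max_reachable_sigma(31), 2))
```

Run it to see the tunnel-like host and the SMB scanner flagged per source; note that the per-destination pass flags the file server, which is simply the busiest legitimate destination, so a pure volume rule needs an allow-list or a per-host baseline alongside it. In SPL the per-source SMB pass has the shape stats count by src_ip | eventstats avg(count) as avg stdev(count) as sd | eval lower=avg-7*sd, upper=avg+7*sd | where count<lower OR count>upper.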
Learn to enrich Splunk logs with a malware lookup by joining the domain field to malware.csv, adding reasons and references to Sysmon event data, and displaying results in a table.
Learn how to integrate MISP with Splunk to transfer IOCs and threat data using the MISP42 app and an API key for enhanced threat hunting.
Detect cyber-attacks with ChatGPT and Splunk by running searches that reveal the openai_prompt, openai_model, and openai_response fields, and assess whether commands are malicious or base64-encoded by asking multiple questions.
RITA analyzes Zeek logs and PCAPs to detect malicious activity through statistical analysis, offering beacon detection, DNS tunneling detection, long connections, user-agent viewing, and blacklist checks.
Install RITA on Ubuntu 20.04: make install.sh executable with chmod 755 and run it with sudo; then import Zeek logs into a 48-hour dataset and view beacons with rita show-beacons.
The SOC Cybersecurity Threat Hunting with Splunk training course was developed and edited by Mohammad Mirasadollahi in an online format and consists of 68 instructional videos on Splunk along with practical course files. It covers threat hunting with Splunk from beginner to advanced levels, based on the latest standard cybersecurity educational topics, and has been published as a practical course on Udemy under the title "SOC Cybersecurity Threat Hunting with Splunk."
With the SOC Cybersecurity Threat Hunting with Splunk course, you will be able to identify cyber-attacks using Splunk in any SOC. Threat hunting with Splunk is one of the most important skills organizations require in the field of information security.
The complexity of cyber-attacks in recent years has rendered traditional methods ineffective at detecting advanced attacks and APT groups. Relying solely on traditional controls such as firewalls, antivirus software, and EDR is therefore no longer sufficient, and organizations need cybersecurity experts in threat detection and identification.
Currently, cybersecurity analysts in Security Operations Centers (SOCs) can detect various attacks by analyzing and dissecting events received from different infrastructure and software, relying on their knowledge and various tools.
Cybersecurity experts and analysts require technology for continuous log analysis, which involves aggregating logs in a central system called SIEM (Security Information and Event Management). With the capabilities provided by SIEM, they can detect cyber threats.
SIEMs are referred to as the beating heart of every SOC. Currently, one of the most powerful and widely adopted SIEMs worldwide is Splunk.
Splunk is a software used for data storage, search, investigation, and analysis. Cybersecurity experts can use Splunk Enterprise to examine and analyze data, identify patterns, and establish logical connections between data to detect complex Cybersecurity attacks.
Therefore, many organizations are striving to migrate from traditional methods to modern ones for better cyber-attack detection. Given the importance of cybersecurity experts in data, log, and event analysis, and the popularity of the Splunk SIEM, the SOC Cybersecurity Threat Hunting with Splunk training course covers the techniques of threat hunting, investigation, analysis, and detection of cyber-attacks using Splunk.