RQP3 Training Guide Splunk

Transcription

TRAINING GUIDE: SPLUNK

TABLE OF CONTENTS

Splunk
- Introduction/Agenda
- Architecture Overview
- Navigating ES
- Intro to SPL
- Sourcetypes & Indexes
- Efficient Searching
- Table Command
- Stats Command
- Rename Command
- Eval Command
- Alerting/Lab
- Course Wrap-Up
- Hands-On Lab
  - A day in the life of an RQ Analyst

Splunk Advanced
- Introduction/Agenda
- IR Investigation
- Rule Tuning
- Threat Management
- Course Wrap-up
- Advanced Lab Scenario Answers
  - IR Investigation Scenario: PSExec Pivoting
  - Rule Tuning Scenario: Port Scan
  - Threat Management Scenario: Suspicious File Downloaded from High Risk Categorized Site

RELIAQUEST UNIVERSITY

Splunk - 9am - 12pm

Segment Title           Start Time   End Time   Segment Length
Introduction/Agenda     9:00am       9:10am     10 minutes
Architecture            9:15am       9:20am     10 minutes
Navigating ES           9:20am       9:30am     10 minutes
Intro to SPL            9:30am       9:45am     15 minutes
Sourcetypes & Indexes   9:45am       9:55am     10 minutes
Efficient Searching     9:55am       10:05am    10 minutes
Table Command           10:05am      10:15am    10 minutes
Stats Command           10:15am      10:25am    10 minutes
Rename Command          10:25am      10:35am    10 minutes
Eval Command            10:35am      10:45am    10 minutes
Alerting/Labs           10:45am      11:30am    55 minutes
Course End              11:30am      12:00pm    30 minutes

Splunk Advanced - 1pm - 4pm

Segment Title           Start Time   End Time   Segment Length
Introduction/Agenda     1:00pm       1:10pm     10 minutes
IR Investigation        1:10pm       2:00pm     50 minutes
Rule Tuning             2:00pm       2:50pm     50 minutes
Threat Management       2:50pm       3:40pm     50 minutes
Course End              3:40pm       4:00pm     20 minutes

Splunk: Introductions/Agenda

Topic: Introductions
Start Time: 9:00 AM
End Time: 9:10 AM
Length: 10 minutes

Objectives:
- Participants will be introduced to the course and trainer/mentors.
- Participants will learn the focus of the course.
- Participants will be encouraged to ask questions throughout the course.

Slide 1
Objective: Welcome the participants to the course, introduce the mentors and explain that each mentor will be managing sections of the room.
RQ Demo: Give the history of each person in the room and explain how important it is for RQ and our partners to learn together.

Slide 2
Objective: This is the time when the participants should log in to the Splunk instance. Mentors should support this to ensure successful logins.
RQ Demo: Add any humor you have here if needed; we all know that logging in can be a process.

Slide 3
Objective: Briefly cover the topics and the aim of the course. Explain that the hands-on labs will reinforce the skills learned throughout the course. Also explain that these portions of the course are guided click-throughs, so be sure to invite the participants to join you as you click through the sections.
RQ Demo: If needed, use your judgement.

In-Class Participant Questions:
- What are the different types of roles joining us today?
- Does everyone know that we have an rqBAR that can be leveraged for more information and in-depth Q/A for anything not covered?

Splunk: Architecture Overview

Topic: Architecture
Start Time: 9:10 AM
End Time: 9:20 AM
Length: 10 minutes

Objectives:
- Participants will gain an understanding of the components.
- Participants will gain an understanding of the data pipeline.
- Participants will engage in a discussion around the importance of a properly set up environment.

Slide 4
Objective: Cover the Data Pipeline sequence at a high level. Review Parsing and Inputs and how Splunk differs from other SIEM technologies.
RQ Demo: Share a story on how it was for you to learn the architecture of Splunk.

Slide 5
Objective: Cover how data flows within a Splunk environment and the importance of understanding the flow of data.
RQ Demo: As needed.

Slide 6
Objective: Explain the linking of the Splunk components and how information passes through each of them throughout the data pipeline.
RQ Demo: As needed.

In-Class Participant Questions:
- How does Splunk differ from SIEMs like QRadar and LogRhythm?
- What is a capability difference between a Heavy Forwarder and a Universal Forwarder?
- In what order does the data flow within the pipeline?

Splunk: Navigating ES

Topic: Navigation
Start Time: 9:20 AM
End Time: 9:30 AM
Length: 10 minutes

Objectives:
- Participants will gain an understanding of the tool's GUI layout.
- Participants will gain an understanding of ES' options to narrow down searches.
- Participants will gain an understanding of the search results Splunk displays.

Slide 7
Objective: This slide is used to transition the class into the topic of navigating Enterprise Security.
RQ Demo: As needed.

Slide 8
Objective: Cover the use of the search bar, the time frame selector and the search modes participants can choose between.
RQ Demo: As needed.

Slide 9
Objective: Cover the Events, Statistics and Visualization tabs and the ways in which each should be used.
RQ Demo: Share how different roles can leverage this page.

Slide 10
Objective: Cover and explain the breakdown of the search results page.
RQ Demo: Share which parts of the results page are most beneficial to you and why.

In-Class Participant Questions:
- How many people have the ES add-on?
- How does Splunk's search results page differ from other SIEM tools?
- Which part of the results page is most beneficial to you and why?

Splunk: Intro to SPL

Topic: Intro to SPL
Start Time: 9:30 AM
End Time: 9:45 AM
Length: 15 minutes

Objectives:
- Participants will gain an understanding of SPL and its uses.
- Participants will learn about indexes and sourcetypes.
- Participants will gain an understanding of the SPL command structure and syntax.

Slide 11
Objective: Use this slide to introduce SPL, how it can be used effectively and how a team can leverage SPL to shorten search time.
RQ Demo: Explain some of your struggles getting used to SPL.

Slide 12
Objective: Explain the difference between indexes and sourcetypes and the importance of understanding how to leverage each.
RQ Demo: Share from your experience why understanding the difference helped you learn the tool.

Slide 13
Objective: Explain the structure/syntax of SPL.
RQ Demo: Share a story on how you adjusted to the syntax of Splunk.

In-Class Participant Questions:
- What other programming language does Splunk mimic?
- What are some of the benefits of learning search strings instead of point-and-click features?
- How difficult is it for you and your team to learn the language?

Splunk: Sourcetypes & Indexes

Topic: Indexes & Sourcetypes
Start Time: 9:45 AM
End Time: 9:55 AM
Length: 10 minutes

Objectives:
- Participants will practice using SPL to retrieve data on sourcetypes and indexes.
- Participants will gain an understanding of the CAM methodology.
- Participants will demonstrate searching and navigating the tool.

Slide 14
Objective: This slide should be used to discuss the transition of the class focus to using SPL to engage sourcetypes.
RQ Demo: Share a story that showcases the importance of sourcetypes.

Slide 15
Objective: Have the class practice the SPL command and explain its purpose.
RQ Demo: As needed.

Slide 16
Objective: This slide should be used to discuss the transition of the class focus to using SPL to engage indexes.
RQ Demo: Share a story that showcases the importance of indexes. Humor helps.

Slide 17
Objective: Have the class practice the SPL command and explain its purpose.
RQ Demo: As needed.

Slide 18
Objective: Have the class practice the SPL command and explain its purpose.
RQ Demo: As needed.

In-Class Participant Questions:
- What type of data is held in sourcetypes?
- What is the difference between sourcetypes and indexes?
- How should we leverage these 2 sets of data?

Splunk: Efficient Searching

Topic: Efficient Searching
Start Time: 9:55 AM
End Time: 10:05 AM
Length: 10 minutes

Objectives:
- Participants will gain an understanding of the tool's GUI layout.
- Participants will practice using the search capability.
- Participants will gain an understanding of the CAM methodology.
- Participants will demonstrate searching and navigating the tool.

Slide 19
Objective: This slide should be used to discuss the transition of the class focus to understanding the syntax nuances of Splunk (i.e. keywords, fields, wildcards, etc.).
RQ Demo: Share a story of inefficient searching and its impact.

Slide 20
Objective: Cover how keywords and phrases affect the SPL commands being used.
RQ Demo: Add in an example.

Slide 21
Objective: Cover how fields and wildcards affect the SPL commands being used.
RQ Demo: Add in an example.

Slide 22
Objective: Cover how comparisons and booleans affect the SPL commands being used.
RQ Demo: Add in an example.

In-Class Participant Questions:
- What other tricks have you all found while using Splunk when it comes to searching?
- Which of these tips do you currently use most frequently?
- What mistakes have you made while searching? What was the outcome and solution?

Splunk: Table Command

Topic: Table Command
Start Time: 10:05 AM
End Time: 10:15 AM
Length: 10 minutes

Objectives:
- Participants will gain an understanding of the Table Command structure and syntax.
- Participants will gain an understanding of the pros/cons.
- Participants will demonstrate using the table command.

Slide 23
Objective: This slide should be used to discuss the transition of the class focus to using SPL to create Table Commands.
RQ Demo: Share a story of using the Table command.

Slide 24
Objective: Explain the syntax and structure of a table command query and the benefits and disadvantages of this command.
RQ Demo: Share a story of how this was used effectively and the outcome.

Slide 25
Objective: Have the participants practice the table command in the slide in their own environments.
RQ Demo: Explain your experience using this type of command.

In-Class Participant Questions:
- Who here leverages the table command on a frequent basis? Why?
- What are some of the benefits of this command?
- Name some disadvantages of using the table command.

Splunk: Stats Command

Topic: Stats Command
Start Time: 10:15 AM
End Time: 10:25 AM
Length: 10 minutes

Objectives:
- Participants will gain an understanding of the Stats Command structure and syntax.
- Participants will gain an understanding of the pros/cons.
- Participants will demonstrate using the stats command.

Slide 26
Objective: This slide should be used to discuss the transition of the class focus to using SPL to create Stats Commands.
RQ Demo: Share a story of using the Stats command.

Slide 27
Objective: Explain the syntax and structure of a stats command query and the benefits and disadvantages of this command.
RQ Demo: Share a story of how this was used effectively and the outcome.

Slide 28
Objective: Have the participants practice the table command in the slide in their own environments.
RQ Demo: Explain your experience using this type of command.

In-Class Participant Questions:
- How has this command helped you within your team?
- What are some pros/cons of this command?
- Share an experience of when this command helped you and/or the team.

Splunk: Rename Command

Topic: Rename Command
Start Time: 10:25 AM
End Time: 10:35 AM
Length: 20 minutes

Objectives:
- Participants will gain an understanding of the Rename Command structure and syntax.
- Participants will gain an understanding of the pros/cons.
- Participants will demonstrate using the rename command.

Slide 29
Objective: This slide should be used to discuss the transition of the class focus to using SPL to create Rename Commands.
RQ Demo: Share a story of using th
