{"id":77237,"date":"2026-06-26T10:01:35","date_gmt":"2026-06-26T10:01:35","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=77237"},"modified":"2026-06-26T10:01:37","modified_gmt":"2026-06-26T10:01:37","slug":"5-day-program-splunk-for-email-security-siem-endpoint-security","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/5-day-program-splunk-for-email-security-siem-endpoint-security\/","title":{"rendered":"5-Day Program: Splunk for Email Security, SIEM &amp; Endpoint Security"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Program Title<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Splunk Security Operations Masterclass: Email Security, SIEM &amp; Endpoint Detection<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Duration<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>5 Days<\/strong><br>Recommended format: <strong>6\u20137 hours per day<\/strong><br>Mode: Instructor-led + hands-on labs + final SOC investigation project<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Target Audience<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This program is suitable for:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Audience<\/th><th>Benefit<\/th><\/tr><\/thead><tbody><tr><td>SOC Analysts<\/td><td>Learn investigation and detection workflows<\/td><\/tr><tr><td>Security Engineers<\/td><td>Build searches, alerts, dashboards, and correlation logic<\/td><\/tr><tr><td>DevSecOps Engineers<\/td><td>Understand logging, endpoint telemetry, and SIEM integration<\/td><\/tr><tr><td>Splunk Beginners<\/td><td>Learn SPL, security data onboarding, and dashboards<\/td><\/tr><tr><td>Blue Team Learners<\/td><td>Practice phishing, endpoint, and SIEM use cases<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Prerequisites<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Participants should have basic knowledge of:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table 
class=\"has-fixed-layout\"><thead><tr><th>Area<\/th><th>Expected Knowledge<\/th><\/tr><\/thead><tbody><tr><td>Linux\/Windows<\/td><td>Basic commands, files, processes, services<\/td><\/tr><tr><td>Security<\/td><td>Malware, phishing, brute force, privilege escalation<\/td><\/tr><tr><td>Networking<\/td><td>IP, DNS, HTTP, SMTP, firewall logs<\/td><\/tr><tr><td>Splunk<\/td><td>Helpful but not mandatory<\/td><\/tr><tr><td>SIEM<\/td><td>Helpful but not mandatory<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Lab Environment<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Recommended lab setup:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Component<\/th><th>Purpose<\/th><\/tr><\/thead><tbody><tr><td>Splunk Enterprise or Splunk Cloud Trial<\/td><td>Core log search and analysis<\/td><\/tr><tr><td>Splunk Enterprise Security, if available<\/td><td>SIEM, notable events, risk-based alerting<\/td><\/tr><tr><td>Splunk Security Essentials, if ES is not available<\/td><td>Detection use-case learning<\/td><\/tr><tr><td>Splunk CIM Add-on<\/td><td>Data normalization<\/td><\/tr><tr><td>Windows Event Logs \/ Sysmon Logs<\/td><td>Endpoint security labs<\/td><\/tr><tr><td>Linux auth\/audit logs<\/td><td>Linux endpoint investigation<\/td><\/tr><tr><td>Email gateway logs or sample phishing logs<\/td><td>Email security labs<\/td><\/tr><tr><td>Sample firewall\/proxy\/DNS logs<\/td><td>Threat correlation<\/td><\/tr><tr><td>Optional Splunk SOAR<\/td><td>Automation and response<\/td><\/tr><tr><td>Optional Splunk Attack Analyzer<\/td><td>Email\/phishing\/malware analysis<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Important note: <strong>Splunk is not itself a replacement for a full EDR tool like CrowdStrike, Microsoft Defender for Endpoint, SentinelOne, or Carbon Black.<\/strong> In this program, \u201cEndpoint Security with Splunk\u201d means collecting endpoint telemetry, normalizing 
it, detecting suspicious behavior, correlating with SIEM events, and supporting investigation\/response.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Day 1 \u2014 Splunk Security Foundation &amp; SOC Data Onboarding<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Theme<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Build the Splunk foundation required for SIEM, email security, and endpoint monitoring.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Learning Objectives<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">By the end of Day 1, students will understand:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Objective<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td>Splunk architecture<\/td><td>Indexers, search heads, forwarders, apps, add-ons<\/td><\/tr><tr><td>Security data onboarding<\/td><td>How logs enter Splunk<\/td><\/tr><tr><td>Indexing and sourcetypes<\/td><td>Why correct sourcetypes matter<\/td><\/tr><tr><td>SPL basics<\/td><td>Searching, filtering, transforming, reporting<\/td><\/tr><tr><td>CIM basics<\/td><td>Why normalized fields are important for SIEM use cases<\/td><\/tr><tr><td>SOC data sources<\/td><td>Email, endpoint, firewall, proxy, DNS, identity logs<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Morning Session: Concepts<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1. What is Splunk in Security?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Topics:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Splunk as a security analytics platform<\/li>\n\n\n\n<li>Difference between log management, SIEM, SOAR, UEBA, and XDR<\/li>\n\n\n\n<li>Where Splunk Enterprise Security fits<\/li>\n\n\n\n<li>SOC workflow: collect \u2192 normalize \u2192 detect \u2192 investigate \u2192 respond \u2192 report<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2. 
Splunk Architecture for Security<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Topics:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Splunk Enterprise<\/li>\n\n\n\n<li>Splunk Cloud<\/li>\n\n\n\n<li>Universal Forwarder<\/li>\n\n\n\n<li>Heavy Forwarder<\/li>\n\n\n\n<li>Indexer<\/li>\n\n\n\n<li>Search Head<\/li>\n\n\n\n<li>Deployment Server<\/li>\n\n\n\n<li>Apps and Add-ons<\/li>\n\n\n\n<li>Splunk Enterprise Security<\/li>\n\n\n\n<li>Splunk SOAR<\/li>\n\n\n\n<li>Splunk Attack Analyzer<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3. Security Log Sources<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Important data sources:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Category<\/th><th>Example Logs<\/th><\/tr><\/thead><tbody><tr><td>Identity<\/td><td>AD, Okta, Azure AD, LDAP<\/td><\/tr><tr><td>Endpoint<\/td><td>Windows Event Logs, Sysmon, Linux auditd, EDR<\/td><\/tr><tr><td>Email<\/td><td>M365, Google Workspace, Proofpoint, Mimecast, Exchange<\/td><\/tr><tr><td>Network<\/td><td>Firewall, VPN, DNS, proxy<\/td><\/tr><tr><td>Cloud<\/td><td>AWS CloudTrail, Azure Activity Logs, GCP Audit Logs<\/td><\/tr><tr><td>Application<\/td><td>Web, API, authentication, transaction logs<\/td><\/tr><tr><td>Threat Intel<\/td><td>IOC feeds, reputation lists, malware hashes<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">4. 
SPL Basics for Security<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Core SPL commands:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">index=* earliest=-24h\n<\/code><\/span><\/pre>\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">index=security sourcetype=windows:security EventCode=4625\n<\/code><\/span><\/pre>\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">index=email action=blocked\n| stats count by sender, recipient, subject\n<\/code><\/span><\/pre>\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">index=endpoint process_name=powershell.exe\n| table _time host user process_name command_line\n<\/code><\/span><\/pre>\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">index=* \n| stats count by sourcetype\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Afternoon Hands-On Labs<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Lab 1.1 \u2014 Explore Splunk Search<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Tasks:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Login to Splunk.<\/li>\n\n\n\n<li>Open Search &amp; Reporting.<\/li>\n\n\n\n<li>Search all available indexes.<\/li>\n\n\n\n<li>Identify available sourcetypes.<\/li>\n\n\n\n<li>Find top hosts sending logs.<\/li>\n\n\n\n<li>Create a basic table of events.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Example SPL:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">index=*\n| stats count by index, sourcetype, host\n| sort -count\n<\/code><\/span><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Lab 1.2 \u2014 Create Security Indexes<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Create sample indexes:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Index<\/th><th>Purpose<\/th><\/tr><\/thead><tbody><tr><td><code>email_security<\/code><\/td><td>Email gateway and phishing logs<\/td><\/tr><tr><td><code>endpoint_security<\/code><\/td><td>Endpoint 
logs<\/td><\/tr><tr><td><code>siem_security<\/code><\/td><td>General SIEM events<\/td><\/tr><tr><td><code>threat_intel<\/code><\/td><td>IOC and reputation data<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Lab 1.3 \u2014 Upload Sample Security Logs<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Upload or ingest:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Sample email logs<\/li>\n\n\n\n<li>Sample Windows security logs<\/li>\n\n\n\n<li>Sample Sysmon logs<\/li>\n\n\n\n<li>Sample DNS\/proxy\/firewall logs<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Lab 1.4 \u2014 Basic Dashboard<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Create a dashboard with:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Panel<\/th><th>Purpose<\/th><\/tr><\/thead><tbody><tr><td>Event count by sourcetype<\/td><td>Data inventory<\/td><\/tr><tr><td>Failed logins by user<\/td><td>Identity security<\/td><\/tr><tr><td>Top suspicious email senders<\/td><td>Email security<\/td><\/tr><tr><td>Top endpoint processes<\/td><td>Endpoint visibility<\/td><\/tr><tr><td>Top blocked destinations<\/td><td>Network security<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Day 1 Deliverables<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Students should produce:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data source inventory<\/li>\n\n\n\n<li>Basic Splunk searches<\/li>\n\n\n\n<li>Security indexes<\/li>\n\n\n\n<li>First SOC visibility dashboard<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Day 2 \u2014 Splunk SIEM with Enterprise Security Concepts<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Theme<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Learn how Splunk works as a SIEM: correlation, notable events, dashboards, risk-based alerting, and investigations.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Splunk Enterprise Security uses 
correlation searches and risk-based alerting concepts to help SOC teams reduce alert noise and prioritize higher-risk activity. (<a href=\"https:\/\/help.splunk.com\/en\/splunk-enterprise-security-7\/risk-based-alerting?utm_source=chatgpt.com\">Splunk Docs<\/a>)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Learning Objectives<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">By the end of Day 2, students will understand:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Objective<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td>SIEM workflow<\/td><td>Detection, triage, investigation, response<\/td><\/tr><tr><td>Correlation searches<\/td><td>How SIEM detections are built<\/td><\/tr><tr><td>Notable events<\/td><td>How alerts become investigation items<\/td><\/tr><tr><td>Risk-based alerting<\/td><td>How multiple weak signals become stronger detections<\/td><\/tr><tr><td>Threat intelligence<\/td><td>IOC enrichment<\/td><\/tr><tr><td>MITRE ATT&amp;CK mapping<\/td><td>Mapping detections to adversary behavior<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Morning Session: Concepts<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1. 
What is SIEM?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">SIEM stands for <strong>Security Information and Event Management<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Core SIEM capabilities:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Capability<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td>Log collection<\/td><td>Gather security logs from many systems<\/td><\/tr><tr><td>Normalization<\/td><td>Convert different logs into common fields<\/td><\/tr><tr><td>Correlation<\/td><td>Connect related events<\/td><\/tr><tr><td>Detection<\/td><td>Identify suspicious activity<\/td><\/tr><tr><td>Alerting<\/td><td>Notify analysts<\/td><\/tr><tr><td>Investigation<\/td><td>Search and pivot across evidence<\/td><\/tr><tr><td>Reporting<\/td><td>Compliance and executive visibility<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">2. Splunk Enterprise Security Overview<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Topics:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security posture dashboards<\/li>\n\n\n\n<li>Incident Review<\/li>\n\n\n\n<li>Notable events<\/li>\n\n\n\n<li>Correlation searches<\/li>\n\n\n\n<li>Asset and identity framework<\/li>\n\n\n\n<li>Threat intelligence framework<\/li>\n\n\n\n<li>Risk-based alerting<\/li>\n\n\n\n<li>Investigation workflow<\/li>\n\n\n\n<li>Security domains<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3. 
SIEM Detection Engineering<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Detection design structure:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Element<\/th><th>Example<\/th><\/tr><\/thead><tbody><tr><td>Threat<\/td><td>Brute-force login<\/td><\/tr><tr><td>Data source<\/td><td>Windows Security Logs<\/td><\/tr><tr><td>Fields<\/td><td>user, src_ip, dest, action<\/td><\/tr><tr><td>Detection logic<\/td><td>10 failed logins in 5 minutes<\/td><\/tr><tr><td>Severity<\/td><td>Medium\/High<\/td><\/tr><tr><td>MITRE mapping<\/td><td>Credential Access<\/td><\/tr><tr><td>Response<\/td><td>Disable account, investigate host<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">4. Risk-Based Alerting<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Traditional alerting:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">One rule fires = one alert\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Risk-based alerting:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Multiple suspicious events + same user\/host = higher risk score\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Example:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Event<\/th><th>Risk Score<\/th><\/tr><\/thead><tbody><tr><td>Suspicious email clicked<\/td><td>25<\/td><\/tr><tr><td>PowerShell encoded command<\/td><td>40<\/td><\/tr><tr><td>Login from unusual country<\/td><td>35<\/td><\/tr><tr><td>Total risk for user<\/td><td>100<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Afternoon Hands-On Labs<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Lab 2.1 \u2014 Failed Login Detection<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Use failed authentication events.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Example SPL:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">index=endpoint_security 
EventCode=4625\n| stats count by user, src_ip\n| where count &gt; 5\n| sort -count\n<\/code><\/span><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Lab 2.2 \u2014 Brute Force Followed by Success<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-1\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">index=endpoint_security (EventCode=<span class=\"hljs-number\">4625<\/span> OR EventCode=<span class=\"hljs-number\">4624<\/span>)\n| stats \n    count(<span class=\"hljs-built_in\">eval<\/span>(EventCode=<span class=\"hljs-number\">4625<\/span>)) <span class=\"hljs-keyword\">as<\/span> failed_logins\n    count(<span class=\"hljs-built_in\">eval<\/span>(EventCode=<span class=\"hljs-number\">4624<\/span>)) <span class=\"hljs-keyword\">as<\/span> successful_logins\n    values(src_ip) <span class=\"hljs-keyword\">as<\/span> src_ip\n    by user\n| where failed_logins &gt;= <span class=\"hljs-number\">5<\/span> AND successful_logins &gt;= <span class=\"hljs-number\">1<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-1\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Lab 2.3 \u2014 Create a Correlation Search<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Detection name:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Multiple Failed Logins Followed by Success\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Severity:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">High\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">MITRE mapping:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Credential Access \/ Brute 
Force\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Action:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Create notable event or alert\n<\/code><\/span><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Lab 2.4 \u2014 Threat Intel IOC Matching<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Sample IOC lookup:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-2\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">ioc<\/span>,<span class=\"hljs-selector-tag\">type<\/span>,<span class=\"hljs-selector-tag\">severity<\/span>\n<span class=\"hljs-selector-tag\">malicious-domain<\/span><span class=\"hljs-selector-class\">.com<\/span>,<span class=\"hljs-selector-tag\">domain<\/span>,<span class=\"hljs-selector-tag\">high<\/span>\n185<span class=\"hljs-selector-class\">.10<\/span><span class=\"hljs-selector-class\">.20<\/span><span class=\"hljs-selector-class\">.30<\/span>,<span class=\"hljs-selector-tag\">ip<\/span>,<span class=\"hljs-selector-tag\">critical<\/span>\n<span class=\"hljs-selector-tag\">badfilehash123<\/span>,<span class=\"hljs-selector-tag\">hash<\/span>,<span class=\"hljs-selector-tag\">high<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-2\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Example SPL:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-3\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">index=proxy OR index=dns\n| lookup threat_ioc_lookup ioc <span class=\"hljs-keyword\">as<\/span> query OUTPUT severity type\n| where 
isnotnull(severity)\n| table _time host user query type severity\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-3\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Lab 2.5 \u2014 SIEM Dashboard<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Create panels:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Panel<\/th><th>Purpose<\/th><\/tr><\/thead><tbody><tr><td>High severity alerts<\/td><td>SOC triage<\/td><\/tr><tr><td>Top risky users<\/td><td>Risk-based investigation<\/td><\/tr><tr><td>Top risky hosts<\/td><td>Endpoint priority<\/td><\/tr><tr><td>Threat intel matches<\/td><td>IOC visibility<\/td><\/tr><tr><td>Failed login trends<\/td><td>Identity attack tracking<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Day 2 Deliverables<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Students should produce:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SIEM detection search<\/li>\n\n\n\n<li>Correlation search design<\/li>\n\n\n\n<li>Threat intelligence lookup<\/li>\n\n\n\n<li>SOC triage dashboard<\/li>\n\n\n\n<li>Basic investigation workflow<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Day 3 \u2014 Splunk for Email Security &amp; Phishing Investigation<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Theme<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Detect and investigate phishing, malicious attachments, suspicious links, spoofing, and compromised mailboxes.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Splunk Attack Analyzer can automate analysis of phishing and malware threats, including suspicious emails, URLs, files, and attack chains. 
Splunk documentation also describes phishing investigation workflows inside Splunk Enterprise Security powered by Attack Analyzer. (<a href=\"https:\/\/lantern.splunk.com\/Security_Use_Cases\/Threat_Investigation\/Automating_complex_threat_analysis_with_Splunk_Attack_Analyzer?utm_source=chatgpt.com\">Splunk Lantern<\/a>)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Learning Objectives<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">By the end of Day 3, students will understand:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Objective<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td>Email attack types<\/td><td>Phishing, spoofing, BEC, malware, spam<\/td><\/tr><tr><td>Email security logs<\/td><td>Sender, recipient, subject, URL, attachment, verdict<\/td><\/tr><tr><td>Email CIM mapping<\/td><td>Normalize email logs<\/td><\/tr><tr><td>Phishing investigation<\/td><td>Analyze sender, URL, attachment, recipients<\/td><\/tr><tr><td>Attack Analyzer<\/td><td>Automated phishing\/malware analysis<\/td><\/tr><tr><td>SOAR workflow<\/td><td>Automate investigation and response<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Morning Session: Concepts<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1. 
Email Security Fundamentals<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Common email threats:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Threat<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td>Phishing<\/td><td>Fake email designed to steal credentials<\/td><\/tr><tr><td>Spear phishing<\/td><td>Targeted phishing<\/td><\/tr><tr><td>Business Email Compromise<\/td><td>Fraud using trusted identity<\/td><\/tr><tr><td>Malware attachment<\/td><td>File-based compromise<\/td><\/tr><tr><td>Malicious URL<\/td><td>Link to phishing or malware site<\/td><\/tr><tr><td>Spoofing<\/td><td>Forged sender identity<\/td><\/tr><tr><td>Account takeover<\/td><td>Real mailbox used maliciously<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">2. Important Email Security Fields<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Field<\/th><th>Example<\/th><\/tr><\/thead><tbody><tr><td>sender<\/td><td><a href=\"mailto:attacker@example.com\">attacker@example.com<\/a><\/td><\/tr><tr><td>recipient<\/td><td><a href=\"mailto:user@company.com\">user@company.com<\/a><\/td><\/tr><tr><td>subject<\/td><td>Password Expiry Notice<\/td><\/tr><tr><td>src_ip<\/td><td>Sender IP<\/td><\/tr><tr><td>attachment_name<\/td><td>invoice.exe<\/td><\/tr><tr><td>url<\/td><td>hxxp:\/\/fake-login.example<\/td><\/tr><tr><td>verdict<\/td><td>malicious\/suspicious\/clean<\/td><\/tr><tr><td>action<\/td><td>delivered\/blocked\/quarantined<\/td><\/tr><tr><td>message_id<\/td><td>Unique email ID<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">3. 
Email Authentication Concepts<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Students should understand:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Control<\/th><th>Purpose<\/th><\/tr><\/thead><tbody><tr><td>SPF<\/td><td>Checks allowed sending servers<\/td><\/tr><tr><td>DKIM<\/td><td>Verifies message signing<\/td><\/tr><tr><td>DMARC<\/td><td>Defines domain policy for SPF\/DKIM failures<\/td><\/tr><tr><td>URL rewriting<\/td><td>Tracks and protects clicked links<\/td><\/tr><tr><td>Sandboxing<\/td><td>Executes suspicious file safely<\/td><\/tr><tr><td>Quarantine<\/td><td>Holds suspicious email<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">4. Phishing Investigation Workflow<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Recommended workflow:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Suspicious Email Alert\n        \u2193\nCheck Sender Reputation\n        \u2193\nAnalyze Subject and Body\n        \u2193\nExtract URLs and Attachments\n        \u2193\nCheck Recipients\n        \u2193\nCheck Click Activity\n        \u2193\nCheck Endpoint Activity\n        \u2193\nContain Mailbox \/ Host\n        \u2193\nClose Investigation\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Afternoon Hands-On Labs<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Lab 3.1 \u2014 Top Suspicious Email Senders<\/h3>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">index=email_security\n| stats count by sender, sender_domain, action, verdict\n| sort -count\n<\/code><\/span><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Lab 3.2 \u2014 Detect External Sender Spoofing Internal Domain<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-4\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">index=email_security sender_domain=<span class=\"hljs-string\">\"company.com\"<\/span> src_ip!=<span 
class=\"hljs-string\">\"trusted_mail_gateway_ip\"<\/span>\n| table _time sender recipient subject src_ip action verdict\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-4\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Lab 3.3 \u2014 Detect Malicious Attachments<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-5\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">index=email_security attachment_name=*\n| <span class=\"hljs-built_in\">eval<\/span> suspicious_attachment=<span class=\"hljs-keyword\">if<\/span>(match(attachment_name, <span class=\"hljs-string\">\"\\.(exe|scr|js|vbs|hta|iso|img|lnk)$\"<\/span>), <span class=\"hljs-string\">\"yes\"<\/span>, <span class=\"hljs-string\">\"no\"<\/span>)\n| where suspicious_attachment=<span class=\"hljs-string\">\"yes\"<\/span>\n| table _time sender recipient subject attachment_name verdict action\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-5\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Lab 3.4 \u2014 Detect Suspicious URLs<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-6\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">index=email_security url=*\n| <span class=\"hljs-built_in\">eval<\/span> suspicious_url=<span class=\"hljs-keyword\">if<\/span>(match(url, 
<span class=\"hljs-string\">\"(login|verify|password|invoice|payment|secure)\"<\/span>), <span class=\"hljs-string\">\"yes\"<\/span>, <span class=\"hljs-string\">\"no\"<\/span>)\n| where suspicious_url=<span class=\"hljs-string\">\"yes\"<\/span>\n| stats count values(url) <span class=\"hljs-keyword\">as<\/span> urls by sender, recipient, subject\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-6\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Lab 3.5 \u2014 Phishing Campaign Detection<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-7\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">index=email_security\n| stats \n    dc(recipient) <span class=\"hljs-keyword\">as<\/span> unique_recipients\n    values(recipient) <span class=\"hljs-keyword\">as<\/span> recipients\n    values(url) <span class=\"hljs-keyword\">as<\/span> urls\n    values(attachment_name) <span class=\"hljs-keyword\">as<\/span> attachments\n    by sender, subject\n| where unique_recipients &gt; <span class=\"hljs-number\">10<\/span>\n| sort -unique_recipients\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-7\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Lab 3.6 \u2014 Email-to-Endpoint Pivot<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Scenario:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A user received a phishing email and clicked a URL. 
Now check endpoint activity.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Step 1: Find recipient.<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">index=email_security verdict=malicious\n| table _time sender recipient subject url attachment_name\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Step 2: Pivot to endpoint.<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-8\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">index=endpoint_security user=<span class=\"hljs-string\">\"victim.user\"<\/span>\n| table _time host user process_name command_line parent_process_name\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-8\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Step 3: Look for suspicious browser or PowerShell activity.<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-9\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">index=endpoint_security user=<span class=\"hljs-string\">\"victim.user\"<\/span>\n(process_name=<span class=\"hljs-string\">\"powershell.exe\"<\/span> OR process_name=<span class=\"hljs-string\">\"cmd.exe\"<\/span> OR process_name=<span class=\"hljs-string\">\"wscript.exe\"<\/span> OR process_name=<span class=\"hljs-string\">\"mshta.exe\"<\/span>)\n| table _time host user process_name command_line parent_process_name\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-9\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span 
class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Lab 3.7 \u2014 Email Security Dashboard<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Create dashboard panels:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Panel<\/th><th>Purpose<\/th><\/tr><\/thead><tbody><tr><td>Malicious emails by verdict<\/td><td>Email threat visibility<\/td><\/tr><tr><td>Top phishing senders<\/td><td>Campaign detection<\/td><\/tr><tr><td>Top targeted users<\/td><td>User risk<\/td><\/tr><tr><td>Suspicious attachments<\/td><td>Malware tracking<\/td><\/tr><tr><td>URL clicks by user<\/td><td>Compromise investigation<\/td><\/tr><tr><td>Email action summary<\/td><td>Delivered vs blocked<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Day 3 Deliverables<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Students should produce:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Email security search pack<\/li>\n\n\n\n<li>Phishing investigation workflow<\/li>\n\n\n\n<li>Email security dashboard<\/li>\n\n\n\n<li>Email-to-endpoint pivot process<\/li>\n\n\n\n<li>Phishing campaign detection report<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Day 4 \u2014 Splunk for Endpoint Security<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Theme<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Detect suspicious endpoint behavior using Windows, Linux, Sysmon, EDR, and process telemetry.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The Splunk CIM Endpoint data model is designed for monitoring endpoint clients such as user machines and laptops. It covers endpoint-related events such as processes, services, files, and ports. 
(<a href=\"https:\/\/docs.splunk.com\/Documentation\/CIM\/latest\/User\/Endpoint\">docs.splunk.com<\/a>)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Learning Objectives<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">By the end of Day 4, students will understand:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Objective<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td>Endpoint telemetry<\/td><td>Process, file, registry, service, network<\/td><\/tr><tr><td>Windows security logs<\/td><td>Logon, privilege use, account changes<\/td><\/tr><tr><td>Sysmon logs<\/td><td>Process creation, network, file, registry<\/td><\/tr><tr><td>Linux endpoint logs<\/td><td>auth.log, auditd, sudo, SSH<\/td><\/tr><tr><td>EDR integration<\/td><td>How EDR logs support SIEM<\/td><\/tr><tr><td>Malware behavior<\/td><td>PowerShell, persistence, lateral movement<\/td><\/tr><tr><td>Endpoint dashboards<\/td><td>Host and user investigation views<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Morning Session: Concepts<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1. Endpoint Security Data Sources<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Source<\/th><th>Use<\/th><\/tr><\/thead><tbody><tr><td>Windows Security Logs<\/td><td>Authentication, privilege, account changes<\/td><\/tr><tr><td>Sysmon<\/td><td>Process, network, file, registry behavior<\/td><\/tr><tr><td>PowerShell Logs<\/td><td>Script execution and suspicious commands<\/td><\/tr><tr><td>Linux auth logs<\/td><td>SSH, sudo, failed login<\/td><\/tr><tr><td>auditd<\/td><td>Linux process and file activity<\/td><\/tr><tr><td>EDR logs<\/td><td>Malware, behavioral detection, quarantine<\/td><\/tr><tr><td>DNS\/proxy logs<\/td><td>External communication from endpoint<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">2. 
Important Windows Event IDs<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Event ID<\/th><th>Meaning<\/th><\/tr><\/thead><tbody><tr><td>4624<\/td><td>Successful logon<\/td><\/tr><tr><td>4625<\/td><td>Failed logon<\/td><\/tr><tr><td>4672<\/td><td>Special privileges assigned to new logon (admin-equivalent session)<\/td><\/tr><tr><td>4688<\/td><td>Process creation (the command line is only included when the process creation audit policy is configured to log it)<\/td><\/tr><tr><td>4720<\/td><td>User account created<\/td><\/tr><tr><td>4728<\/td><td>Member added to a security-enabled global group (e.g. Domain Admins)<\/td><\/tr><tr><td>4732<\/td><td>Member added to a security-enabled local group (e.g. Administrators)<\/td><\/tr><tr><td>7045<\/td><td>New service installed (System log, not Security log)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Two practical notes: 4728 and 4732 are written on the machine that holds the group, so domain group changes appear on the domain controllers and local group changes on the endpoint itself, and both must be collected. Sysmon Event ID 1 records process creation with the parent process, full command line and file hashes by default, which is the telemetry the parent\/child process searches in the labs assume.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Endpoint Attack Behaviors<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Behavior<\/th><th>Example<\/th><\/tr><\/thead><tbody><tr><td>Suspicious PowerShell<\/td><td>Encoded command<\/td><\/tr><tr><td>Credential dumping<\/td><td>LSASS access<\/td><\/tr><tr><td>Persistence<\/td><td>New service, scheduled task<\/td><\/tr><tr><td>Lateral movement<\/td><td>Remote admin tools<\/td><\/tr><tr><td>Malware execution<\/td><td>Suspicious child process<\/td><\/tr><tr><td>Defense evasion<\/td><td>Disabling antivirus<\/td><\/tr><tr><td>Data staging<\/td><td>Archive files created<\/td><\/tr><tr><td>Exfiltration<\/td><td>Upload to unknown destination<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">4. 
Endpoint Detection Workflow<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-10\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">Endpoint Alert\n     \u2193\nIdentify Host and User\n     \u2193\nReview Process Tree\n     \u2193\nCheck Parent\/Child Process\n     \u2193\nCheck Network Connections\n     \u2193\nCheck File\/Registry Changes\n     \u2193\nCorrelate <span class=\"hljs-keyword\">with<\/span> Email, DNS, <span class=\"hljs-built_in\">Proxy<\/span>, Identity\n     \u2193\nContain or Escalate\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-10\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Afternoon Hands-On Labs<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Lab 4.1 \u2014 Suspicious PowerShell Detection<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-11\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">index=endpoint_security process_name=<span class=\"hljs-string\">\"powershell.exe\"<\/span>\n| where match(command_line, <span class=\"hljs-string\">\"(?i)(-enc|encodedcommand|downloadstring|iex|invoke-expression|bypass)\"<\/span>)\n| table _time host user parent_process_name process_name command_line\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-11\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 
class=\"wp-block-heading\">Lab 4.2 \u2014 Office Application Spawning Script Interpreter<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-12\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">index=endpoint_security\n(parent_process_name=<span class=\"hljs-string\">\"winword.exe\"<\/span> OR parent_process_name=<span class=\"hljs-string\">\"excel.exe\"<\/span> OR parent_process_name=<span class=\"hljs-string\">\"outlook.exe\"<\/span>)\n(process_name=<span class=\"hljs-string\">\"powershell.exe\"<\/span> OR process_name=<span class=\"hljs-string\">\"cmd.exe\"<\/span> OR process_name=<span class=\"hljs-string\">\"wscript.exe\"<\/span> OR process_name=<span class=\"hljs-string\">\"mshta.exe\"<\/span>)\n| table _time host user parent_process_name process_name command_line\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-12\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Lab 4.3 \u2014 New Service Installation<\/h3>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">index=endpoint_security EventCode=7045\n| table _time host user service_name service_file_name\n<\/code><\/span><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Lab 4.4 \u2014 Privileged User Group Change<\/h3>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">index=endpoint_security EventCode IN (4728,4732)\n| table _time host user member_name group_name\n<\/code><\/span><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Lab 4.5 \u2014 Linux SSH Brute Force<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-13\" data-shcb-language-name=\"JavaScript\" 
data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">index=endpoint_security sourcetype=linux_secure <span class=\"hljs-string\">\"Failed password\"<\/span>\n| rex <span class=\"hljs-string\">\"from (?&lt;src_ip&gt;\\d+\\.\\d+\\.\\d+\\.\\d+)\"<\/span>\n| stats count by src_ip, host\n| where count &gt; <span class=\"hljs-number\">10<\/span>\n| sort -count\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-13\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Lab 4.6 \u2014 Suspicious Linux Sudo Activity<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-14\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">index=endpoint_security sourcetype=linux_secure sudo\n| stats count values(command) <span class=\"hljs-keyword\">as<\/span> commands by user, host\n| sort -count\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-14\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Lab 4.7 \u2014 Endpoint Investigation Dashboard<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Create panels:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Panel<\/th><th>Purpose<\/th><\/tr><\/thead><tbody><tr><td>Top suspicious processes<\/td><td>Malware behavior<\/td><\/tr><tr><td>PowerShell activity<\/td><td>Script abuse<\/td><\/tr><tr><td>Failed logins by 
host<\/td><td>Brute force<\/td><\/tr><tr><td>New services installed<\/td><td>Persistence<\/td><\/tr><tr><td>Privilege changes<\/td><td>Account abuse<\/td><\/tr><tr><td>Endpoint risk by host<\/td><td>SOC prioritization<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Day 4 Deliverables<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Students should produce:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Endpoint detection search pack<\/li>\n\n\n\n<li>Windows endpoint dashboard<\/li>\n\n\n\n<li>Linux endpoint dashboard<\/li>\n\n\n\n<li>Endpoint investigation playbook<\/li>\n\n\n\n<li>MITRE ATT&amp;CK mapping for endpoint detections<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Day 5 \u2014 Integrated SOC Capstone: Email + SIEM + Endpoint Security<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Theme<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Students complete a realistic SOC investigation from phishing email to endpoint compromise and SIEM reporting.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Learning Objectives<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">By the end of Day 5, students will be able to:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Objective<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td>Investigate full attack chain<\/td><td>Email \u2192 user \u2192 endpoint \u2192 network<\/td><\/tr><tr><td>Correlate logs<\/td><td>Email, endpoint, DNS, proxy, identity<\/td><\/tr><tr><td>Build SIEM alerting<\/td><td>Create detection and response workflow<\/td><\/tr><tr><td>Prioritize risk<\/td><td>Use severity and risk scoring<\/td><\/tr><tr><td>Document incident<\/td><td>Prepare SOC report<\/td><\/tr><tr><td>Present findings<\/td><td>Explain timeline, impact, response<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Capstone Scenario<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Scenario 
Name<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Phishing Email Leading to Endpoint Compromise<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Story<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">A user receives an email with the subject:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-15\" data-shcb-language-name=\"HTTP\" data-shcb-language-slug=\"http\"><span><code class=\"hljs language-http\"><span class=\"hljs-attribute\">Urgent<\/span>: Password Verification Required\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-15\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTTP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">http<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">The user clicks a suspicious URL. Shortly after, the endpoint executes PowerShell with an encoded command. The host then communicates with an unknown external IP address. 
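<p class=\"wp-block-paragraph\">This attack chain, together with the point totals in the Risk Scoring Model under the Final Project, worked end to end as an added example that is not part of the original program: plain Python over constructed email, proxy, endpoint and DNS records, reusing the command-line pattern from Lab 4.1, with a hypothetical in-memory IOC table and privileged-user set standing in for threat_ioc_lookup and identity data. Field names follow the SPL on this page; every record, host, user and domain below is made up.<\/p>

```python
"""Added example (not from the original program): correlate the capstone
chain per user and score it with the Risk Scoring Model table.
All telemetry below is constructed; the IOC table and privileged-user
set are hypothetical stand-ins for threat_ioc_lookup and identity data."""
import re
from collections import defaultdict

# Same command-line pattern as Lab 4.1 / capstone Step 5.
SUSPICIOUS_PS = re.compile(
    r"(?i)(-enc|encodedcommand|downloadstring|iex|invoke-expression|bypass)")

# Weights from the Risk Scoring Model table; notable at >= 80.
RISK = {"malicious_email_delivered": 20, "url_clicked": 30,
        "suspicious_powershell": 40, "ioc_match": 50, "privileged_user": 25}
NOTABLE_THRESHOLD = 80

# ---- constructed sample telemetry (assumed shapes, not real data) ----------
PHISH_URL = "http://verify-account-login.example/reset"
EMAIL_EVENTS = [
    {"sender": "helpdesk@mail-verify.example", "recipient": "victim.user",
     "subject": "Urgent: Password Verification Required", "url": PHISH_URL,
     "verdict": "malicious", "action": "delivered"},
    {"sender": "helpdesk@mail-verify.example", "recipient": "admin.user",
     "subject": "Urgent: Password Verification Required", "url": PHISH_URL,
     "verdict": "malicious", "action": "delivered"},
    {"sender": "helpdesk@mail-verify.example", "recipient": "second.user",
     "subject": "Urgent: Password Verification Required", "url": PHISH_URL,
     "verdict": "malicious", "action": "blocked"},
]
PROXY_EVENTS = [
    {"user": "victim.user", "src_ip": "10.0.0.25", "url": PHISH_URL,
     "action": "allowed"},
]
ENDPOINT_EVENTS = [
    {"host": "WS-025", "user": "victim.user", "parent_process_name": "outlook.exe",
     "process_name": "powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"host": "WS-031", "user": "ops.user", "parent_process_name": "explorer.exe",
     "process_name": "powershell.exe",
     "command_line": "powershell.exe -File C:\\Tools\\backup.ps1"},  # benign
]
DNS_EVENTS = [
    {"user": "victim.user", "src_ip": "10.0.0.25", "query": "verify-account-login.example"},
    {"user": "ops.user", "src_ip": "10.0.0.31", "query": "updates.example"},
]
THREAT_IOC = {"verify-account-login.example": ("c2_domain", "high")}  # hypothetical
PRIVILEGED_USERS = {"admin.user"}  # hypothetical identity data


def user_risk_rules(email_events, proxy_events, endpoint_events, dns_events,
                    ioc_lookup=THREAT_IOC, privileged_users=PRIVILEGED_USERS):
    """Return {user: sorted list of distinct risk rules that fired}."""
    fired = defaultdict(set)
    malicious_urls = set()
    for e in email_events:
        if e["verdict"] == "malicious":
            malicious_urls.add(e["url"])
            if e["action"] == "delivered":       # blocked mail adds no risk
                fired[e["recipient"]].add("malicious_email_delivered")
    for p in proxy_events:                       # a click = proxy allowed a bad URL
        if p["action"] == "allowed" and p["url"] in malicious_urls:
            fired[p["user"]].add("url_clicked")
    for ep in endpoint_events:
        if (ep["process_name"].lower() == "powershell.exe"
                and SUSPICIOUS_PS.search(ep["command_line"])):
            fired[ep["user"]].add("suspicious_powershell")
    for d in dns_events:                         # the Step 7 lookup, in memory
        if d["query"] in ioc_lookup:
            fired[d["user"]].add("ioc_match")
    for user in list(fired):                     # modifier: only stacks on other risk
        if user in privileged_users:
            fired[user].add("privileged_user")
    return {u: sorted(r) for u, r in fired.items()}


def risk_score(rules):
    """Each distinct rule counts once, like summing over dc(rule) in an RBA search."""
    return sum(RISK[r] for r in rules)


def notable_events(email_events, proxy_events, endpoint_events, dns_events):
    """Users whose summed risk reaches the notable threshold."""
    rules_by_user = user_risk_rules(email_events, proxy_events,
                                    endpoint_events, dns_events)
    return {u: {"score": risk_score(r), "rules": r}
            for u, r in rules_by_user.items()
            if risk_score(r) >= NOTABLE_THRESHOLD}


if __name__ == "__main__":
    for user, rules in user_risk_rules(EMAIL_EVENTS, PROXY_EVENTS,
                                       ENDPOINT_EVENTS, DNS_EVENTS).items():
        print(f"{user:12} score={risk_score(rules):3} rules={rules}")
    print("notable:", notable_events(EMAIL_EVENTS, PROXY_EVENTS,
                                     ENDPOINT_EVENTS, DNS_EVENTS))
```

<p class=\"wp-block-paragraph\">Each rule contributes once per user, the way a risk-based alerting search sums distinct rule hits rather than raw event counts, so a noisy source cannot push a user over the threshold on its own, and the privileged-user weight only applies once another rule has fired. On the sample data victim.user reaches 140 and becomes the notable, admin.user stays at 45, the blocked delivery to second.user adds nothing, and the benign backup script run by ops.user does not match the pattern.<\/p>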
The SOC must investigate and determine whether the incident is a true positive.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Data Sources Used<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Data Source<\/th><th>Purpose<\/th><\/tr><\/thead><tbody><tr><td>Email logs<\/td><td>Identify phishing email<\/td><\/tr><tr><td>Endpoint logs<\/td><td>Detect malicious process<\/td><\/tr><tr><td>Windows logs<\/td><td>Validate user and host activity<\/td><\/tr><tr><td>DNS logs<\/td><td>Identify suspicious domain lookup<\/td><\/tr><tr><td>Proxy logs<\/td><td>Confirm URL access<\/td><\/tr><tr><td>Threat intel<\/td><td>Check IOC reputation<\/td><\/tr><tr><td>SIEM alerts<\/td><td>Prioritize and report<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Morning Session: Guided Capstone Build<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1 \u2014 Identify Suspicious Email<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-16\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">index=email_security\n(subject=<span class=\"hljs-string\">\"*Password Verification*\"<\/span> OR subject=<span class=\"hljs-string\">\"*Urgent*\"<\/span>)\n| table _time sender recipient subject url attachment_name verdict action\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-16\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Step 2 \u2014 Find All Recipients<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-17\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs 
index=email_security subject=">
language-javascript\">index=email_security subject=<span class=\"hljs-string\">\"*Password Verification*\"<\/span>\n| stats values(recipient) <span class=\"hljs-keyword\">as<\/span> recipients dc(recipient) <span class=\"hljs-keyword\">as<\/span> recipient_count by sender, subject, url\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-17\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Step 3 \u2014 Identify Clicked URL<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-18\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">(index=proxy OR index=email_security) url=*\n| search url=<span class=\"hljs-string\">\"*verification*\"<\/span>\n| table _time user src_ip url action\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-18\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">The parentheses are required: implicit AND binds tighter than OR in SPL, so <code>index=proxy OR index=email_security url=*<\/code> is parsed as <code>index=proxy OR (index=email_security url=*)<\/code> and the <code>url=*<\/code> filter applies only to the email events. In the proxy data a real click is an allowed request, so check <code>action<\/code> before treating a hit as a compromise rather than a blocked attempt.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4 \u2014 Pivot to Endpoint<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-19\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">index=endpoint_security user=<span class=\"hljs-string\">\"victim.user\"<\/span>\n| table _time host user process_name parent_process_name command_line\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-19\"><span class=\"shcb-language__label\">Code language:<\/span> <span 
class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Step 5 \u2014 Detect Suspicious PowerShell<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-20\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">index=endpoint_security user=<span class=\"hljs-string\">\"victim.user\"<\/span> process_name=<span class=\"hljs-string\">\"powershell.exe\"<\/span>\n| where match(command_line, <span class=\"hljs-string\">\"(?i)(-enc|downloadstring|iex|bypass)\"<\/span>)\n| table _time host user parent_process_name process_name command_line\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-20\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Step 6 \u2014 Check External Communication<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-21\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">index=dns OR index=proxy\nuser=<span class=\"hljs-string\">\"victim.user\"<\/span>\n| stats values(query) <span class=\"hljs-keyword\">as<\/span> domains values(dest_ip) <span class=\"hljs-keyword\">as<\/span> dest_ips by user, src_ip\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-21\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span 
class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Step 7 \u2014 Check Threat Intel<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-22\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">index=dns OR index=proxy\n| lookup threat_ioc_lookup ioc <span class=\"hljs-keyword\">as<\/span> query OUTPUT severity type\n| where isnotnull(severity)\n| table _time user src_ip query type severity\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-22\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Afternoon Session: Final Project<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Students must build the following:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Detection Rules<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Detection<\/th><th>Required Logic<\/th><\/tr><\/thead><tbody><tr><td>Phishing email campaign<\/td><td>Same sender\/subject sent to many users<\/td><\/tr><tr><td>Suspicious URL click<\/td><td>User clicked suspicious URL<\/td><\/tr><tr><td>Office spawning PowerShell<\/td><td>Outlook\/Word\/Excel \u2192 PowerShell<\/td><\/tr><tr><td>Encoded PowerShell<\/td><td>PowerShell with <code>-enc<\/code> or suspicious command<\/td><\/tr><tr><td>IOC match<\/td><td>Domain\/IP\/hash matched threat intel<\/td><\/tr><tr><td>High-risk user<\/td><td>Email + endpoint + IOC activity<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">2. 
Risk Scoring Model<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Example:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Event<\/th><th>Risk Score<\/th><\/tr><\/thead><tbody><tr><td>Malicious email delivered<\/td><td>20<\/td><\/tr><tr><td>User clicked URL<\/td><td>30<\/td><\/tr><tr><td>Suspicious PowerShell executed<\/td><td>40<\/td><\/tr><tr><td>IOC matched<\/td><td>50<\/td><\/tr><tr><td>Privileged user involved<\/td><td>25<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Final risk logic:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">If total risk score &gt;= 80, create high severity notable event.\n<\/code><\/span><\/pre>\n\n\n<h3 class=\"wp-block-heading\">3. SOC Dashboard<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Required panels:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Panel<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td>Active security incidents<\/td><td>Current high-risk alerts<\/td><\/tr><tr><td>Email threat summary<\/td><td>Phishing, malware, spam<\/td><\/tr><tr><td>Top targeted users<\/td><td>Users receiving suspicious emails<\/td><\/tr><tr><td>Endpoint compromise indicators<\/td><td>Suspicious process and command line<\/td><\/tr><tr><td>Threat intel matches<\/td><td>IOC activity<\/td><\/tr><tr><td>Incident timeline<\/td><td>Full attack chain<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">4. 
Incident Report<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Students must prepare a final incident report with:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Section<\/th><th>Required Content<\/th><\/tr><\/thead><tbody><tr><td>Executive Summary<\/td><td>What happened<\/td><\/tr><tr><td>Timeline<\/td><td>When each event occurred<\/td><\/tr><tr><td>Affected Users<\/td><td>Who was targeted<\/td><\/tr><tr><td>Affected Hosts<\/td><td>Which systems were involved<\/td><\/tr><tr><td>IOCs<\/td><td>Domains, IPs, hashes, URLs<\/td><\/tr><tr><td>Evidence<\/td><td>SPL results and screenshots<\/td><\/tr><tr><td>Severity<\/td><td>Low\/Medium\/High\/Critical<\/td><\/tr><tr><td>Root Cause<\/td><td>How attack started<\/td><\/tr><tr><td>Impact<\/td><td>What was compromised or attempted<\/td><\/tr><tr><td>Response Actions<\/td><td>Quarantine, block, disable, reset<\/td><\/tr><tr><td>Lessons Learned<\/td><td>Detection and prevention improvements<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Day 5 Deliverables<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Students should submit:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Final SOC dashboard<\/li>\n\n\n\n<li>Detection rule pack<\/li>\n\n\n\n<li>Risk scoring logic<\/li>\n\n\n\n<li>Incident investigation timeline<\/li>\n\n\n\n<li>Final incident report<\/li>\n\n\n\n<li>Presentation of findings<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Complete 5-Day Agenda Summary<\/h1>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Day<\/th><th>Main Topic<\/th><th>Core Outcome<\/th><\/tr><\/thead><tbody><tr><td>Day 1<\/td><td>Splunk Security Foundation<\/td><td>Data onboarding, SPL, dashboards, CIM basics<\/td><\/tr><tr><td>Day 2<\/td><td>SIEM with Splunk Enterprise Security<\/td><td>Correlation searches, notable events, RBA, threat 
intel<\/td><\/tr><tr><td>Day 3<\/td><td>Email Security<\/td><td>Phishing detection, malicious URL\/attachment analysis<\/td><\/tr><tr><td>Day 4<\/td><td>Endpoint Security<\/td><td>Windows\/Linux endpoint detection and investigation<\/td><\/tr><tr><td>Day 5<\/td><td>Integrated SOC Capstone<\/td><td>Full attack-chain investigation and final report<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Recommended Practical Assignments<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Assignment 1 \u2014 SPL Search Practice<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Create 10 SPL searches:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Top email senders<\/li>\n\n\n\n<li>Top email recipients<\/li>\n\n\n\n<li>Failed logins by user<\/li>\n\n\n\n<li>Failed logins by source IP<\/li>\n\n\n\n<li>Suspicious PowerShell<\/li>\n\n\n\n<li>New service installed<\/li>\n\n\n\n<li>Suspicious attachment<\/li>\n\n\n\n<li>Malicious URL click<\/li>\n\n\n\n<li>IOC match<\/li>\n\n\n\n<li>User risk summary<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Assignment 2 \u2014 Email Security Dashboard<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Build a dashboard containing:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Delivered vs blocked emails<\/li>\n\n\n\n<li>Top suspicious senders<\/li>\n\n\n\n<li>Top targeted recipients<\/li>\n\n\n\n<li>Suspicious attachments<\/li>\n\n\n\n<li>Suspicious URLs<\/li>\n\n\n\n<li>Phishing campaign view<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Assignment 3 \u2014 Endpoint Security Dashboard<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Build a dashboard containing:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Top risky hosts<\/li>\n\n\n\n<li>Top risky users<\/li>\n\n\n\n<li>Suspicious PowerShell<\/li>\n\n\n\n<li>Office spawning command shell<\/li>\n\n\n\n<li>Failed login trend<\/li>\n\n\n\n<li>New service installation<\/li>\n<\/ul>\n\n\n\n<h2 
class=\"wp-block-heading\">Assignment 4 \u2014 SIEM Detection Engineering<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Create three detections:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Detection<\/th><th>Severity<\/th><\/tr><\/thead><tbody><tr><td>Brute force followed by success<\/td><td>High<\/td><\/tr><tr><td>Phishing email clicked<\/td><td>High<\/td><\/tr><tr><td>Suspicious PowerShell after email click<\/td><td>Critical<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Assignment 5 \u2014 Final SOC Investigation<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Investigate one complete incident and submit:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Timeline<\/li>\n\n\n\n<li>Evidence<\/li>\n\n\n\n<li>IOCs<\/li>\n\n\n\n<li>Affected users<\/li>\n\n\n\n<li>Affected hosts<\/li>\n\n\n\n<li>Final verdict<\/li>\n\n\n\n<li>Recommended response<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Final Project Evaluation Rubric<\/h1>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Area<\/th><th>Weight<\/th><\/tr><\/thead><tbody><tr><td>SPL correctness<\/td><td>20%<\/td><\/tr><tr><td>SIEM detection quality<\/td><td>20%<\/td><\/tr><tr><td>Email security investigation<\/td><td>15%<\/td><\/tr><tr><td>Endpoint investigation<\/td><td>15%<\/td><\/tr><tr><td>Dashboard quality<\/td><td>10%<\/td><\/tr><tr><td>Incident report quality<\/td><td>10%<\/td><\/tr><tr><td>Final presentation<\/td><td>10%<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Course Outcome<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">After this 5-day program, students should be able to:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Use Splunk for real-world SOC investigations.<\/li>\n\n\n\n<li>Onboard and search email, endpoint, 
identity, and network logs.<\/li>\n\n\n\n<li>Build SIEM detections using SPL.<\/li>\n\n\n\n<li>Investigate phishing and malicious email campaigns.<\/li>\n\n\n\n<li>Detect suspicious endpoint behavior.<\/li>\n\n\n\n<li>Correlate email and endpoint events into one attack story.<\/li>\n\n\n\n<li>Build SOC dashboards and incident reports.<\/li>\n\n\n\n<li>Understand how Splunk Enterprise Security, SOAR, and Attack Analyzer fit into a modern SOC workflow.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Program Title Splunk Security Operations Masterclass: Email Security, SIEM &amp; Endpoint Detection Duration 5 DaysRecommended format: 6\u20137 hours per dayMode: Instructor-led + hands-on labs + final SOC&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[11138],"tags":[],"class_list":["post-77237","post","type-post","status-publish","format-standard","hentry","category-best-tools"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/77237","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=77237"}],"version-history":[{"count":1,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/77237\/revisions"}],"predecessor-version":[{"id":77238,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/77237\/revisions\/77238"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=77237"}],"wp:term
":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=77237"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=77237"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}