finding badness with log analysis
SIEM Essentials
A Security Information and Event Management system (SIEM) is an essential tool in modern detection and response security operations. Therefore, having skills with data manipulation in Splunk (or its open-source sister, ELK/Kibana, or their many SIEM cousins) is an absolute *MUST* for the modern-day security specialist. The fact that these wonderful applications can ingest logs from EVERY DEVICE OR TOOL THAT CAN MAKE A LOG ON YOUR NETWORK and construct a framework to intelligently scour that data for clues about hijinks consistently blows my mind.
It can take a while to truly grasp how important this is, as well as the amazing dashboards, automation, and analytics you might be able to build, but you gotta start somewhere.
Splunk Fundamentals 1 Course
This is Splunk's free training/overview of Splunk Enterprise. Fundamentals 2 digs into how to use more of the core commands and allows you to take the exam for the Splunk Power User Certification but costs $2000, unfortunately. You won't need it if you spend enough time solving problems with the product.
Splunk Introductory Documentation
Here you can read the Overview, the Installation Manual, the Search Tutorial, and Getting Data In. This will give you the big-picture idea of what Splunk does and *how* it does it, so you'll know how to get it to do what you want. Then, if you need help trying to do a specific thing...
Splunk Community
If you're trying to do something, someone else has probably tried to do that same thing and run into that same problem. Or sometimes, reading about similar problems may help you solve your own. I regularly Google "site:community.splunk.com "how thing" supplementary things" to get ideas on how to solve a problem. Think of this as StackOverflow for Splunk.
Splunk Blue Team Academy
I’ve been so honored to be part of making these awesome courses. We were looking for something that specifically prepares someone for the role of SOC Analyst and the skills needed, and couldn’t find anything out there! Ultimately this will be a suite of free training, as well as some hands-on labs, that culminate in a Cybersecurity Defense Analyst certification (which will cost a small amount to run through Pearson VUE certification centers).
The month we came out with our first module, Google released their Cybersecurity Professional Certification which looks to be pretty good, but we’re covering things from a different and more concise angle. You can register for six out of the upcoming seven courses here:
The Cybersecurity Landscape
Understanding Threats and Attacks
Security Operations and the Defense Analyst
Data and Tools for Defense Analysts
The Art of Investigation
Investigating with Splunk - with Labs (300 USD)
Splunk Docs
If you ever have trouble with a command or know that something *can* do something but you're not sure *how*, here is where to turn.
Leveling Up
Boss of the SOC
Some of the lovely Splunk folks have crafted this CTF-style competition called Boss of the SOC and it is a great introduction to what you can do with Splunk.
If you create an account on Splunk’s website, you’ll be able to create and explore all sorts of environments on the BOTS Portal. My two favorites for beginners are the “Investigating Ransomware / APT with Splunk” modules, as there are videos as well as a Splunk app that guides you through answering all of the questions. This is one of my favorite teaching tools of all time! Definitely check it out if you’re interested in HOW you actually do what you need to do as a Security Analyst.
Hunting with Splunk
The security folks here have posted some really great articles; a lot of these will be way past where you're at with Splunk but it may help show you how the pros use it!
Knowing Good to Find Evil
This is all to give you an idea of the kinds of things we look for to determine badness and WHY. All of this is subsumed under the skills of digital forensics analysis, and there is always more to learn. A good way of knowing what is bad is knowing what good normally looks like, and this poster from SANS is a great infographic to teach you part of that. Another excellent poster, by @ACEResponder on Twitter, is the Periodic Table of Windows Events, which gives you an idea of what can happen in a Windows environment and what might be relevant to a security investigation. Not every event will be equally relevant, but Malware Archaeology provides some great cheat sheets on which Windows audit settings and event IDs you should enable, plus links to other great resources!
There are so many cool videos out there that can help you build these skillsets; take notes while you learn and soon enough all of the pieces will start fitting together.
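To make the "know good to find evil" idea concrete, here is an added example (my own, not code from the original post or from SANS) that checks constructed Windows process-creation events against a small baseline of what core system processes normally look like: which parent is expected to spawn them and which directory they should run from. The parent/child pairs and paths in the baseline are an illustrative summary of commonly documented Windows behaviour, not an authoritative list, and the sample records are made up (the field names `New_Process_Name` and `Creator_Process_Name` match what the Splunk Windows add-on extracts from event 4688, but the values are constructed).

```python
"""Baseline check of Windows 4688 process-creation events ("know normal, find evil").

Added example: an illustrative baseline of expected parent processes and
install directories for core Windows processes, applied to constructed
key=value event records. The baseline is an assumption for demonstration,
not an exhaustive or authoritative reference.
"""
from __future__ import annotations

from dataclasses import dataclass

# Expected parent image for each core process (lower-cased image names).
# "system" covers the kernel pseudo-process that starts the first smss.exe.
EXPECTED_PARENT: dict[str, set[str]] = {
    "smss.exe": {"system", "smss.exe"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "explorer.exe": {"userinit.exe"},
}

# Directory each core process is expected to run from.
EXPECTED_DIR: dict[str, str] = {name: r"c:\windows\system32" for name in EXPECTED_PARENT}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"

# Constructed sample events: one normal svchost, an lsass.exe with the wrong
# parent, an svchost.exe running from the wrong path, a process outside the
# baseline, and a non-4688 event that should be ignored.
SAMPLE_EVENTS = r"""
EventCode=4688 New_Process_Name=C:\Windows\System32\svchost.exe Creator_Process_Name=C:\Windows\System32\services.exe
EventCode=4688 New_Process_Name=C:\Windows\System32\lsass.exe Creator_Process_Name=C:\Windows\System32\cmd.exe
EventCode=4688 New_Process_Name=C:\Users\Public\svchost.exe Creator_Process_Name=C:\Windows\System32\services.exe
EventCode=4688 New_Process_Name=C:\Windows\System32\notepad.exe Creator_Process_Name=C:\Windows\explorer.exe
EventCode=4624 Logon_Type=3 Account_Name=alice
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    process: str
    reason: str


def parse_kv(line: str) -> dict[str, str]:
    """Parse a whitespace-separated key=value record into a dict."""
    fields: dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def split_path(path: str) -> tuple[str, str]:
    """Return (lower-cased directory, lower-cased image name) for a Windows path."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def check_event(line_no: int, fields: dict[str, str]) -> list[Finding]:
    """Compare one 4688 event against the baseline; non-4688 events yield nothing."""
    findings: list[Finding] = []
    if fields.get("EventCode") != "4688":
        return findings
    child_dir, child = split_path(fields.get("New_Process_Name", ""))
    _, parent = split_path(fields.get("Creator_Process_Name", ""))
    if child not in EXPECTED_PARENT:
        return findings  # not a core process; nothing in the baseline to compare against
    if parent not in EXPECTED_PARENT[child]:
        findings.append(Finding(line_no, child, f"unexpected parent {parent!r}"))
    if child_dir != EXPECTED_DIR[child]:
        findings.append(Finding(line_no, child, f"unexpected path {child_dir!r}"))
    return findings


def scan(text: str) -> list[Finding]:
    """Run the baseline check over every non-empty line of a log excerpt."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.strip().splitlines(), start=1):
        if line.strip():
            findings.extend(check_event(line_no, parse_kv(line)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"line {f.line_no}: {f.process}: {f.reason}")
```

The point is the shape of the logic rather than the two rules themselves: a tiny table of "what normal looks like" plus a comparison turns raw 4688 noise into two actionable lines (an `lsass.exe` spawned by `cmd.exe`, and an `svchost.exe` living under `C:\Users\Public`), while leaving the legitimate svchost and the unlisted notepad alone. In Splunk the same idea is usually expressed as a lookup table of expected parents and paths joined against the process-creation events, with a `where` clause flagging the mismatches.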
Setting Up Your Own Splunk Instance
You can also try setting up Splunk inside a lightweight VM or Docker to start using it at home. Using sample data is alright, but setting up devices in your own network to forward logs into that Splunk instance will be an INVALUABLE learning experience. Be prepared for a long road ahead, but there's a pot of gold at the end!
Hope that gets you started in the right direction!