Palacin, V. (2020). Practical Threat Intelligence and Data-Driven Threat Hunting. Packt Publishing. Chapter 3: Where does data come from?
In order to hunt for threats, threat analysts must have access to several sources of data, including system logs (endpoint logs) and network logs. In this lesson, you will learn about the data that's been collected, Windows operating system specific tools/logs, and network logs. Feel free to skim through the operating system basics and networking basics if you are already familiar with these concepts.
Splunk provides a powerful yet simple-to-use search query language for effectively finding relevant events among a large number of events. This guide from TryHackMe provides an introduction to the Search & Reporting App in Splunk and walks you through the most commonly used query patterns with examples.
SANS Digital Forensics and Incident Response. (2023, March 21). Deconstructing the Analyst Mindset [Video]. YouTube. https://www.youtube.com/watch?v=Qy-19aRN58M In this keynote, Chris Sanders, Founder of Applied Network Defense, walks you through the question of how analysts conduct investigations.
SANS Digital Forensics and Incident Response. (Uploaded 8 years ago). SANS DFIR Webcast - Incident Response Event Log Analysis [Video]. YouTube. https://www.youtube.com/watch?v=Xw536W7kbDQ In this talk, you will learn about Windows Event Logs through real attack examples.
The Splunk Security Essentials app provides an extensive library of over 900 pre-built detections and data recommendations that work with any version of Splunk.
While we focus on the Splunk SIEM in this course, you are highly encouraged to have at least a basic understanding of the ELK (Elasticsearch, Logstash, Kibana) open source stack, which is also used in the industry as a SIEM tool.