Splunk

Splunk Inc.

Industry-leading log search, analytics, and SIEM platform.

Tags: Logging & SIEM · Commercial · Platform / Suite · Practiced in lab · Cross-platform

Cyber Kill Chain & Defender Lifecycle

Attacker — Kill Chain: 1 Reconnaissance · 2 Weaponization · 3 Delivery · 4 Exploitation · 5 Installation · 6 Command & Control · 7 Actions on Objectives
Defender — IR Lifecycle: 8 Detection / Monitoring · 9 Containment & Eradication · 10 Post-incident Forensics

Description

Splunk is the dominant commercial SIEM and log analytics platform. Its Search Processing Language (SPL) is one of the most expressive query languages in the industry, and CySA+ questions frequently quote SPL snippets.

What to know:

  • Universal Forwarder vs Heavy Forwarder vs Indexer vs Search Head architecture.
  • Data models, CIM, accelerated searches for Enterprise Security.
  • SPL fundamentals: index= ... | search ... | stats count by ... | sort - count.
  • Splunk ES correlation searches, notable events, and risk-based alerting.

Use cases

  • SIEM use-case engineering and correlation
  • Threat hunting across raw logs at scale
  • Dashboards for executive and SOC consumption
  • Compliance reporting (PCI, HIPAA)

Example

index=wineventlog EventCode=4625
| stats count by Account_Name, src_ip
| where count > 10
| sort - count