Overview:

Investigating with Splunk is a modular, hands-on workshop designed to familiarize participants with how to investigate incidents using Splunk together with open source tools and data. The workshop gives attendees experience searching in Splunk to answer the specific questions an investigation raises, questions similar to those asked in their own organizations. It leverages the popular Boss of the SOC (BOTS) dataset in a question-and-answer format. Attendees will leave with a better understanding of how Splunk can be used to investigate incidents in their enterprise.

The workshop is approximately 2 hours and includes real-time access to a Splunk SME and the opportunity to get hands-on experience with Splunk. Our SME will cover:

  • An investigation primer
  • Ransomware scenario

During the scenario, we will construct a timeline of events as well as traffic flow diagrams to help visualize what has happened. Why aren't we using the Lockheed Martin Cyber Kill Chain for this? The Kill Chain was not really designed for commodity malware; it focuses on targeted adversary attacks. During an investigation you may find yourself working backward to reconstruct an attack, but you may also land somewhere in the middle of one, where you must work backward to reconstruct what already happened and forward to find out whether additional actions have transpired since. For simplicity, we will walk through this scenario in chronological order and build our timeline and traffic flow as we progress.
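The timeline and traffic-flow approach described above can be sketched in a few lines of code. The following is an added example written for this page, not workshop material or BOTS data: the events, field layout, IP addresses and the `pivot` helper are all constructed for illustration. It takes events in whatever order they were retrieved, orders them into a timeline, aggregates source/destination pairs into the flow counts a traffic diagram is drawn from, and splits the timeline at a chosen moment so an analyst who enters mid-incident can look backward and forward from that point.

```python
"""Build an incident timeline and traffic-flow summary from raw events.

Added example for this page; the event format and data are constructed,
not taken from the BOTS dataset.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events, deliberately out of chronological order, in the
# form: "<ISO-8601 UTC timestamp> <src> <dst> <action> <free-text note>".
RAW_EVENTS = [
    "2021-05-03T10:07:12Z 10.0.2.15 203.0.113.42 http_get payload download",
    "2021-05-03T10:02:30Z 203.0.113.42 10.0.2.15 smtp_deliver phishing attachment",
    "2021-05-03T10:09:01Z 10.0.2.15 10.0.2.20 smb_write encrypted share files",
    "2021-05-03T10:05:44Z 10.0.2.15 10.0.2.15 process_start macro launches dropper",
    "2021-05-03T10:08:05Z 10.0.2.15 203.0.113.42 http_post c2 beacon",
    "2021-05-03T10:09:30Z 10.0.2.15 10.0.2.20 smb_write encrypted share files",
]

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    action: str
    note: str


def parse_events(lines: list[str]) -> list[Event]:
    """Parse the constructed line format; malformed lines are skipped."""
    events = []
    for line in lines:
        parts = line.split(" ", 4)
        if len(parts) != 5:
            continue
        ts, src, dst, action, note = parts
        events.append(Event(datetime.strptime(ts, TS_FORMAT), src, dst, action, note))
    return events


def build_timeline(events: list[Event]) -> list[Event]:
    """Order events chronologically; this is the timeline we build during the scenario."""
    return sorted(events, key=lambda e: e.ts)


def traffic_flows(events: list[Event]) -> dict[tuple[str, str], int]:
    """Count (src, dst) pairs; each pair is one edge in a traffic-flow diagram."""
    flows: dict[tuple[str, str], int] = defaultdict(int)
    for e in events:
        if e.src != e.dst:  # host-local events are not network flows
            flows[(e.src, e.dst)] += 1
    return dict(flows)


def pivot(events: list[Event], at: str) -> tuple[list[Event], list[Event]]:
    """Split the timeline at a point of interest (assumed helper, not workshop code).

    Returns (before, after): 'before' is what to reconstruct backward from,
    'after' is what to investigate forward from, both in chronological order.
    """
    moment = datetime.strptime(at, TS_FORMAT)
    timeline = build_timeline(events)
    before = [e for e in timeline if e.ts < moment]
    after = [e for e in timeline if e.ts >= moment]
    return before, after


if __name__ == "__main__":
    evts = parse_events(RAW_EVENTS)
    for e in build_timeline(evts):
        print(f"{e.ts:{TS_FORMAT}} {e.src:>13} -> {e.dst:<13} {e.action:13} {e.note}")
    print("flows:", traffic_flows(evts))
    before, after = pivot(evts, "2021-05-03T10:08:05Z")
    print(f"{len(before)} events before the beacon, {len(after)} at or after it")
```

In Splunk the same two views come from `| sort _time` for the timeline and `| stats count by <source field> <destination field>` for the flow edges; the actual field names depend on the sourcetype you are searching, which is exactly the sort of detail the hands-on portion of the workshop works through.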

Benefits:

Attendees will receive expert guidance from August Schell's Splunk security subject matter expert, Alex Maier. You'll learn from Splunkers who have years of experience, not only in Splunk but also in security. 

The workshop incorporates real world data. Based on attack scenarios from Splunk's Boss of the SOC, the data collected showcases common security attacks that you may encounter on a daily basis.

Lastly, this workshop lets participants interact with Splunk and the data set to gain a better understanding on how to answer security questions using Splunk during the 'hands-on time' that's built into the workshop agenda.

About the Speaker:

Alex Maier, one of August Schell's senior engineers and a Splunk Certified Architect, will be delivering the demo. Alex has been deploying, maintaining, and expanding our customers' Splunk environments for more than seven years.

Next Events in this Series:

May 12, 2021 | Custom Basic Core IT Ops with Splunk | 1PM to 3PM Eastern