๐Ÿ‘จโ€๐Ÿ’ป๐Ÿ’ฅ[๐’๐ฉ๐ฅ๐ฎ๐ง๐ค ๐’๐ˆ๐„๐Œ ๐‡๐จ๐ฆ๐ž ๐‹๐š๐›]๐Ÿ’ฅ๐Ÿ‘ฉโ€๐Ÿ’ป

Javed Khan
2 min read · Aug 11, 2023


This is the most powerful home lab focused on setting up a Splunk SIEM and working through real-world use cases.
If you're interested in becoming a SOC Analyst (Tier 1/2), this lab will give you hands-on practice with SOC tools, detection rules, queries, apps, and integrations.

๐ŸŸข ๐๐ฅ๐š๐ญ๐Ÿ๐จ๐ซ๐ฆ ๐š๐ง๐ ๐Ž๐’
๐Ÿ“Œ Download Virtualbox https://www.virtualbox.org/wiki/Downloads
๐Ÿ“Œ Download Windows Server 2019 [FREE TRIAL 180 days] https://info.microsoft.com/ww-landing-windows-server-2019.html

๐ŸŸข ๐’๐ž๐ญ ๐ฎ๐ฉ ๐’๐ฉ๐ฅ๐ฎ๐ง๐ค ๐’๐ˆ๐„๐Œ
๐Ÿ“Œ Download Splunk Enterprise [FREE TRIAL 60 days] https://www.splunk.com/en_us/download/splunk-enterprise.html
๐Ÿ“Œ Download Splunk Security Essentials App [FREE] https://splunkbase.splunk.com/app/3435

๐ŸŸข ๐’๐š๐ฆ๐ฉ๐ฅ๐ž ๐’๐ž๐œ๐ฎ๐ซ๐ข๐ญ๐ฒ ๐ƒ๐š๐ญ๐š๐ฌ๐ž๐ญ
๐Ÿ“Œ BOTS V2 Dataset [16.4 GB]. https://s3.amazonaws.com/botsdataset/botsv2/botsv2_data_set_attack_only.tgz
๐Ÿ“Œ BOTS V2 Dataset(Attack Only) [3.2 GB] https://s3.amazonaws.com/botsdataset/botsv2/botsv2_data_set.tgz

🟢 Top 20 Use Cases
You can go through the full list of Splunk queries, detection rules and playbooks here: https://research.splunk.com/detections/
I've listed the top 20 detection rules below:
โญ ๐Œ๐ฎ๐ฅ๐ญ๐ข๐ฉ๐ฅ๐ž ๐…๐š๐ข๐ฅ๐ž๐ ๐‹๐จ๐ ๐ข๐ง๐ฌ: Detect multiple failed login attempts within a short time frame from a single source IP.
โญ๐”๐ง๐ฎ๐ฌ๐ฎ๐š๐ฅ ๐€๐œ๐œ๐จ๐ฎ๐ง๐ญ ๐€๐œ๐ญ๐ข๐ฏ๐ข๐ญ๐ฒ: Monitor for unusual activities, such as excessive failed logins or multiple password changes within a short time for a specific user.
โญ๐๐ซ๐ฎ๐ญ๐ž ๐…๐จ๐ซ๐œ๐ž ๐€๐ญ๐ญ๐š๐œ๐ค: Look for repeated login failures across multiple accounts within a specific time window.
โญ๐๐ซ๐ข๐ฏ๐ข๐ฅ๐ž๐ ๐ž๐ ๐€๐œ๐œ๐จ๐ฎ๐ง๐ญ ๐”๐ฌ๐š๐ ๐ž: Monitor privileged account logins and actions to identify any unauthorized or unusual activities.
โญ๐Œ๐š๐ฅ๐ฐ๐š๐ซ๐ž ๐€๐ซ๐ญ๐ข๐Ÿ๐š๐œ๐ญ๐ฌ: Search for known malware file hashes, filenames, or command-and-control IP addresses.
โญ๐Ž๐ฎ๐ญ๐›๐จ๐ฎ๐ง๐ ๐ƒ๐š๐ญ๐š ๐„๐ฑ๐Ÿ๐ข๐ฅ๐ญ๐ซ๐š๐ญ๐ข๐จ๐ง: Detect large data transfers to external destinations that may indicate data exfiltration.
โญ๐ˆ๐ง๐›๐จ๐ฎ๐ง๐ ๐’๐ฎ๐ฌ๐ฉ๐ข๐œ๐ข๐จ๐ฎ๐ฌ ๐“๐ซ๐š๐Ÿ๐Ÿ๐ข๐œ: Look for unexpected incoming traffic from suspicious IP addresses or geolocations.
โญ๐€๐ง๐จ๐ฆ๐š๐ฅ๐จ๐ฎ๐ฌ ๐๐ž๐ญ๐ฐ๐จ๐ซ๐ค ๐“๐ซ๐š๐Ÿ๐Ÿ๐ข๐œ: Identify unusual network traffic patterns, such as spikes or deviations from baseline.
โญ๐’๐ฎ๐ฌ๐ฉ๐ข๐œ๐ข๐จ๐ฎ๐ฌ ๐”๐ฌ๐ž๐ซ-๐€๐ ๐ž๐ง๐ญ ๐’๐ญ๐ซ๐ข๐ง๐ ๐ฌ: Identify potentially malicious user-agent strings used in web requests.
โญ๐‘๐š๐ง๐ฌ๐จ๐ฆ๐ฐ๐š๐ซ๐ž ๐€๐œ๐ญ๐ข๐ฏ๐ข๐ญ๐ฒ: Detect ransomware indicators like file renames with specific extensions or ransom notes.
