Good Splunk resources
I have recently taken on a new role at my job and was wondering if anyone here knew of any good books for learning and tweaking Splunk to my needs besides docs.splunk.com. I know the docs site is a very good resource, but I am looking for other resources as well.
I have access to free Splunk training through my company (which I will be starting soon) and I also have access to safari, so I am open to any and all suggestions.
I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
Comments
veritas_libertas (Member, Posts: 5,746)
Unfortunately I've found that Splunk is one of those tools you have to dive into in order to learn. I haven't seen much as far as books go; there are a few good blogs and web sites out there to help with writing queries.
McxRisley (Member, Posts: 494)
cyberguypr wrote: »Are you in an admin role or more of a power user?
I'll be the admin.

veritas_libertas wrote: »Unfortunately I've found that Splunk is one of those tools you have to dive into in order to learn. I haven't seen much as far as books go; there are a few good blogs and web sites out there to help with writing queries.
Yeah, that's exactly what the current admin has told me as well.
xxxkaliboyxxx (Member, Posts: 466)
Not sure what your role is, but I watched some talks on YouTube about IR and threat hunting with Splunk. Just search for those terms on YT.
Studying: GPEN | Reading: SANS SEC560 | Upcoming Exam: GPEN
McxRisley (Member, Posts: 494)
veritas_libertas wrote: »Out of curiosity, are you in a security role?
Yes, I do many things here (all security related), and administering Splunk is being added to that list since our current admin is leaving.
shochan (Member, Posts: 1,014)
Here are a couple of books:
https://www.amazon.com/Big-Data-Analytics-Using-Splunk/dp/143025761X/ref=sr_1_1?ie=UTF8&qid=1515681602&sr=8-1&keywords=9781430257615
https://www.amazon.com/Implementing-Splunk-Development-Operational-Intelligence/dp/1849693285/ref=sr_1_1?s=books&ie=UTF8&qid=1515681669&sr=1-1&keywords=9781849693288
CompTIA A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+, ISC² CC, ISC² SSCP
McxRisley (Member, Posts: 494)
xxxkaliboyxxx wrote: »Not sure what your role is, but I have watched some talks on YouTube about IR and threat hunting with Splunk. Just search for those terms on YT.
Network security team lead will be my official role title, but I will mainly be dealing with log monitoring and occasionally doing some offensive stuff. I've been pushing for them to finally let us do pentesting here, but upper management is the issue with that happening. I was previously a pentester at my last company.
tedjames (Member, Posts: 1,182)
Occupy The Web (OTW) usually has some great training on his site.
https://www.hackers-arise.com/search-results-page/splunk
xxxkaliboyxxx (Member, Posts: 466)
McxRisley wrote: »Network security team lead will be my official role title, but I will mainly be dealing with log monitoring and occasionally doing some offensive stuff. I've been pushing for them to finally let us do pentesting here, but upper management is the issue with that happening. I was previously a pentester at my last company.
Those talks on YouTube are mainly defensive, either reactionary or proactive. With your Red Team knowledge (OSCP), you would be a perfect candidate for threat hunting, which is still defensive.
dmoore44 (Member, Posts: 646)
If your place of employ already has a relationship with Splunk, see if they'd be willing to host a Boss of the SOC event (.conf2017 - Boss of the SOC).
Or, see if there's a Splunk Users Group in your area; lots of good info passes between Splunk users there. You might also find out that another company in your area is planning on hosting a BOTS event.
Graduated Carnegie Mellon University MSIT: Information Security & Assurance. Currently Reading Books on TensorFlow
McxRisley (Member, Posts: 494)
Thanks for the tips, guys, I really appreciate it. For now I will just be doing the official Splunk training up to admin. My company has been the #1 Splunk partner for the last couple of years, and they have their own certified Splunk instructor on site. So I will be finishing up the User and Power User courses within the next 2 weeks and then attend one of our company training events for the admin course.