Good Splunk resources

McxRisley OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin Member Posts: 494
I have recently taken on a new role at my job and was wondering if anyone here knew of any good books for learning and tweaking Splunk to my needs besides docs.splunk.com. I know the docs site is a very good resource but I am looking for other resources as well.

I have access to free Splunk training through my company (which I will be starting soon) and I also have access to safari, so I am open to any and all suggestions.
I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.

Comments

  • cyberguypr Senior Member Mod Posts: 6,917
    Are you in an admin role or more of a power user?
  • veritas_libertas CISSP, GIAC x5, CompTIA x5 Greenville, SC USA Member Posts: 5,738
    Unfortunately I've found that Splunk is one of those tools you have to dive into in order to learn. I haven't seen much as far as books go; there are a few good blogs and web sites out there to help with writing queries.
    Currently working on: Linux and Python
  • McxRisley OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin Member Posts: 494
    cyberguypr wrote: »
    Are you in an admin role or more of a power user?

    I'll be the admin.
    veritas_libertas wrote: »
    Unfortunately I've found that Splunk is one of those tools you have to dive into in order to learn. I haven't seen much as far as books go; there are a few good blogs and web sites out there to help with writing queries.

    Ya that's exactly what the current admin has told me as well.
  • veritas_libertas CISSP, GIAC x5, CompTIA x5 Greenville, SC USA Member Posts: 5,738
    Out of curiosity, are you in a security role?
  • xxxkaliboyxxx Member Posts: 466
    Not sure what your role is, but I watched some talks on YouTube about IR, Threat Hunting with Splunk. Just search for those terms on YT.
    Studying: GPEN
    Reading: SANS SEC560
    Upcoming Exam: GPEN
  • McxRisley OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin Member Posts: 494
    veritas_libertas wrote: »
    Out of curiosity, are you in a security role?

    Yes, I do many things here (all security related) and administering Splunk is being added to that list since our current admin is leaving.
  • McxRisley OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin Member Posts: 494
    xxxkaliboyxxx wrote: »
    Not sure what your role is, but I have watched some talks on YouTube about IR and threat hunting with Splunk. Just search for those terms on YT.

    Network security team lead will be my official role title, but I will be mainly dealing with log monitoring and occasionally doing some offensive stuff. I've been pushing for them to finally let us do pentesting here but upper management is the issue with that happening. I was previously a pentester at my last company.
  • tedjames Scruffy-looking nerfherdr Member Posts: 1,179
    Occupy The Web (OTW) usually has some great training on his site.
    https://www.hackers-arise.com/search-results-page/splunk
  • xxxkaliboyxxx Member Posts: 466
    McxRisley wrote: »
    Network security team lead will be my official role title, but I will be mainly dealing with log monitoring and occasionally doing some offensive stuff. I've been pushing for them to finally let us do pentesting here but upper management is the issue with that happening. I was previously a pentester at my last company.

    Those talks on YouTube are mainly defensive, either reactionary or proactive. With your Red Team knowledge (OSCP), you would be a perfect candidate for threat hunting, which is still defensive.
  • NOVA_USA Member Posts: 13
    Udemy has a bunch of videos. Prices may vary.
  • dmoore44 Member Posts: 646
    If your place of employ already has a relationship with Splunk, see if they'd be willing to host a Boss of the SOC event (.conf2017 - Boss of the SOC)

    Or, see if there's a Splunk Users Group in your area - lots of good info passes between Splunk users there. You might also find out that another company in your area is planning on hosting a BOTS event.
    Graduated Carnegie Mellon University MSIT: Information Security & Assurance. Currently Reading: Books on TensorFlow
  • McxRisley OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin Member Posts: 494
    Thanks for the tips guys, I really appreciate it. For now I will just be doing the official Splunk training up to admin. My company has been the #1 Splunk partner for the last couple of years and they have their own personal certified Splunk instructor on site. So I will be finishing up the User and Power User courses within the next 2 weeks and then I will attend one of our company training events for the admin course.