
Splunk: Basics

Learn the basics of Splunk.

As the leading SIEM solution, Splunk collects, analyzes, and correlates logs in real time.

Splunk Components

Splunk's three main components are the Forwarder, Indexer, and Search Head.

Splunk Forwarder

Splunk Forwarder is a lightweight agent installed on an endpoint that needs to be monitored. The Forwarder collects data and sends it to the Splunk instance; because it does only minimal processing on the endpoint, it does not noticeably affect the endpoint's performance.

Key data sources include:

  • Web server generating web traffic.

  • Windows machine generating Windows Event Logs, PowerShell, and Sysmon data.

  • Linux host generating host-centric logs.

  • Database generating DB connection requests, responses, and errors.

Splunk Indexer

Splunk Indexer is the main component: it processes the received data into normalized field-value pairs, determines the data type, and stores the result as events. This is beneficial because processed data is easy to search and analyze.

Search Head

Splunk Search Head allows users to search the indexed logs using Splunk SPL (Search Processing Language). The search request is sent to the Indexer, which returns the relevant events as field-value pairs. Additionally, the Search Head can transform results into visualizations.
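To make the three-stage pipeline concrete, the following Python model is an added example and not Splunk code or part of the original page. It walks a few constructed log lines (a web server access log and Linux sshd syslog entries, both invented for the example) through the three roles described above: a forwarder stage that tags raw lines with host and source metadata, an indexer stage that normalizes each line into field-value pairs, and a search-head stage that answers `field=value` queries and a `stats count by` aggregation over those fields. The regular expressions and the hypothetical `forward`, `index_event`, `search` and `stats_count_by` helpers are assumptions of this toy model, not Splunk's implementation.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample data: what a forwarder on host web01 would read from two files.
# These lines are invented for the example and do not come from a real system.
MONITORED_FILES = {
    "/var/log/httpd/access_log": [
        '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
        '10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "POST /login HTTP/1.1" 401 128',
        '10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "POST /login HTTP/1.1" 401 128',
    ],
    "/var/log/auth.log": [
        "Mar 12 10:02:15 web01 sshd[2201]: Failed password for root from 10.0.0.9 port 51022 ssh2",
        "Mar 12 10:02:20 web01 sshd[2201]: Accepted password for deploy from 10.0.0.5 port 51030 ssh2",
    ],
}

# Field-extraction patterns for the two log formats (toy equivalents of sourcetype parsing).
ACCESS_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+)$'
)
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<process>\w+)\[(?P<pid>\d+)\]: (?P<message>.*)$"
)
SSHD_RE = re.compile(r"^(?P<action>Failed|Accepted) password for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<port>\d+)")


@dataclass
class Event:
    host: str        # metadata attached by the forwarder
    source: str      # file the line came from
    sourcetype: str  # decided by the indexer
    raw: str         # the original line, kept verbatim
    fields: dict     # normalized field-value pairs


def forward(host, files):
    """Forwarder stage: ship raw lines with minimal metadata, no parsing on the endpoint."""
    return [(host, path, line) for path, lines in files.items() for line in lines]


def index_event(host, source, raw):
    """Indexer stage: classify the line and normalize it into field-value pairs."""
    m = ACCESS_RE.match(raw)
    if m:
        return Event(host, source, "access_combined", raw, m.groupdict())
    m = SYSLOG_RE.match(raw)
    if m:
        fields = m.groupdict()
        if fields["process"] == "sshd":
            s = SSHD_RE.match(fields["message"])
            if s:
                fields.update(s.groupdict())  # enrich with sshd-specific fields
        return Event(host, source, "syslog", raw, fields)
    return Event(host, source, "unknown", raw, {})  # unparsed lines are still stored


def build_index(forwarded):
    return [index_event(h, s, raw) for h, s, raw in forwarded]


def search(index, **criteria):
    """Search-head stage: rough equivalent of `sourcetype=X field=value ...` in SPL."""
    hits = []
    for ev in index:
        if all(
            (ev.sourcetype if k == "sourcetype" else ev.fields.get(k)) == v
            for k, v in criteria.items()
        ):
            hits.append(ev)
    return hits


def stats_count_by(events, field_name):
    """Rough equivalent of `| stats count by <field>`."""
    return dict(Counter(ev.fields.get(field_name, "") for ev in events))


if __name__ == "__main__":
    idx = build_index(forward("web01", MONITORED_FILES))
    failed = search(idx, sourcetype="syslog", action="Failed")
    print("failed SSH logins:", [(e.fields["user"], e.fields["src_ip"]) for e in failed])
    print("HTTP requests by source IP:", stats_count_by(search(idx, sourcetype="access_combined"), "src_ip"))
```

The point of the model is the division of labor: the forwarder only tags and ships raw text, the indexer does the expensive parsing once, and the search head then filters and aggregates on named fields rather than re-parsing every line. Notice that the same `src_ip` field name is produced for both log formats, which is what makes a cross-source search such as `src_ip=10.0.0.9` possible.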

Last updated 2 years ago