█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Incident Response/Hands-on: SIEM Basics with Splunk
60 minIntermediate

Hands-on: SIEM Basics with Splunk

After this lesson, you will be able to: Use Splunk Free (or the Splunk Boss of the SOC dataset) to query logs, write a detection, and build a basic alert.

SIEM is the central nervous system of every SOC. Splunk is the most-used SIEM in the world and the lingua franca of detection engineering interviews. This lesson gets you running queries in a real Splunk instance and writing your first detection.

Prerequisites:Incident Response in Practice

What a SIEM actually is

A SIEM (Security Information and Event Management) collects logs from every system that matters (endpoints, servers, firewalls, cloud, identity), normalises them, and lets analysts search across the whole environment. On top of search, it provides alerting (a saved query that runs on a schedule and fires when results appear), dashboards, and case-management workflows. Splunk dominates the enterprise market. Microsoft Sentinel, Elastic Security, Sumo Logic, and Chronicle (Google) are the other big names you'll see on job postings.

Stand up Splunk Free

The Free tier indexes up to 500MB of data per day and is enough for serious learning.

  1. 1

    Sign up at splunk.com (free) and download Splunk Enterprise (the free tier flag activates after 60 days, plenty of time to learn)

  2. 2

    Install on your host OS or in a small Linux VM (Splunk has 1-click installers for Windows, macOS, Linux)

  3. 3

    Start Splunk and log in to http://localhost:8000 with the admin account you set during install

  4. 4

    Download the Splunk Boss of the SOC v1 dataset (https://github.com/splunk/botsv1-attack-only) and follow its README to import data

  5. 5

    Go to Search & Reporting and run a first query: index=botsv1 | stats count by sourcetype

The SPL queries every SOC analyst memorises

Splunk Processing Language (SPL) is its own dialect. These five queries cover most day-to-day work.

tsx
# 1. Top user-agents in HTTP logs (find suspicious automation)
index=botsv1 sourcetype=stream:http
| stats count by http_user_agent
| sort -count
# 2. Failed logins clustered by source IP (brute force candidates)
index=botsv1 sourcetype=WinEventLog:Security EventCode=4625
| stats count by src_ip, user
| where count > 5
# 3. Outbound traffic to rare destinations (potential exfil)
index=botsv1 sourcetype=stream:tcp dest_ip!=10.0.0.0/8
| stats count by dest_ip
| sort count
# 4. PowerShell encoded commands (often malicious)
index=botsv1 sourcetype=WinEventLog:* CommandLine="*-enc*"
| table _time, host, user, CommandLine
# 5. New process executions by parent (look for cmd.exe spawned from word.exe)
index=botsv1 sourcetype=WinEventLog:* EventCode=4688
| stats values(NewProcessName) by ParentProcessName

Write your first detection

Saved searches become alerts. This is the basic loop of detection engineering.

  1. 1

    Pick a query above that looks for malicious behavior (e.g., #2: clustered failed logins)

  2. 2

    In the Search bar, run it and adjust until it returns true positives in the BOTS dataset

  3. 3

    Save As > Alert. Give it a name and a schedule (every 5 minutes)

  4. 4

    Set trigger conditions: 'Number of Results' > 5 within 5 min

  5. 5

    Set action: Add to Triggered Alerts (for the lab), in production you'd send to email / Slack / case-management

  6. 6

    Leave it running; check Triggered Alerts after another search cycle confirms it fires

  7. 7

    Document the alert: title, query, false-positive rate, response steps. This becomes the alert runbook.

💡 Alert fatigue is the real enemy

An alert that fires 200 times a day teaches your team to ignore it. Write detections that are SPECIFIC (rare behaviour, real signal) and PAIR each with a runbook so the analyst knows exactly what to check. Detections without runbooks are noise, not security.

Common mistakes only experienced detection engineers catch

Alerting on raw signals (every 4625 event) instead of correlated patterns (5+ failures from one IP across 5+ accounts in 5 min). Forgetting time-based context, the same activity is suspicious at 3am and benign at 10am. Not testing detections against the BOTS dataset (or similar) before pushing to prod, false positives ship by default. Not measuring alert volume after deployment, alerts that fire too often or too rarely both die in the queue. Skipping the runbook, the alert is the question, the runbook is the answer.

Quick Check

Which detection is most likely to be useful in production?

Pick the one that minimises false positives.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Incident Response in Practice
Back to Incident Response
Tabletop Exercise: Credential Compromise→