Advanced Threat Hunting With Splunk

When it comes to log analysis, Splunk is one of the most popular enterprise-grade solutions in the field today. It can pull logs from nearly any device on the network, and it integrates with most of the popular security products on the market. In the InfoSec field today, Splunk is a common tool for what is called Cyber Threat Hunting, Hunt Teaming, Malware Hunting, Defensive Cyber Operations (DCO), Cyber Threat Analysis, and many other names.

As popular as Splunk is, surprisingly few people are comfortable performing security event analysis with it. We decided to develop a hands-on Splunk course designed specifically for InfoSec professionals who want to do HANDS-ON DEEP TECHNICAL SECURITY ANALYSIS with Splunk.

Deploying Splunk, configuring logging and forwarding

    • Installing Splunk
    • Configuring logging in Windows and Linux
    • Setting up log forwarding
    • Understanding how Windows Event logging works

Attacking Servers and Workstations

    • Learning attacker tools/tactics/procedures (TTPs)
    • Generating real world security events to analyze
    • Attacking Workstations
    • Attacking Application Servers
    • Learning what types of security events generate log events
    • Writing basic queries for common attacks
    • Analyzing PCAP files with Splunk

Hunting with Splunk

    • Data-Centric vs End-Point Hunting
    • Understanding IOCs/IOAs
    • Indicators of Compromise (IOCs)
    • Indicators of Attack (IOAs)
    • Integrating data from popular security products
    • Writing complex queries
    • Detecting Zero-Day attacks

Who is this class for?

IT System Administrators, IT Security Professionals, SOC Analysts, First Responders, Incident Handlers, Intrusion Analysts, Malware Analysts

Class pre-requisites

Students should be familiar with using Windows and Linux operating environments and be able to troubleshoot general connectivity and setup issues.

Students should be familiar with VMware Workstation and be able to create and configure virtual machines.

Students are recommended to have a high-level understanding of key programming concepts, such as variables, loops and functions; however, no programming experience is necessary.

Students will be provided with detailed courseware, detailed lab manuals, and copy/paste notes, so that even if a student is not very strong technically, they will be able to complete the lab exercises and take notes effectively.

Class Schedule & Delivery Method

This class is a hybrid of self-paced and live-online training. By purchasing this course you’ll immediately be given access to the self-paced portion of this training. The self-paced training includes content, lab exercises, videos, and quizzes. The live portion of the training will happen on Tuesday the 6th of November. You can access the course by clicking on the “My Courses” link in the top right corner of https://infosecaddicts.com

Live classes will run on Tuesdays and Thursdays from 6pm EST to 10pm EST

  • Tuesday November 6th
    • 6pm EST to 10pm EST
  • Thursday November 7th
    • 6pm EST to 10pm EST
  • Tuesday November 6th
    • 6pm EST to 10pm EST
  • Thursday November 14th
    • 6pm EST to 10pm EST
  • Saturday November 24th (threat hunting challenge day)
    • 10am EST to 2pm EST

Videos:
Each live class will be recorded and made available to students as additional content in the courses section of the website, so you can keep up with the class even if you have to miss some time or even a whole day.

Support
Students can request help via the support chat system on the site or via the email-based trouble ticketing system (allow 24 hours for a response). Send all questions/concerns to [email protected]

Course By

Marcus Smith

Lessons

Lesson 2: Installing Splunk on the Ubuntu VM

Author: Marcus Smith

Introduction: In this lesson we explain step by step how to install Splunk. Several videos will help you understand the process better, and each screenshot shows the commands necessary for the installation. Learning Objectives: 1) Perform [...]

Lesson 3: Installing the Universal Forwarder

Author: Marcus Smith

Introduction: In this lesson we download and install the Universal Forwarder. It is installed on the host that you want to monitor, which in this case is the Windows 7 virtual machine. Learning Objectives: 1) Download the Universal Forwarder. 2) Install the Universal Forwarder. 3) Configure the forwarder to send data to Splunk [...]

Lesson 4: Attacking your Windows VM

Author: Marcus Smith

Introduction: In this lesson we attack our Windows 7 virtual machine using Ubuntu and Metasploit. If you are not yet familiar with this framework, stop and read a bit about it; it is a handy tool for pentesters. Learning Objectives: 1) Make an attack on our Windows 7 virtual machine. 2) Use Metasploit [...]

Lesson 5: Identifying Security events with Splunk

Author: Marcus Smith

Introduction: In this lesson, we perform a basic search for some critical events. This is done through the Splunk web interface; it is necessary to identify very precisely the event we want to monitor. Learning Objectives: 1) Identify security events. 2) Know some types of important events. Identifying Security events with Splunk: Your task [...]

Lesson 6: Exporting Splunk logs/events

Author: Marcus Smith

Introduction: After obtaining the information about the event we are monitoring, we can export it in several formats in a straightforward way through the Splunk web interface. Learning Objectives: 1) Export logs/events. 2) Know the formats in which the obtained information can be exported. Exporting Splunk logs/events: Below are options for exporting large amounts [...]

Lesson 7: Remove Splunk

Author: Marcus Smith

Introduction: In this lesson, we learn how to remove Splunk from our machine. It is recommended not to do this lesson yet: more than half of the course and all of the lessons require Splunk to be installed. You can still read how it is done; it is very simple. Learning Objectives: 1) [...]

Lesson 8: Hunting With Splunk – Lookup

Author: Marcus Smith

Introduction: In the previous lesson, we described the utility of Splunk for searching logs within Windows systems and using different tools to add to and improve these data-transfer capabilities. Splunk can also be equipped with other sections of the same structure to hunt different threats by searching through the various logs that can [...]

Lesson 9: Using Splunk Stream

Author: Marcus Smith

Introduction: Splunk Stream is a free app that extends Splunk Enterprise, collecting network data and breaking it down into its basic elements according to the protocols in use. Stream supports over 28 protocols across the OSI stack, including UDP, DNS, TCP and many others. A stream is a group of network event data. [...]

Lesson 10: Workflow Actions

Author: Marcus Smith

Introduction: Workflow actions are a Splunk feature that allows faster and more effective analysis. Research tasks on domains, IP addresses, host names, routes, and other fields can be done very simply thanks to the implementation of knowledge objects. Learning Objectives: Describe the workflow functionality. Explain the advantages of a workflow. Workflow Actions: Workflow [...]

Lesson 11: Using Metadata and tstats

Author: Marcus Smith

Introduction: Gathering information is an essential task for understanding what happens in our network. Splunk has metadata and statistics commands that facilitate this task and thus help hunt for possible threats. Learning Objectives: Describe how we can get information by examining metadata and stats. Explain the use of the tstats command. Metadata and Tstats commands: Before mentioning the parameters [...]

Lesson 12: Peeping Through Windows (Logs)

Author: Marcus Smith

Introduction: In this lesson, we explain the Windows event codes, and you will also see an example of how to use them. There are many events you can check; depending on the characteristics of the company and the network, you should choose the activities that can be a threat, then you have [...]