analyzing-security-logs-with-splunk
Installation
SKILL.md
Analyzing Security Logs with Splunk
When to Use
- Investigating a security incident that requires correlation across multiple log sources
- Hunting for adversary activity using known TTPs and IOCs
- Building detection rules for specific attack patterns
- Reconstructing an incident timeline from disparate log sources
- Analyzing authentication anomalies, lateral movement, or data exfiltration patterns
Do not use for real-time packet-level analysis; use Wireshark or Zeek for full packet capture analysis.
Prerequisites
- Splunk Enterprise or Splunk Cloud with Enterprise Security (ES) app installed
- Log sources ingested: Windows Event Logs (via Splunk Universal Forwarder or WEF), firewall, proxy, DNS, EDR, email gateway
- Splunk CIM (Common Information Model) data models configured for normalized field names
- SPL proficiency at intermediate level or higher
- Role-based access with
searchandaccelerate_searchcapabilities in Splunk