Level: Technical

Abstract:

Investigating with Splunk is a modular, hands-on workshop designed to familiarize participants with how to investigate incidents using Splunk and open source. This workshop provides users a way to gain experience searching in Splunk to answer specific questions related to an investigation. These questions are similar to what would be asked in their own organizations. The workshop leverages the popular Boss of the SOC (BOTS) dataset in a question and answer format. Users will leave with a better understanding of how Splunk can be used to investigate in their enterprise.

Full description:

Splunk has open-sourced a data set that contains attack simulation data along with lots of noise. The class will log into cloud instances of Splunk, and conduct investigations around two different attack scenarios — a web based attack, and a ransomware incident. The data set tries to emulate real world simulations as closely as possible. Students will learn real investigation and searching tactics, using Splunk and open-source tools. They will have access to the tools and data after the class, so they can take them home and practice after the conference as well.

Prerequisites:

• Students should bring a laptop
• Students should have a very basic understanding of Splunk, or they can take the following on-line training to prepare for the workshop: https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html

Bio:

Robert Wagner is a security professional with 15+ years of InfoSec experience. He is a co-founder of “Hak4Kidz”, an organizer of BurbSecCon in Chicago, and is on the Board of Directors of the ISSA Chicago Chapter.