Writing Detection Rules and Correlation
Create Splunk SPL or Kibana KQL queries to detect brute force, lateral movement, and data exfiltration.
Detection Engineering Basics
Detection rules translate attacker behaviors into query logic that fires when the pattern appears in logs. A good rule is specific enough to keep false positives low, yet broad enough to catch variations of the technique: a brute-force rule that only counts failures per source IP and account, for example, will miss a password spray that tries one guess against many accounts, so the same logic is usually also run per source IP alone.
Splunk SPL: Search Processing Language
SPL queries use a pipe syntax: search → transform → display. Start with an index and sourcetype, filter for relevant events, and aggregate or alert on the results.
# Basic SPL structure
index=security sourcetype=WinEventLog EventCode=4625
| stats count by src_ip, user
| where count > 10
| sort -count
# Explanation:
# Search the security index for Windows logon failures (EventCode 4625)
# Count failures per source IP + user
# Keep only pairs with more than 10 failures; the count covers the search's
#   time range, so schedule the alert over a fixed window (e.g. the last 15 minutes)
# Sort descending by count
# Field names such as src_ip and user depend on the add-on's field extractions;
#   check them against a raw 4625 event before saving the alert
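The following Python is an added worked example, not code from the lesson or from Splunk. It replays what the SPL above computes (count EventCode 4625 failures per src_ip + user, alert above 10) over a handful of constructed log lines, and adds the two things the query alone leaves out: a sliding time window, and a correlation step that escalates when a 4624 success from the same source follows the failures. It also runs the same count grouped by src_ip only, which is the "broad enough" variant from the basics section that catches a password spray. The log lines, field names (src_ip, user, EventCode) and thresholds are all constructed for the example.

```python
"""Brute-force detection and correlation over constructed Windows logon events.
Added example: mirrors the SPL count-by-src_ip-and-user logic, adds a sliding
window, a per-source grouping for sprays, and a 4625 -> 4624 correlation."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (key=value, one event per line; not real data).
#   alice @ 10.0.0.5 : 12 failures in 33 seconds, then a success -> guessed password
#   bob   @ 10.0.0.9 : 12 failures spaced 20 minutes apart       -> slow brute force
#   10.0.0.7         : 1 failure against each of 12 accounts     -> password spray
SAMPLE_LOGS = (
    [f"2024-05-01T10:00:{s:02d} EventCode=4625 src_ip=10.0.0.5 user=alice"
     for s in range(0, 36, 3)]
    + ["2024-05-01T10:00:40 EventCode=4624 src_ip=10.0.0.5 user=alice"]
    + [f"2024-05-01T{10 + (20 * i) // 60:02d}:{(20 * i) % 60:02d}:00 "
       f"EventCode=4625 src_ip=10.0.0.9 user=bob" for i in range(12)]
    + [f"2024-05-01T11:00:{s:02d} EventCode=4625 src_ip=10.0.0.7 user=user{s:02d}"
       for s in range(12)]
)


def parse_line(line):
    """Turn one key=value log line into a dict with a datetime under 'time'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.fromisoformat(ts)
    event["EventCode"] = int(event["EventCode"])
    return event


def detect_bursts(events, group_by, threshold, window):
    """Return {key: peak} for every group whose 4625 count inside any sliding
    `window` exceeds `threshold`. `group_by` names the fields to group on:
    ("src_ip", "user") mirrors the SPL's `stats count by src_ip, user`;
    ("src_ip",) catches a spray where each account fails only once."""
    times = defaultdict(list)
    for e in events:
        if e["EventCode"] == 4625:
            times[tuple(e[f] for f in group_by)].append(e["time"])
    hits = {}
    for key, ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:  # drop failures older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            hits[key] = peak
    return hits


def correlate_success(events, hits, group_by, within):
    """Escalate a hit when a 4624 success for the same key lands within
    `within` of the most recent failure: failures followed by a success is
    the signature of a brute force that worked."""
    by_key = defaultdict(list)
    for e in events:
        by_key[tuple(e[f] for f in group_by)].append(e)
    escalated = {}
    for key in hits:
        last_fail = None
        for e in sorted(by_key[key], key=lambda e: e["time"]):
            if e["EventCode"] == 4625:
                last_fail = e["time"]
            elif e["EventCode"] == 4624 and last_fail and e["time"] - last_fail <= within:
                escalated[key] = e["time"]
                break
    return escalated


def run_detection(lines, threshold=10, window_minutes=15, success_within_minutes=5):
    """Run both groupings plus the correlation step; returns a summary dict."""
    events = [parse_line(l) for l in lines]
    window = timedelta(minutes=window_minutes)
    per_user = detect_bursts(events, ("src_ip", "user"), threshold, window)
    per_source = detect_bursts(events, ("src_ip",), threshold, window)
    escalated = correlate_success(events, per_user, ("src_ip", "user"),
                                  timedelta(minutes=success_within_minutes))
    return {"per_user": per_user, "per_source": per_source, "escalated": escalated}


if __name__ == "__main__":
    result = run_detection(SAMPLE_LOGS)
    for key, n in result["per_user"].items():
        sev = "HIGH, success followed the failures" if key in result["escalated"] else "MEDIUM"
        print(f"brute force {key[1]} from {key[0]}: {n} failures in 15m -> {sev}")
    flagged_sources = {k[0] for k in result["per_user"]}
    for (src,), n in result["per_source"].items():
        if src not in flagged_sources:
            print(f"password spray from {src}: {n} failures across accounts -> MEDIUM")
    # bob never trips the 15-minute window; widening it catches slow guessing
    print("with a 4-hour window:", sorted(run_detection(SAMPLE_LOGS, window_minutes=240)["per_user"]))
```

With the default 15-minute window, only alice's burst trips the per-user rule and it is escalated because the 4624 arrives seven seconds after the last failure; the spray from 10.0.0.7 is invisible per user but shows up in the per-source count; bob's slow guessing only appears once the window is widened to four hours, which is the trade-off the basics section describes: a wide window catches slow attacks but also admits more benign typo clusters, so the threshold usually has to rise with it.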