Up next · Day 1: Introduction to the SOC. What a Security Operations Center is, why it exists, and how it delivers value.
Curriculum
W1 · SOC Foundations (7 days)
Mission, hierarchy, tools, security, networking, OS, frameworks

D01 · Introduction to the SOC (4 modules · 8 slides)
What a Security Operations Center is, why it exists, and how it delivers value
D02 · SOC Hierarchy & Roles (6 modules · 10 slides)
The 3-tier model, specialist roles, alert lifecycle, and shift handovers
D03 · SOC Tools Landscape (7 modules · 9 slides)
Every tool in the modern SOC stack — and why Splunk sits at the centre
D04 · Security Fundamentals (5 modules · 7 slides)
CIA triad, AAA, defense in depth, threat vs vulnerability vs risk
D05 · Networking for Defenders (5 modules · 8 slides)
TCP/IP, OSI, ports, protocols, DNS, TLS — and what to log
D06 · Operating System Logs (4 modules · 8 slides)
Windows Event Logs, Sysmon, Linux auth & auditd
D07 · ATT&CK & the Cyber Kill Chain (4 modules · 7 slides)
Threat frameworks that drive every modern detection program
W2 · Splunk Core (7 days)
Architecture, ingest, SPL, knowledge objects, dashboards, alerts

D08 · Splunk Architecture & Components (5 modules · 8 slides)
Indexers, search heads, forwarders, deployment server, license master
D09 · Data Onboarding & Parsing (4 modules · 6 slides)
props.conf, transforms.conf, sourcetypes, time extraction, field extraction
D10 · SPL — Search Processing Language (Beginner) (3 modules · 6 slides)
search · stats · table · top · rare · fields · sort · where
D11 · SPL — Advanced (eval · rex · lookup · tstats · transaction) (5 modules · 7 slides)
Power tools that turn an analyst into a hunter
D12 · Knowledge Objects (4 modules · 7 slides)
Fields, lookups, event types, tags, macros, data models
D13 · Dashboards & Visualizations (4 modules · 6 slides)
Build SOC dashboards with Studio, tokens, drilldowns, scheduled PDFs
D14 · Alerts, Reports & Saved Searches (4 modules · 6 slides)
Schedule, throttle, trigger conditions, alert actions
W3 · Admin + Enterprise Security (7 days)
Splunk admin, CIM, ES tour, Notables, Correlation, RBA, A&I

D15 · Splunk Admin Essentials (4 modules · 6 slides)
Roles, indexes, deployment server, monitoring console, license
D16 · CIM — Common Information Model (4 modules · 6 slides)
How Splunk normalizes every log into 25 standard data models
D17 · Splunk Enterprise Security — Tour (3 modules · 6 slides)
Every dashboard, every menu, every concept inside ES
D18 · Notable Events & Incident Review (4 modules · 6 slides)
The analyst's daily workspace
D19 · Correlation Searches (4 modules · 5 slides)
Author the rules that produce Notable Events
D20 · Risk-Based Alerting (RBA) (4 modules · 6 slides)
The modern paradigm — accumulate small risks into one notable
D21 · Threat Intel + Asset & Identity (4 modules · 6 slides)
Enrich every event with context — feeds, assets, identities
W4 · Detect & Respond (9 days)
Use cases, malware, phishing, hunting, IR, SOAR, cloud, capstone

D22 · Use Case Engineering (3 modules · 6 slides)
From threat hypothesis to production correlation search
D23 · Malware Investigation (3 modules · 5 slides)
From Sysmon alert to root cause and IOCs
D24 · Phishing Investigation (3 modules · 5 slides)
Trace from email → click → payload → C2
D25 · Threat Hunting (3 modules · 5 slides)
Hypothesis-driven proactive search across 24h+ of data
D26 · Incident Response Playbook (3 modules · 5 slides)
PICERL — Prepare, Identify, Contain, Eradicate, Recover, Lessons
D27 · SOAR Playbook Authoring (3 modules · 5 slides)
Automate the analyst — Splunk SOAR (Phantom)
D28 · Cloud & SaaS Detection (2 modules · 5 slides)
AWS, Azure/Entra ID, O365, Okta — modern attack surface
D29 · Metrics, KPIs & SOC Reporting (3 modules · 5 slides)
What the CISO actually wants to see
D30 · Capstone — End-to-End Incident (3 modules · 7 slides)
Phish → cred theft → VPN → PsExec → DNS exfil → ransomware