SOC Tools Landscape
Every tool in the modern SOC stack — and why Splunk sits at the centre
Learning Objectives
- Map the modern SOC technology stack
- Differentiate SIEM, EDR, NDR, SOAR, TIP, vulnerability management
- Understand integration patterns (API, syslog, agent, webhook)
- Know where Splunk Enterprise Security fits
Module 1 — SIEM — The Brain
Security Information & Event Management. Ingests, normalizes, correlates, alerts on logs from every source.
Industry leaders: Splunk Enterprise Security, Microsoft Sentinel, IBM QRadar, Google Chronicle, Elastic Security.
Splunk ES is the most-deployed enterprise SIEM and the focus of this course.
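The "normalizes, correlates" part of the SIEM's job, as an added example that is not Splunk code, SPL or any product's output: three constructed records in source-specific shapes (an email gateway verdict, an identity-provider sign-in, an EDR process alert) are mapped onto one schema and then chained by user inside a look-back window. The vendor-style field names, the users, hosts, IPs and the 30-minute window are all assumptions made for the illustration; in Splunk ES the same idea runs as normalized data plus a correlation search.

```python
"""Normalize-and-correlate example (added here; constructed data, not product output or SPL).
Field names imitate an email gateway, an identity provider and an EDR, but are assumptions."""
from datetime import datetime, timedelta, timezone

# Constructed raw events in three source-specific shapes.
EMAIL_EVENTS = [
    {"ts": "2024-03-04T09:00:00Z", "recipient": "j.doe@example.com", "verdict": "delivered",
     "subject": "Invoice overdue", "sender_domain": "example.net"},
]
IDENTITY_EVENTS = [
    {"published": "2024-03-04T09:07:30Z", "actor": {"alternateId": "j.doe@example.com"},
     "client": {"ipAddress": "203.0.113.45"}, "outcome": {"result": "SUCCESS"},
     "eventType": "user.session.start"},
    {"published": "2024-03-04T11:00:00Z", "actor": {"alternateId": "a.smith@example.com"},
     "client": {"ipAddress": "198.51.100.7"}, "outcome": {"result": "SUCCESS"},
     "eventType": "user.session.start"},
]
EDR_EVENTS = [
    {"timestamp": "2024-03-04T09:12:10Z", "ComputerName": "LAPTOP-17", "UserName": "EXAMPLE\\j.doe",
     "ProcessName": "powershell.exe", "Severity": "High", "Tactic": "Execution"},
    # Alert with no preceding mail for this user: must not become an incident.
    {"timestamp": "2024-03-04T11:05:00Z", "ComputerName": "LAPTOP-22", "UserName": "EXAMPLE\\a.smith",
     "ProcessName": "rundll32.exe", "Severity": "High", "Tactic": "Defense Evasion"},
]

WINDOW = timedelta(minutes=30)  # assumed look-back from the EDR alert


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def canonical_user(raw):
    """Reduce 'DOMAIN\\user', 'user@example.com' and 'user' to one lookup key.
    Without this step the three sources never join on the same principal."""
    user = raw.rsplit("\\", 1)[-1]   # drop Windows domain prefix
    user = user.split("@", 1)[0]     # drop UPN / email domain
    return user.lower()


def normalize(email, identity, edr):
    """Map each source's fields onto a common schema: time, source, user, plus a summary."""
    events = []
    for e in email:
        events.append({"time": parse_ts(e["ts"]), "source": "email",
                       "user": canonical_user(e["recipient"]), "verdict": e["verdict"],
                       "summary": f"mail '{e['subject']}' from {e['sender_domain']} ({e['verdict']})"})
    for e in identity:
        events.append({"time": parse_ts(e["published"]), "source": "identity",
                       "user": canonical_user(e["actor"]["alternateId"]),
                       "src_ip": e["client"]["ipAddress"],
                       "success": e["outcome"]["result"] == "SUCCESS",
                       "summary": f"{e['eventType']} from {e['client']['ipAddress']}"})
    for e in edr:
        events.append({"time": parse_ts(e["timestamp"]), "source": "edr",
                       "user": canonical_user(e["UserName"]), "host": e["ComputerName"],
                       "severity": e["Severity"],
                       "summary": f"{e['Severity']} {e['Tactic']}: {e['ProcessName']} on {e['ComputerName']}"})
    return sorted(events, key=lambda ev: ev["time"])


def correlate(events, window=WINDOW):
    """For each EDR alert, look back `window` for a delivered mail and a successful
    sign-in by the same canonical user; all three together raise one incident."""
    incidents = []
    for alert in (ev for ev in events if ev["source"] == "edr"):
        start = alert["time"] - window
        same_user = [ev for ev in events
                     if ev["user"] == alert["user"] and start <= ev["time"] <= alert["time"]]
        mail = [ev for ev in same_user if ev["source"] == "email" and ev["verdict"] == "delivered"]
        logins = [ev for ev in same_user if ev["source"] == "identity" and ev["success"]]
        if mail and logins:
            incidents.append({"user": alert["user"], "host": alert["host"],
                              "src_ips": sorted({ev["src_ip"] for ev in logins}),
                              "chain": [ev["summary"] for ev in mail + logins + [alert]]})
    return incidents


def run():
    return correlate(normalize(EMAIL_EVENTS, IDENTITY_EVENTS, EDR_EVENTS))


if __name__ == "__main__":
    for inc in run():
        print(inc["user"], inc["host"], inc["src_ips"])
        for step in inc["chain"]:
            print("  ->", step)
```

The interesting line is `canonical_user`: the EDR reports `EXAMPLE\j.doe`, the identity provider `j.doe@example.com`, and unless both collapse to the same key the correlation silently matches nothing. The second EDR alert shows the other failure mode, a single high-severity event that lacks the supporting email and sign-in context and therefore stays an alert rather than an incident.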
Module 2 — EDR — The Eyes on the Endpoint
Endpoint Detection & Response. Records every process, network connection, file write on hosts.
Leaders: CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, Carbon Black.
EDR alerts and telemetry feed directly into Splunk for correlation.
Module 3 — NDR — The Network Recorder
Network Detection & Response. Inspects east-west and north-south traffic for anomalies.
Tools: Zeek (open source), Corelight, Darktrace, ExtraHop, Suricata (IDS/IPS).
Module 4 — Email Security & Identity
Email gateway: Proofpoint, Mimecast, Microsoft Defender for O365 — phishing is still the #1 initial access vector.
Identity: Okta, Azure AD/Entra ID, Ping, Duo — sign-in logs, MFA, conditional access.
Module 5 — SOAR — The Hands
Security Orchestration, Automation & Response. Codifies analyst workflows into playbooks.
Leaders: Splunk SOAR (Phantom), Palo Alto Cortex XSOAR, Microsoft Sentinel Logic Apps.
Typical actions: enrich IP, lookup user, disable account, isolate host, block at firewall.
Module 6 — TIP & Vulnerability Mgmt
Threat Intel Platform: MISP, Anomali, Recorded Future — feeds Splunk's threat intel framework.
Vulnerability Management: Tenable, Qualys, Rapid7 — feeds asset criticality and patch context.
Module 7 — How Tools Talk to Splunk
- Universal Forwarder (lightweight Splunk agent on every host)
- Syslog (network devices, firewalls)
- API pull (cloud, SaaS — Okta, AWS, O365)
- HTTP Event Collector / HEC (custom apps, webhooks)
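The HEC path listed above, as an added example rather than Splunk's own code: a small client that wraps application events in HEC's JSON envelope (`time`, `host`, `source`, `sourcetype`, `index`, `event`), batches them into one POST to `/services/collector/event`, and authenticates with the `Authorization: Splunk <token>` header. The hostname, index and sourcetype names, the token placeholder and the sample webhook events are constructed for the illustration; port 8088 is the HEC default.

```python
"""Build a Splunk HTTP Event Collector (HEC) batch request. Added example, not Splunk code.
Assumes HEC is enabled on its default port 8088 and the token is in SPLUNK_HEC_TOKEN;
the hostname, index, sourcetype and sample events below are constructed placeholders."""
import json
import os
import urllib.request
from datetime import datetime, timezone

HEC_HOST = "splunk-hec.example.internal"          # placeholder, not a real host
HEC_URL = f"https://{HEC_HOST}:8088/services/collector/event"


def iso_to_epoch(ts):
    """HEC's 'time' field is epoch seconds (fractional allowed)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def hec_envelope(raw, *, host, source, sourcetype, index):
    """Wrap one application event in HEC's JSON envelope.
    'event' carries the payload; the remaining keys are HEC metadata Splunk indexes on."""
    return {
        "time": iso_to_epoch(raw["ts"]),  # if omitted, Splunk stamps the event at receipt time
        "host": host,
        "source": source,
        "sourcetype": sourcetype,         # drives field extraction on the Splunk side
        "index": index,                   # must be one the token is allowed to write to
        "event": {k: v for k, v in raw.items() if k != "ts"},
    }


def build_batch(raw_events, token, **meta):
    """Return (url, headers, body). HEC accepts several JSON objects in one POST body;
    one object per line keeps the batch readable when debugging."""
    body = "\n".join(json.dumps(hec_envelope(e, **meta)) for e in raw_events)
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    return HEC_URL, headers, body


def parse_batch(body):
    """Inverse of build_batch, useful for inspecting what would be sent."""
    return [json.loads(line) for line in body.split("\n") if line]


def send(url, headers, body, timeout=10):
    """POST the batch; HTTP 200 with {"text": "Success", "code": 0} means HEC accepted it."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


# Constructed sample events from a hypothetical in-house app (webhook payloads).
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:12:10Z", "action": "login_failed", "user": "j.doe", "src_ip": "203.0.113.45"},
    {"ts": "2024-03-04T09:12:14Z", "action": "login_failed", "user": "j.doe", "src_ip": "203.0.113.45"},
    {"ts": "2024-03-04T09:12:20Z", "action": "login_ok", "user": "j.doe", "src_ip": "203.0.113.45"},
]

if __name__ == "__main__":
    token = os.environ.get("SPLUNK_HEC_TOKEN", "00000000-0000-0000-0000-000000000000")  # placeholder
    url, headers, body = build_batch(SAMPLE_EVENTS, token, host="app01", source="payments-api",
                                     sourcetype="payments:audit", index="app_sec")
    print(url)
    print(body)
    # send(url, headers, body)   # enable only against a reachable HEC endpoint
```

Two defender-side details matter here: keep the token out of source (it is read from the environment), and set `sourcetype` deliberately, because that is what later field extraction, CIM normalization and correlation searches key on. Batching is also the norm for webhooks and custom apps, since one POST per event does not scale.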
Lab 3 — Design Your Stack
- For a 5,000-employee fintech, list every tool category needed.
- Pick a specific product per category (SIEM, EDR, NDR, SOAR, TIP, Email, Identity, VM).
- Sketch the data flow: which tools send to Splunk, and how (agent / syslog / API / HEC).
- Identify the 10 highest-value log sources to onboard first.
Key Takeaways
- ✓ SIEM is the brain; everything else feeds it
- ✓ Splunk integrates via UF, syslog, API, and HEC
- ✓ EDR + Identity + Email is the modern detection trifecta