WEEK_4 · DAY_30 · 1 HOUR
Capstone — End-to-End Incident
Phish → cred theft → VPN → PsExec → DNS exfil → ransomware
Learning Objectives
- Triage 10 connected Notable Events
- Reconstruct the full attack timeline
- Map every step to ATT&CK
- Produce IR report, IOCs, containment plan, 3 new detections
Module 1 — Scenario
Acme Fintech — 5,000 employees. At 12:00 you walk into your shift.
10 notable events landed in your queue between 12:04 and 12:55.
They tell ONE story.
Module 2 — Mission
Triage every notable. Connect them. Build the timeline. Map to ATT&CK. Recommend containment. Propose detection improvements.
Module 3 — Deliverables
1) IR timeline (10+ events, ordered).
2) ATT&CK mapping (8+ techniques).
3) IOC list (IPs, hashes, users, domains).
4) Containment plan (host isolate, account disable, FW block, SOAR playbook).
5) 3 new correlation searches with SPL.
SPL Queries
Capstone — risk by entity
index=risk earliest=-24h | stats sum(risk_score) as total values(search_name) as contributing by risk_object | where total > 100 | sort - total
// Surfaces the entities most involved in the chain.
Lab 30 — CAPSTONE
- Open Splunk ES → Incident Review (10 notables loaded).
- Triage every notable. Read the SPL. Read the detail.
- Order them on a timeline. They span 12:04 → 12:55.
- Map each to ATT&CK.
- Build the kill chain narrative: phish → exec → C2 → priv esc → lateral → exfil → ransom.
- Produce: IR report (1 page), IOC list, containment plan, 3 new detections (with SPL).
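The following is an added worked example, not part of the original lab or of Splunk ES. It models, offline in Python, what the "risk by entity" SPL above does (sum risk_score per risk_object, keep totals over 100, list the contributing searches, sort descending) and then rolls the same ten notables into the lab's other deliverables: an ordered timeline, the ATT&CK mapping, and a typed IOC list. The ten events, their times, scores, entity names, IP addresses, domains and the hash placeholder are all constructed for the example; the technique IDs are public ATT&CK identifiers chosen to match each stage of the chain the scenario names.

```python
"""Offline model of the capstone triage: the risk-by-entity aggregation
the SPL performs, plus timeline, ATT&CK and IOC roll-ups over ten
constructed notable events (example data, not real Splunk output)."""
from collections import defaultdict

# Constructed risk events shaped like index=risk rows: one row per notable,
# each attributing a risk_score to exactly one risk_object. Entity names,
# IPs (documentation ranges), domains and the hash value are all made up.
RISK_EVENTS = [
    {"time": "12:04", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 25, "search_name": "Phishing attachment opened",
     "technique": "T1566", "iocs": {"domain": "invoice-update.example"}},
    {"time": "12:09", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 30, "search_name": "Office macro spawned PowerShell",
     "technique": "T1059.001", "iocs": {"hash": "CONSTRUCTED_SHA256_PLACEHOLDER"}},
    {"time": "12:15", "risk_object": "WS-1042", "risk_object_type": "system",
     "risk_score": 25, "search_name": "Beacon to newly seen external IP",
     "technique": "T1071", "iocs": {"ip": "198.51.100.23"}},
    {"time": "12:21", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 50, "search_name": "LSASS memory access by non-system process",
     "technique": "T1003.001"},
    {"time": "12:27", "risk_object": "svc_admin", "risk_object_type": "user",
     "risk_score": 30, "search_name": "VPN login from unusual geography",
     "technique": "T1078", "iocs": {"ip": "203.0.113.45"}},
    {"time": "12:33", "risk_object": "FS-01", "risk_object_type": "system",
     "risk_score": 40, "search_name": "PsExec service installed remotely",
     "technique": "T1569.002"},
    {"time": "12:38", "risk_object": "FS-01", "risk_object_type": "system",
     "risk_score": 25, "search_name": "Admin share access from workstation",
     "technique": "T1021.002"},
    {"time": "12:44", "risk_object": "FS-01", "risk_object_type": "system",
     "risk_score": 45, "search_name": "Burst of DNS TXT queries to one domain",
     "technique": "T1048.003", "iocs": {"domain": "exfil.example.net"}},
    {"time": "12:50", "risk_object": "FS-01", "risk_object_type": "system",
     "risk_score": 60, "search_name": "Mass file rename to ransomware extension",
     "technique": "T1486"},
    {"time": "12:55", "risk_object": "FS-01", "risk_object_type": "system",
     "risk_score": 50, "search_name": "Volume shadow copies deleted",
     "technique": "T1490"},
]


def risk_by_entity(events, threshold=100):
    """Python equivalent of:
    stats sum(risk_score) as total values(search_name) as contributing
      by risk_object | where total > threshold | sort - total"""
    totals = defaultdict(int)
    contributing = defaultdict(set)
    for e in events:
        totals[e["risk_object"]] += e["risk_score"]
        contributing[e["risk_object"]].add(e["search_name"])
    rows = [{"risk_object": obj, "total": total,
             "contributing": sorted(contributing[obj])}
            for obj, total in totals.items() if total > threshold]
    return sorted(rows, key=lambda r: r["total"], reverse=True)


def build_timeline(events):
    """Deliverable 1: notables ordered by time (HH:MM sorts lexically)."""
    return [(e["time"], e["risk_object"], e["search_name"], e["technique"])
            for e in sorted(events, key=lambda e: e["time"])]


def attack_mapping(events):
    """Deliverable 2: unique ATT&CK technique IDs in order of first appearance."""
    seen = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["technique"] not in seen:
            seen.append(e["technique"])
    return seen


def collect_iocs(events):
    """Deliverable 3: IOC values grouped by type (user, host, ip, hash, domain)."""
    out = defaultdict(set)
    for e in events:
        kind = "user" if e["risk_object_type"] == "user" else "host"
        out[kind].add(e["risk_object"])
        for ioc_type, value in e.get("iocs", {}).items():
            out[ioc_type].add(value)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for row in risk_by_entity(RISK_EVENTS):
        print(row["risk_object"], row["total"], row["contributing"])
    for entry in build_timeline(RISK_EVENTS):
        print(*entry)
    print(attack_mapping(RISK_EVENTS))
    print(collect_iocs(RISK_EVENTS))
```

Note what the threshold does to the story: only FS-01 (220) and jdoe (105) clear 100, so the risk view surfaces the file server and the phished user but hides WS-1042 and svc_admin, whose single notables sit below the bar. The timeline and IOC roll-ups are what connect those quieter entities (the beaconing workstation, the VPN login) back into the one chain, which is why the lab asks for all four deliverables rather than the risk table alone.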
Key Takeaways
- ✓ You have triaged, hunted, and responded across the full chain
- ✓ You can author detections, build dashboards, and run an IR
- ✓ You are SOC-ready