CNIT 50: Network Security Monitoring

Spring 2019 Sam Bowne

Sat 1:10-4:00 PM SCIE 37 CRN 39269

Schedule · Quizzes · Lecture Notes · Projects · Links · Home Page


Learn modern, powerful techniques to inspect and analyze network traffic, so you can quickly detect abuse and attacks and respond to them. This class covers the configuration and use of Splunk, the industry standard for network security monitoring. This class helps to prepare for Splunk Core Certified User certification.

Advisory: CNIT 106 and 120, or comparable understanding of networking and security concepts.

Course Justification

Firewalls and antivirus are not enough to protect modern computer networks--abuse and attacks are common and cannot be prevented. Instead, networks are now monitored to detect security incidents, and security teams respond to them to limit the harm they cause. This class prepares students for jobs in monitoring and incident response, providing skills that are in high demand. This course is part of the Advanced Cybersecurity Certificate.


There is no textbook for this class. Instead, we will use this free online course:

Splunk Fundamentals 1

Quizzes and Canvas

The quizzes are multiple-choice, online, and open-book. They are hosted on my Canvas server, along with the project scores. Study the textbook chapter and take the quiz before that class. Each quiz is due 30 min. before class. Each quiz has 5 questions, you have ten minutes to take it, and you can make two attempts.

To access the quizzes:

  • Go to
  • If you've taken one of my classes previously, you should already have an account on this Canvas server (it's NOT the usual CCSF Canvas system). Otherwise, create a new account.
  • You should see the quizzes, as shown below.
  • Questions? Email
To reset your password, go to:

To access the course after you have enrolled, go to:

Live Streaming

You can attend class remotely using Zoom at

The lectures start at 1:10 PM California time on Saturdays.

Classes will also be recorded and published on YouTube for later viewing.


Date Due Topic

Sat 1-19  1 - What is Machine Data
2 - What is Splunk
3 - Installing Splunk
4 - Getting Data In

Sat 2-9 Quizzes 1-2, 3-4, 5, 6
Mod 3-5 due

5 - Basic Searching
6 - Using Fields


Sat 3-9 Mod 6 & 8 due 7 - Best Practices
8 - SPL Fundamentals
9 - Transforming Commands

Sat 3-16 Quizzes 7-8, 9, 10, 11-12
Mod 9-11 due
10 - Reports and Dashboards
11 - Pivot and Datasets
12 - Lookups

Sat 4-6 Quiz 13
Mod 12 due

Purple 1: Drupal, Splunk, and Suricata

13 - Scheduled Reports and Alerts

Sat 4-27  CTF Competition in SCIE 37

Wed 5-15 -  
Wed 5-22
Final Exam available online throughout the week.
You can only take it once.

* Quizzes due 30 min. before class
No penalty for late work in this class



To access course materials,
including videos, lab instructions, and
review quizzes, register at this site:

Enrolling in the Online Splunk Class

1 - What is Machine Data
2 - What is Splunk
3 - Installing Splunk
4 - Getting Data In
5 - Basic Searching
6 - Using Fields
7 - Best Practices
8 - SPL Fundamentals
9 - Transforming Commands
10 - Reports and Dashboards
11 - Pivot and Datasets
12 - Lookups
13 - Scheduled Reports and Alerts

Archived class materials (restricted access)


Mod 3 & 4 (20 pts) *
Mod 5 (10 pts)
Mod 6 (10 pts)
Mod 8 (10 pts) *
Mod 9 (10 pts) *
Mod 10 (10 pts) *
Mod 11 (10 pts) *
Mod 12 (10 pts) *

Extra Credit

Splunk Authentication

My public Splunk server now runs Splunk Free.

Use a username and password of student1

Proj 1x: BOSS OF THE SOC: Finding Attack Servers (35 pts)
Proj 2x: BOSS OF THE SOC: Identifying Threat Actors (50 pts)
Proj 3x: BOSS OF THE SOC: Using Sysmon and Stream (50 pts)

Purple 1: Drupal, Splunk, and Suricata (35 pts)

* Score goes directly into Canvas



Get started with Search - Splunk Documentation
Splunk and the ELK Stack: A Side-by-Side Comparison
What on earth is 'Splunk' -- and why does it pay so much? (from 2017)
Splunk in 2 Charts: 85 of the Fortune 100 companies use Splunk (from 2017)
Splunk Core Certified User Test Blueprint

New Unsorted Links

Splunk Certification Flashcards | Quizlet
The Windows Logging Cheat Sheet
delete - Splunk Documentation
ATT&CKized Splunk - Threat Hunting with MITRE's ATT&CK using Splunk
Securing Splunkweb (Free version) -- THIS WORKS
2020-03-06: Statement by a quarantined nurse from a northern California Kaiser facility
Splunk Certification Pathway (2022)
Free Training Courses | Splunk
Configure a Splunk asset in Splunk SOAR to pull data from the Splunk platform - Splunk Documentation
About Splunk App for SOAR Export - Splunk Documentation
The Essential Guide to Security | Splunk -- SECURITY JOURNEY PDF
Overview of the Splunk Common Information Model - Splunk Documentation
Splunk Security Essentials Explained—Splunk Cloud SecOps Webinar Series - YouTube
Splunk Security Schooling With Static Datasets For Budding Blue Teamers
GitHub - splunk/attack_data: A repository of curated datasets from various attacks
Blue Team Labs Online - Cyber Range

Last Updated: 5-17-19