CNIT 50: Network Security Monitoring

Spring 2019 Sam Bowne

Sat 1:10-4:00 PM SCIE 37 CRN 39269

Schedule · Quizzes · Lecture Notes · Projects · Links · Home Page

Description

Learn modern, powerful techniques to inspect and analyze network traffic, so you can quickly detect abuse and attacks and respond to them. This class covers the configuration and use of Splunk, the industry standard for network security monitoring. This class helps to prepare for Splunk Core Certified User certification.

Advisory: CNIT 106 and 120, or comparable understanding of networking and security concepts.

Course Justification

Firewalls and antivirus are not enough to protect modern computer networks--abuse and attacks are common and cannot be prevented. Instead, networks are now monitored to detect security incidents, and security teams respond to them to limit the harm they cause. This class prepares students for jobs in monitoring and incident response, providing skills that are in high demand. This course is part of the Advanced Cybersecurity Certificate.

Textbook

There is no textbook for this class. Instead, we will use this free online course:

Splunk Fundamentals 1

Quizzes and Canvas

The quizzes are multiple-choice, online, and open-book. They are hosted on my Canvas server, along with the project scores. Study the textbook chapter and take the quiz before that class. Each quiz is due 30 min. before class. Each quiz has 5 questions, you have ten minutes to take it, and you can make two attempts.

To access the quizzes:

  • Go to https://canvas.instructure.com/enroll/GDMX8C
  • If you've taken one of my classes previously, you should already have an account on this Canvas server (it's NOT the usual CCSF Canvas system). Otherwise, create a new account.
  • You should see the quizzes, as shown below.
  • Questions? Email CNIT.50sam@gmail.com
To reset your password, go to: https://canvas.instructure.com/login/canvas

To access the course after you have enrolled, go to: https://canvas.instructure.com/courses/1509793

Live Streaming

You can attend class remotely using Zoom at https://zoom.us/j/4108472927

The lectures start at 1:10 PM California time on Saturdays.

Classes will also be recorded and published on YouTube for later viewing.

Schedule

Date Due Topic

Sat 1-19  1 - What is Machine Data
2 - What is Splunk
3 - Installing Splunk
4 - Getting Data In


Sat 2-9 Quizzes 1-2, 3-4, 5, 6
Mod 3-5 due

5 - Basic Searching
6 - Using Fields


Sat 2-23 CLASS POSTPONED TO 3-9

Sat 3-9 Mod 6 & 8 due 7 - Best Practices
8 - SPL Fundamentals
9 - Transforming Commands


Sat 3-16 Quizzes 7-8, 9, 10, 11-12
Mod 9-11 due
10 - Reports and Dashboards
11 - Pivot and Datasets
12 - Lookups


Sat 4-6 Quiz 13
Mod 12 due

Purple 1: Drupal, Splunk, and Suricata

13 - Scheduled Reports and Alerts


Sat 4-27  CTF Competition in SCIE 37

Wed 5-15 -  
Wed 5-22
Final Exam available online throughout the week.
You can only take it once.

* Quizzes due 30 min. before class
No penalty for late work in this class

Lectures

Policy

To access course materials,
including videos, lab instructions, and
review quizzes, register at this site:

Enrolling in the Online Splunk Class

1 - What is Machine Data
2 - What is Splunk
3 - Installing Splunk
4 - Getting Data In
5 - Basic Searching
6 - Using Fields
7 - Best Practices
8 - SPL Fundamentals
9 - Transforming Commands
10 - Reports and Dashboards
11 - Pivot and Datasets
12 - Lookups
13 - Scheduled Reports and Alerts

Archived class materials (restricted access)

Projects

Mod 3 & 4 (20 pts) *
Mod 5 (10 pts)
Mod 6 (10 pts)
Mod 8 (10 pts) *
Mod 9 (10 pts) *
Mod 10 (10 pts) *
Mod 11 (10 pts) *
Mod 12 (10 pts) *

Extra Credit

Splunk Authentication

My public Splunk server now runs Splunk Free.

Use a username and password of student1

Proj 1x: BOSS OF THE SOC: Finding Attack Servers (35 pts)
Proj 2x: BOSS OF THE SOC: Identifying Threat Actors (50 pts)
Proj 3x: BOSS OF THE SOC: Using Sysmon and Stream (50 pts)

Purple 1: Drupal, Splunk, and Suricata (35 pts)

* Score goes directly into Canvas

Links

SPLUNK CERTIFICATION Candidate Handbook

Get started with Search - Splunk Documentation
Splunk and the ELK Stack: A Side-by-Side Comparison
What on earth is 'Splunk' -- and why does it pay so much? (from 2017)
Splunk in 2 Charts: 85 of the Fortune 100 companies use Splunk (from 2017)
Splunk Core Certified User Test Blueprint

New Unsorted Links

Splunk Certification Flashcards | Quizlet
The Windows Logging Cheat Sheet
delete - Splunk Documentation
ATT&CKized Splunk - Threat Hunting with MITRE's ATT&CK using Splunk
Securing Splunkweb (Free version) -- THIS WORKS

Last Updated: 5-17-19