CNIT 50: Network Security Monitoring

Spring 2025 Sam Bowne

Sat 11:00-2:30 pm CRN 35904 MUB 230

Schedule · Projects · Links · Grading

Use Twitch


To attend class:
https://twitch.tv/sambowne

Description

Learn modern, powerful techniques to inspect and analyze network traffic, so you can quickly detect abuse and attacks and respond to them. This class covers the configuration and use of Splunk, the industry standard for network security monitoring. This class helps to prepare for Splunk Core Certified User certification.

Advisory: CNIT 106 and 120, or comparable understanding of networking and security concepts.

Course Justification

Firewalls and antivirus are not enough to protect modern computer networks--abuse and attacks are common and cannot be prevented. Instead, networks are now monitored to detect security incidents, and security teams respond to them to limit the harm they cause. This class prepares students for jobs in monitoring and incident response, providing skills that are in high demand. This course is part of the Advanced Cybersecurity Certificate.

Textbook

There is no textbook for this class.

Instead, we will use free online materials from Splunk, available at this link with a username and password provided by your instructor:

Splunk Class Materials

Quizzes

The quizzes are multiple-choice, online, and open-book. However, you may not ask other people to help you during the quizzes. Each quiz is due 30 min. before class. Each quiz has 5 questions, you have ten minutes to take it, and you can make two attempts. If you take the quiz twice, the higher score counts.

Don't use CCSF's Canvas system for this class. Instead, all students should use this Canvas server:

Email

For class-related questions, please send messages inside Canvas or email
cnit.50sam@gmail.com

Schedule

Date Due Topic

Sat 1-18  Modules 1-4

1 - What is Machine Data
2 - What is Splunk
3 - Installing Splunk
4 - Getting Data In

Demo: Mod 3-4


Thu 1-25 Quizzes 1-2, 3-4, 5, 6
Mod 3-5 Proj due

Modules 5-6

5 - Basic Searching
6 - Using Fields

Demos: Mods 5, 6, & 8 and BoTS Part 1


Sat 2-1 Mod 6 & 8 Proj due Modules 7-9

7 - Best Practices
8 - SPL Fundamentals
9 - Transforming Commands Demo: BoTS Part 2


Sat 2-8 Quizzes 7-8, 9, 10, 11-12  
Mod 9-10 Proj due
Modules 10-11

10 - Reports and Dashboards
11 - Pivot and Datasets
12 - Creating Lookups
Demo: BoTS Part 3


Sat 2-15 Holiday -- No Class

Sat 3-1 Quiz 13
Mod 11-12 Proj due
Mod 13
Demo: BoTS Part 4

Sat 3-8 LAST CLASS
No new material

Sun 3-9 -  
Fri 3-14
Final Exam available online
You can only take it once.

* Quizzes due 30 min. before class

Lectures

Class materials (restricted access)

1 - What is Machine Data
2 - What is Splunk
3 - Installing Splunk
4 - Getting Data In
5 - Basic Searching
6 - Using Fields
7 - Best Practices
8 - SPL Fundamentals
9 - Transforming Commands
10 - Reports and Dashboards
11 - Pivot and Datasets
12 - Lookups
13 - Scheduled Reports and Alerts

Projects

Mod 3 & 4 (20 pts)

The projects below refer to the exercises in the
Class materials (restricted access)

Mod 5 (10 pts)
Mod 6 (10 pts)
Mod 8 (10 pts)
Mod 9 (10 pts)
Mod 10 (10 pts)
Mod 11 (10 pts)
Mod 12 (10 pts)

Boss of the SOC Project Submission

This project has its own CTF scoreboard.

Boss of the SOC v1: Threat Hunting with Splunk (325 pts extra)

Links

SPLUNK CERTIFICATION Candidate Handbook

Get started with Search - Splunk Documentation
Splunk and the ELK Stack: A Side-by-Side Comparison
What on earth is 'Splunk' -- and why does it pay so much? (from 2017)
Splunk in 2 Charts: 85 of the Fortune 100 companies use Splunk (from 2017)
Splunk Core Certified User Test Blueprint

New Unsorted Links

Splunk Certification Flashcards | Quizlet
The Windows Logging Cheat Sheet
delete - Splunk Documentation
ATT&CKized Splunk - Threat Hunting with MITRE's ATT&CK using Splunk
Securing Splunkweb (Free version) -- THIS WORKS
2020-03-06: Statement by a quarantined nurse from a northern California Kaiser facility
Splunk Certification Pathway (2022)
Free Training Courses | Splunk
Configure a Splunk asset in Splunk SOAR to pull data from the Splunk platform - Splunk Documentation
About Splunk App for SOAR Export - Splunk Documentation
The Essential Guide to Security | Splunk -- SECURITY JOURNEY PDF
Overview of the Splunk Common Information Model - Splunk Documentation
Splunk Security Essentials Explained—Splunk Cloud SecOps Webinar Series - YouTube
Splunk Security Schooling With Static Datasets For Budding Blue Teamers
GitHub - splunk/attack_data: A repository of curated datasets from various attacks
Blue Team Labs Online - Cyber Range

Last Updated: 11-16-24