Splunk SIEM & SOAR — SOC Analyst Track

From SPL to Risk-Based Alerting. Splunk Enterprise + Splunk ES + Splunk SOAR — built for SOC L2 / L3 engineers.

📚 14 Modules · ⏱ 40 Hours · 🧪 Hands-on Labs · 🏆 SPLK-1003 + 3001 Aligned

Who Is This For

  • SOC L1 / L2 analysts upgrading to L3 / detection engineering
  • Engineers running Splunk Enterprise on-prem or in cloud
  • SOAR engineers writing playbooks
  • SPLK-1003 / SPLK-3001 candidates

Prerequisites

  • SOC fundamentals — alerts, incidents, MITRE ATT&CK
  • Some Linux CLI exposure

Full Syllabus — 14 Modules

Module 1: Splunk Architecture & Components
  • Indexer, Search Head, Forwarder roles
  • Distributed search
  • Splunk Cloud vs Enterprise
  • Index time vs search time

Module 2: Data Onboarding & Forwarders
  • Universal Forwarder, Heavy Forwarder
  • props.conf, transforms.conf
  • Sourcetypes, source, host fields
  • HEC (HTTP Event Collector)

Module 3: Indexes, Buckets & Retention
  • Index design
  • Hot / Warm / Cold / Frozen buckets
  • Retention policies
  • SmartStore basics

Module 4: SPL — Search Processing Language
  • Basic search syntax
  • stats, eval, where, top, rare
  • Time modifiers, subsearches
  • Lookups & KV Store

Module 5: Field Extraction & Parsing
  • Auto extraction vs manual
  • The rex command (regex-based field extraction)
  • Field aliases & calculated fields
  • Tags & event types

Module 6: Dashboards & Visualizations
  • Classic dashboards (XML)
  • Dashboard Studio
  • Drill-down, tokens
  • Sharing & permissions

Module 7: Alerts & Reports
  • Scheduled vs real-time alerts
  • Throttle, suppress
  • Alert actions — email, webhook, script
  • Reports & pivots

Module 8: Splunk ES — Enterprise Security
  • ES architecture & CIM
  • Data models and data model acceleration
  • Notable events & risk objects
  • Incident Review workflow

Module 9: Correlation Searches & RBA
  • Correlation search authoring
  • Risk-Based Alerting (RBA)
  • Risk modifiers
  • Tuning false positives

Module 10: MITRE ATT&CK Mapping
  • ATT&CK on Splunk dashboards
  • Detections per tactic / technique
  • Coverage gap analysis
  • Threat-informed defense

Module 11: Splunk SOAR — Playbooks
  • SOAR architecture
  • Playbook builder & visual editor
  • Common playbooks — phishing, malware, brute force
  • Apps & Assets

Module 12: Threat Hunting
  • Hunt hypothesis methodology
  • Lateral movement, persistence, exfil hunts
  • Behavioral baselining
  • Threat Intel enrichment

Module 13: Real-World SOC Use Cases
  • Phishing chain investigation
  • Insider exfil detection
  • Ransomware kill chain
  • Cloud audit log abuse

Module 14: Cert Path & Interview Prep
  • SPLK-1003 (Splunk Admin)
  • SPLK-3001 (ES Certified Admin)
  • SOC L2 / L3 interview question bank

What You Get

  • 40 Hours: live + recorded sessions covering Splunk Enterprise + ES + SOAR.
  • Hands-on Labs: Splunk Enterprise free trial + sample data — write SPL, build dashboards and alerts.
  • Real Case Studies: phishing chain, ransomware kill chain, insider exfil, RBA tuning.
  • Interview Q&A: SOC L2 / L3 question bank.
  • Certificate: Techclick Infosec course completion certificate.
  • WhatsApp Group: doubt-clearing batch group with the trainer.

Your Instructor

Trained by working senior cloud and network security engineers with 13+ years of hands-on enterprise experience across Splunk, SIEM operations, detection engineering and large-scale SOC builds.

FAQ

Q1: Hands-on labs?

Yes — the Splunk Enterprise free trial with sample data lets you write SPL, build dashboards, and run correlation searches.

Q2: Splunk vs Sentinel?

Take both for full SOC vendor coverage. Splunk dominates large enterprise; Sentinel dominates Microsoft shops.

Q3: Cert path?

SPLK-1003 (Splunk Admin) and SPLK-3001 (ES Certified Admin). Module 14 walks through both exam blueprints.

Q4: Duration?

About 40 hours over 5–6 weeks.

Q5: Placement help?

CV review and interview prep. SOC L2 / L3 demand is high.

Master the SOC analyst's favorite SIEM.

Talk to us about the next batch.