analyzing-security-logs-with-splunk

Featured

Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents through log correlation, timeline reconstruction, and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and authentication data analysis. Activates for requests involving Splunk investigation, SPL queries, SIEM log analysis, security event correlation, or log-based incident investigation.

AI & Automation · 12,642 stars · 1,468 forks · Updated today · Apache-2.0


Quality Score: 99/100

| Factor | Weight | Score |
|---|---|---|
| Stars | 20% | 100 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Analyzing Security Logs with Splunk

## When to Use

- Investigating a security incident that requires correlation across multiple log sources
- Hunting for adversary activity using known TTPs and IOCs
- Building detection rules for specific attack patterns
- Reconstructing an incident timeline from disparate log sources
- Analyzing authentication anomalies, lateral movement, or data exfiltration patterns

**Do not use** for real-time packet-level analysis; use Wireshark or Zeek for full packet capture analysis.

## Prerequisites

- Splunk Enterprise or Splunk Cloud with the Enterprise Security (ES) app installed
- Log sources ingested: Windows Event Logs (via Splunk Universal Forwarder or WEF), firewall, proxy, DNS, EDR, email gateway
- Splunk CIM (Common Information Model) data models configured for normalized field names
- SPL proficiency at intermediate level or higher
- Role-based access with `search` and `accelerate_search` capabilities in Splunk

## Workflow

### Step 1: Scope the Investigation in Splunk

Define search parameters based on incident triage data:

````spl
``` Set initial investigation scope ```
index=windows OR index=firewall OR index=proxy
earliest="2025-11-14T00:00:00" latest="2025-11-16T00:00:00"
(host="WKSTN-042" OR src_ip="10.1.5.42" OR user="jsmith")
| stats count by index, sourcetype, host
| sort -count
````

This query establishes which log sources contain relevant data for the investigation timeframe and the affected assets.

### Step 2: Analyze Authentica...
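The Step 1 scoping query only counts events per index, sourcetype and host. The natural next step, and one of the use cases listed under "When to Use", is to lay the same scoped events out as a single timeline so that Windows, firewall and proxy activity around the triage indicators can be read in order. The query below is an added example written for this page, not code from the skill or its repository. It reuses the pivot values and time window from Step 1 and assumes the indexes are CIM-normalized, so `EventCode`, `action`, `dest_ip`, `dest_port`, `http_method`, `url` and `status` are assumed field names that may differ in a given deployment.

```spl
index=windows OR index=firewall OR index=proxy
earliest="2025-11-14T00:00:00" latest="2025-11-16T00:00:00"
(host="WKSTN-042" OR src_ip="10.1.5.42" OR user="jsmith")
| eval pivot=case(host="WKSTN-042" AND user="jsmith", "host+user",
                  host="WKSTN-042", "host",
                  src_ip="10.1.5.42", "src_ip",
                  user="jsmith", "user",
                  true(), "none")
| eval summary=case(
    index="windows",  "EventCode=".coalesce(EventCode,"?")." user=".coalesce(user,"-"),
    index="firewall", coalesce(action,"?")." ".coalesce(src_ip,"-")." -> ".coalesce(dest_ip,"-").":".coalesce(dest_port,"-"),
    index="proxy",    coalesce(http_method,"?")." ".coalesce(url,"-")." status=".coalesce(status,"-"),
    true(), "unparsed")
| table _time index sourcetype host pivot summary
| sort 0 _time
```

The `pivot` column records which triage indicator matched each row, so events that touch both the workstation and the user account (for example an interactive logon by `jsmith` on `WKSTN-042`) stand out from events matched on a single indicator. `sort 0 _time` removes the default 10,000-row sort limit so a two-day window is not silently truncated. To look for volume anomalies rather than read events individually, replace the `table` and `sort` commands with `| bin _time span=1h | stats count by _time, index`, which turns the same scope into an hourly count per source that can be charted for spikes.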

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

analyzing-windows-event-logs-in-splunk

Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege escalation, persistence mechanisms, and lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC analysts need to investigate Windows-based threats, build detection queries, or perform forensic timeline analysis of Windows endpoints and domain controllers.

12,642 Updated today
mukul975
AI & Automation Featured

performing-log-analysis-for-forensic-investigation

Collect, parse, and correlate system, application, and security logs to reconstruct events and establish timelines during forensic investigations.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-lateral-movement-with-splunk

Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs, SMB traffic, and remote service abuse.

12,642 Updated today
mukul975
AI & Automation Featured

triaging-security-alerts-in-splunk

Triages security alerts in Splunk Enterprise Security by classifying severity, investigating notable events, correlating related telemetry, and making escalation or closure decisions using SPL queries and the Incident Review dashboard. Use when SOC analysts face queued alerts from correlation searches, need to prioritize investigation order, or must document triage decisions for handoff to Tier 2/3 analysts.

12,642 Updated today
mukul975
AI & Automation Solid

log-analysis-security

Execute log analysis security operations. Auto-activating skill for Security Advanced. Triggers on: log analysis security, log analysis security Part of the Security Advanced skill category. Use when working with log analysis security functionality. Trigger with phrases like "log analysis security", "log security", "log".

2,266 Updated today
jeremylongshore