Splunk investigation walkthrough

What?

An investigation in Splunk, using the Cyber Kill Chain as the framework.

A guided approach to analyzing security incidents in Splunk, structured around the Cyber Kill Chain (CKC), a model that breaks an attack into stages (reconnaissance, delivery, exploitation, installation, command and control, lateral movement, exfiltration). Working stage by stage helps trace an attacker's steps methodically instead of chasing isolated alerts.

Why?

  • See the full attack story: Map Splunk logs to each kill chain stage to understand how the breach happened.

  • Prioritize evidence: Focus on critical phases (like lateral movement or data exfiltration).

  • Speak the language of defenders: CKC is widely used in IR reports and threat intel sharing.

How?

Tip: Start with the end goal (e.g., "data stolen") and work backward through the kill chain: anchor on the last known event, then look for the most recent evidence of each earlier stage. It is often faster than reading the timeline forward.
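As an added illustration of the two ideas above (tagging Splunk events with a kill chain stage, then walking backward from the end goal), here is a small Python script that is not part of the original walkthrough. The event field names (sourcetype, direction, bytes_out, logon_type, parent/process) and the classification rules are assumptions modelled on common CIM-style fields, and the events are constructed sample data, not real logs.

```python
# Ordered Cyber Kill Chain stages used by the walkthrough.
STAGES = ["recon", "delivery", "exploitation", "installation",
          "command_and_control", "lateral_movement", "exfiltration"]

def classify(e):
    """Map one Splunk-style event to a kill chain stage, or None if it is not indicative.
    The rules and field names below are assumptions for this example."""
    st = e.get("sourcetype")
    if st == "firewall" and e.get("direction") == "inbound" and e.get("action") == "blocked":
        return "recon"                     # blocked inbound probes
    if st == "mail" and e.get("has_attachment"):
        return "delivery"                  # inbound mail carrying an attachment
    if st == "endpoint" and e.get("parent") == "winword.exe" and e.get("process") == "powershell.exe":
        return "exploitation"              # Office spawning a shell
    if st == "endpoint" and e.get("event") == "service_created":
        return "installation"              # persistence via a new service
    if st == "proxy" and e.get("category") == "uncategorized":
        return "command_and_control"       # traffic to an uncategorized site
    if st == "auth" and e.get("logon_type") == 3 and e.get("src") != e.get("dest"):
        return "lateral_movement"          # network logon to another host
    if st == "firewall" and e.get("direction") == "outbound" and e.get("bytes_out", 0) > 50_000_000:
        return "exfiltration"              # large outbound transfer
    return None

def trace_backward(events, goal="exfiltration"):
    """Start from the latest event of the goal stage and walk back in time,
    keeping the most recent qualifying event for each earlier stage."""
    tagged = sorted(((e["_time"], classify(e), e) for e in events), key=lambda t: t[0])
    tagged = [t for t in tagged if t[1] is not None]
    goal_hits = [t for t in tagged if t[1] == goal]
    if not goal_hits:
        return []
    chain, anchor = [goal_hits[-1]], goal_hits[-1][0]
    for stage in reversed(STAGES[:STAGES.index(goal)]):
        earlier = [t for t in tagged if t[1] == stage and t[0] < anchor]
        if earlier:                        # a missing stage is simply skipped
            chain.append(earlier[-1])
            anchor = earlier[-1][0]
    return [(stage, e.get("host") or e.get("src"), ts) for ts, stage, e in chain]

# Constructed sample events (ISO timestamps sort lexicographically); not real log data.
EVENTS = [
    {"_time": "2025-05-10T08:00:00", "sourcetype": "firewall", "direction": "inbound", "action": "blocked", "host": "fw1"},
    {"_time": "2025-05-10T09:10:00", "sourcetype": "mail", "has_attachment": True, "host": "mx1"},
    {"_time": "2025-05-10T09:25:00", "sourcetype": "endpoint", "parent": "winword.exe", "process": "powershell.exe", "host": "ws-17"},
    {"_time": "2025-05-10T09:26:00", "sourcetype": "endpoint", "event": "service_created", "host": "ws-17"},
    {"_time": "2025-05-10T09:40:00", "sourcetype": "proxy", "category": "uncategorized", "host": "ws-17"},
    {"_time": "2025-05-10T11:00:00", "sourcetype": "auth", "logon_type": 3, "src": "ws-17", "dest": "fs-02", "host": "fs-02"},
    {"_time": "2025-05-10T11:05:00", "sourcetype": "auth", "logon_type": 2, "src": "ws-03", "dest": "ws-03", "host": "ws-03"},
    {"_time": "2025-05-10T13:30:00", "sourcetype": "firewall", "direction": "outbound", "bytes_out": 120_000_000, "host": "fw1"},
]

if __name__ == "__main__":
    for stage, host, ts in trace_backward(EVENTS):
        print(f"{ts}  {stage:<20} {host}")
```

In Splunk itself the same classification would be an `eval`/`case()` field computed per sourcetype and the backward walk a sorted review of that field; the script only makes the logic explicit.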


Last update: 2025-05-12 14:39