Santosh Ganjur

Last October, or Cyber Security Awareness month, I had just completed acquiring two GIAC certifications – the GSEC and GCIH. I was in a non-technical role, and trying hard to move back into IT. Wanting to continue in the high from the GIAC exams, and encouraged by our mentor Nik Alleyne, I along with a few others from the Ryerson University cohort started on a journey to learn more about the tools we had come across recently. Our mentor had created a learning path for us – first the SIEMs, and then firewalls. With this, we would be able to understand how to analyze logs, the tools used for the same (SIEMs), and packet analysis.

Learning the SIEMs required for a Cyber Security Analyst role seemed quite easy on paper – start by creating a couple of virtual machines (VM), setup a SIEM such as QRadar or Splunk on one of them, and forward all of the logs from the VMs to the SIEM. You’re basically setting up a virtual lab at home on your personal computer. Fair enough. Now, this post is about the Splunk Core Certified User, so I’m going to come back and write another post on setting up a virtual lab. Just need to tidy up the notes I have. For now, onward toward the Splunk Core certification then.

I chose to study Splunk after a battle setting up QRadar on my laptop. The darn brought my 12 gig laptop to its knees. I was almost going to buy an actual physical server and host QRadar on that, but decided to go with Splunk given it’s ease of setup, configuration and use. I setup Splunk on a Kali box, and bought a license to VMware Workstation Pro 16 for ease of back up and restore if something went wrong. I then signed myself up for the Splunk Fundamentals 1 course on the official website and started studying. It’s very nicely designed and laid out, with the man in the videos wearing a different t-shirt with a witty Splunk caption for each module (not kidding). So why not.

Fast forward a few weeks to mid-November, I had never really got around to finishing the course as I started a few interviews, coffee chats and otherwise 40 hours of work. I had two days left for my exam and I had no idea how I was going to get through it. To make matters worse, the course is only valid for 30 days and my access had expired. Yay!

How did I do it?

1. Certification Blueprint – This should be step-0 really. You cannot start studying without knowing what topic is on the exam. Download and go through the blueprint carefully. Understand the weightage given to each topic. This is going to give you the clue needed to excel in step-3 as well.
2. Course work – First Friday night after work, I signed up for another account on Splunk and ran through the modules over an entire day. I completely skipped the lab portion. The license to Splunk on my VM had expired and I was too tensed to start over with it.
3. Quizzes – I went through all the quizzes in the Splunk course twice. This is a great way of understanding the topics and seeing where you’re falling behind. Some of the questions are not multiple choice requiring you to fill in the exact answer. This was extremely helpful as it made me understand those topics with high weightage towards the certification really well – and most of these were fundamental to learning Splunk.
4. YouTube – For the doubts I had, I went into YouTube and searched for videos about those topics. Splunk How-to guides were quite handy. From these, I understood the general working of Splunk, how to search for events, use expressions to refine searches, and control a search job.
5. Flashcards – I had previously found that a helpful bloke had put together flashcards for Splunk Fundamentals 1. Spent the morning of the exam going through them. The Quizlet website gamifies the experience with something called “gravity”. This was a nice light hearted approach towards learning, but quickly turned into getting on the top of the leaderboard. I managed to finish it in 32s before I gave up, let me know yours!

That’s it. I stopped an hour and a half before the exam, setup my desk and removed all electronics from the room (not taking any chances with these online proctored exams), went in and PASSED!

In all honesty, it’s a very simple exam structured around understanding what Splunk can do, learning to search Splunk and filtering the results as needed. In my opinion, it’s meant to whet your appetite for diving deeper into Splunk, which I think it did for me but not professionally.

What would I do differently – put in more time to studying, of course. Without hands-on experience, this certification, or any other SIEM certification for that matter, is not going to be of any use. I went back in after the exam, setup my lab, and played around with it for another week. Quite frankly I think it’s a great platform, and a nice little certification to help bolster that resume for entry-level Security Analyst roles where a SIEM is used everyday. Per my understanding from speaking with industry insiders, the Splunk Core Certified Power User certification is something that’s recognized well within the industry. So if you could do this in 2 days, put in some time and effort, and you can definitely go after the Power User certification. Good luck!