
Splunk Detection and Incident Response

Detect and Investigate Attacks in Splunk

Write the SPL that turns Splunk's data into detections and an investigation: scope and shape searches, accelerate them with tstats over CIM data models, hunt across identity, endpoint, network, and cloud, and run an incident end to end. Every search runs on the page against the Northgate Engineering corpus, with no Splunk license and no instance to stand up.

SEC405 | Premium tier | 13 modules across 6 phases | 36–40 hours at your own pace | 40 CPE credits | Free preview, no account needed | Updated June 2026

Course overview

Splunk Detection and Incident Response teaches you to detect and investigate attacks using SPL, the Search Processing Language, the way a working detection engineer and incident responder uses it. You learn how Splunk stores and retrieves data, how to write searches that stay fast as the data grows, how to normalize across sources with the Common Information Model, and how to accelerate detection at scale with tstats over data models. From there the course moves into building tuned detections, hunting across the estate, and running an incident from first lead to final report.

Every module works against the same fictional company, Northgate Engineering, and its real attack chains: password spray, adversary-in-the-middle token replay, endpoint compromise, ransomware pre-encryption, and a hybrid pivot to cloud. The course runs against a prepared corpus with a live SPL engine on the page, so you write and run real searches against real evidence with nothing to install, no Splunk license, and no instance of your own.

This is a course in the SPL search and detection craft, not a tour of the Splunk product. It does not cover building dashboards or visualizations, configuring alerts, onboarding data, or Splunk administration. It is what a detection engineer and incident responder does in the search bar, against data that is already there.

Who this course is for

This is an intermediate-to-advanced course. It assumes you can already write basic SPL (a filtered search, a stats aggregation, a simple eval) and builds from there to tstats, data models, advanced commands, and full investigations. Every advanced concept is explained at first use, so you do not need prior detection-engineering experience in Splunk, but you will move fastest if SPL is not brand new to you.

SOC analysts and engineers who can search Splunk but want to build detections that scale
Detection engineers moving from ad-hoc searches to tstats-accelerated rules over CIM data models
Incident responders who need to scope and reconstruct an intrusion across sources in Splunk
Threat hunters who want a repeatable, cross-source method rather than one-off queries

What you'll learn

Scope and shape searches so they stay fast: indexes, sourcetypes, the search pipeline, and the search-time cost model
Normalize across sources with the Common Information Model and query whole categories through data models
Accelerate detection at scale with tstats, and write detections with eventstats, streamstats, transaction, and subsearches
Engineer tuned detections with defensible thresholds, lookup-driven allowlisting, and systematic false-positive reduction
Hunt and correlate across identity, endpoint, network, web, DNS, and cloud sources in a single investigation
Triage a lead, scope blast radius, reconstruct a timeline, preserve evidence, and write a defensible incident report

Key course takeaways

A working library of SPL detections you can adapt to your own Splunk environment
The judgment to set a threshold from the data's distribution rather than a guessed round number
A repeatable method for hunting and correlating across sources rather than searching one at a time
The discipline to separate what the evidence proves from what it only suggests
A Splunk-driven incident response workflow, from triage through containment to a report you can hand over

Things you need to know

What are the prerequisites?

Comfort with basic SPL: a filtered search, a stats aggregation, a simple eval. This is an intermediate-to-advanced course pitched above the beginner material Splunk and others cover well, and it builds from those basics to tstats, data models, the advanced command surface, and full investigations. Every advanced concept is explained at first use, so you do not need prior Splunk detection-engineering experience, only a working familiarity with searching.

What tools does this course use?

SPL throughout, including tstats over accelerated CIM data models, the advanced command surface (eventstats, streamstats, transaction, subsearches, lookups, rex, and spath), and the patterns behind detection-as-correlation-search. The evidence spans identity, endpoint, network, web, DNS, and cloud sources, normalized through the Common Information Model. The course frames detections against MITRE ATT&CK and follows the NIST SP 800-61 incident response method.

Do I need a Splunk license or an instance?

No. Every search runs on the page against a prepared corpus through a built-in SPL engine, so the full method works with nothing to install, no license, and no instance of your own. You write real SPL and get real results against embedded attack chains, and the SPL Lab and Query Practice surfaces give you free-run space to test your own searches against the same data.

How will this course benefit your career?

Splunk is one of the most widely deployed SIEMs, and organizations need people who can do more than search it: who can build detections that scale, tune them so analysts trust them, and drive an investigation from a single lead to a defensible report. That practitioner capability is in short supply, because most Splunk training teaches the product and the certifications rather than the defender's job against a live adversary. This course builds the detection-and-response capability end to end.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may adapt the detection logic, searches, and runbooks for use in your own production environment. You may not redistribute course content or share account credentials.

Fictional environment: All scenarios use Northgate Engineering (NE) and its Splunk estate. Hosts, accounts, addresses, and identities are fictional. Any resemblance to real organizations is coincidental.

Version and changelog

Status: In development  |  Last updated: June 2026

June 2026: Phase 0 (Foundations) in place: the Course Orientation (Module 0) is open as a free preview, with runnable SPL on the page against the NE corpus. The paid modules, from the Splunk detection and IR landscape through detection engineering, hunting and correlation, incident response, and the capstone, are in build.

This course is actively being developed.