INTRODUCTION

This guide is my personal SOC L3 SPL playbook.

It contains the most important, industry-standard Splunk queries used in real Security Operations Centers (SOC) for:

• Threat detection
• Threat hunting
• Incident investigation
• Dashboard building

The goal is simple:

👉 Quickly revise core SPL
👉 Understand detection logic
👉 Combine queries like a professional
👉 Become SOC L3 ready from day one

This is not about memorizing SPL.
This is about understanding how attackers behave and how to detect them.

SECTION 1 — CORE SPL BASICS (FOUNDATION)

These are the ONLY commands you need to master.

---

1. Basic Search

index=botsv3 sourcetype=WinEventLog:Security

What it does:
Searches logs from a specific index and source.

---

2. Filter Events

index=botsv3 EventCode=4688

What it does:
Filters process creation events.

---

3. Select Fields

| table _time Parent_Process_Name New_Process_Name Command_Line

What it does:
Shows only important columns.

---

4. Sort Data

| sort – _time

What it does:
Shows latest events first.

---

5. Limit Results

| head 10

What it does:
Shows first 10 events (quick overview).

SECTION 2 — FIELD UNDERSTANDING (VERY IMPORTANT)

You must understand these fields deeply:

• Parent_Process_Name → Who launched the process
• New_Process_Name → What process was created
• Command_Line → What exactly was executed
• Account_Name → Who executed it
• ComputerName → Where it happened

👉 These 5 fields = 80% of SOC detection

SECTION 3 — CORE DETECTION PATTERNS

This is where you become SOC L3.

---

1. PowerShell Detection

index=botsv3 EventCode=4688
| search powershell

Detects: PowerShell execution

2. Suspicious Command Line

| where like(Command_Line,”%enc%”) OR like(Command_Line,”%bypass%”)

Detects: Encoded or bypassed commands

---

3. Parent-Child Relationship

| table Parent_Process_Name New_Process_Name

Detects: Abnormal execution chains

Example:
Word → PowerShell = suspicious

---

4. Aggregation (VERY IMPORTANT)

| stats count by New_Process_Name

Detects: Most executed processes

---

5. Top Activity

| top limit=10 New_Process_Name

Detects: Most frequent activity

SECTION 5 — REAL DETECTION LOGIC BUILDING

This is where you combine everything.

---

Example 1 — PowerShell Attack Detection

index=botsv3 EventCode=4688
| search powershell
| eval suspicious=if(like(Command_Line,”%enc%”) OR like(Command_Line,”%bypass%”),”YES”,”NO”)
| table _time Parent_Process_Name New_Process_Name Command_Line suspicious

---

Example 2 — Lateral Movement Detection

index=botsv3 EventCode=4688
| search “\\”
| table _time Command_Line ComputerName

---

Example 3 — Persistence Detection

index=botsv3 EventCode=4688
| search schtasks
| table Command_Line

---

SECTION 6 — HOW TO COMBINE SPL (IMPORTANT)

Think like this:

Step 1 → Search logs
Step 2 → Filter behavior
Step 3 → Add logic (eval)
Step 4 → Clean output (table)
Step 5 → Analyze (stats/top)

---

Example Combined Query:

index=botsv3 EventCode=4688
| search powershell
| where like(Command_Line,”%enc%”)
| eval suspicious=”YES”
| stats count by ComputerName Account_Name

This is SOC L3 level thinking

---

SECTION 7 — HOW TO THINK LIKE SOC L3

Don’t think:

👉 “What query should I write?”

Think:

👉 “What is the attacker doing?”

Then translate into SPL.

---

SECTION 8 — DAILY REVISION SYSTEM

Use this daily:

15 minutes:

• Run basic search
• Check EventCode 4688
• Look at top processes

30 minutes:

• Run 1 detection
• Modify query
• Understand output

15 minutes:

Think like attacker

Map to MITRE