Overall Goal
Goal: Master all knowledge areas required for Splunk Certified Cybersecurity Defense Analyst (SPLK-5001).
Time Frame: 6 weeks total.
Outcome: Be fully prepared to take and pass the SPLK-5001 exam confidently.
Study Methodology
Pomodoro Technique:
Study in focused 25-minute sessions ("Pomodoro").
After each 25 minutes, take a 5-minute break.
After 4 sessions, take a longer 15–30 minute break.
Ebbinghaus Forgetting Curve:
Immediate review after first learning.
First review after 1 day.
Second review after 3 days.
Third review after 7 days.
Fourth review after 14 days.
SPLK-5001 Study Plan — Week 1
Theme: Cybersecurity Landscape, Frameworks, and Standards
Main Objective:
Gain a complete understanding of the cybersecurity environment, key industry frameworks, and important compliance standards.
Day 1: Introduction to the Cybersecurity Landscape
Daily Goal:
Understand the basic components of the cybersecurity landscape: threat actors, threat vectors, vulnerabilities, and emerging trends.
Learning Content:
Definition of cybersecurity landscape
Types of threat actors (hackers, nation-states, insiders, hacktivists)
Threat vectors (phishing, malware, social engineering)
Types of vulnerabilities
Trends in cybersecurity
Detailed Tasks:
Pomodoro 1: Read and summarize definitions of threat actors and threat vectors.
Pomodoro 2: Create a mind map listing 5 types of threat actors and 5 threat vectors with examples.
Pomodoro 3: Research and write short notes on 3 major cyber trends (such as ransomware-as-a-service).
Pomodoro 4: Flashcard session: Recall and explain types of threat actors without using notes.
Quick Review: 10-minute self-test on threat actor and vector identification.
Day 2: Deep Dive into Cybersecurity Frameworks - NIST CSF
Daily Goal:
Understand the structure and use of the NIST Cybersecurity Framework (CSF).
Learning Content:
Overview of NIST CSF
5 Core Functions: Identify, Protect, Detect, Respond, Recover
How organizations apply NIST CSF
Detailed Tasks:
Pomodoro 1: Read and summarize the 5 functions of NIST CSF.
Pomodoro 2: For each function, write a real-world example (e.g., Identify = Asset Inventory).
Pomodoro 3: Create a diagram showing the NIST CSF cycle.
Pomodoro 4: Quiz yourself: Describe each NIST function aloud without reading notes.
Review: 10 multiple-choice questions on NIST CSF.
Day 3: Introduction to the MITRE ATT&CK Framework
Daily Goal:
Understand attacker behavior mapping using MITRE ATT&CK.
Learning Content:
Structure of MITRE ATT&CK Matrix
Tactics vs Techniques
Examples of common tactics and techniques
Detailed Tasks:
Pomodoro 1: Study the layout of the ATT&CK Matrix (initial access, execution, persistence, etc.).
Pomodoro 2: Choose 3 tactics and list their associated techniques.
Pomodoro 3: Create a small attack scenario based on ATT&CK tactics.
Pomodoro 4: Flashcard drill: Match tactics to techniques without looking.
Quick Practice: 10-minute write-up: "How MITRE ATT&CK helps in threat hunting."
Day 4: Understanding CIS Critical Security Controls
Daily Goal:
Learn the purpose and examples of the top 6 CIS Controls.
Learning Content:
Purpose of CIS Controls
First 6 Basic Controls
How CIS Controls improve security posture
Detailed Tasks:
Pomodoro 1: Read and summarize the first 6 CIS Controls.
Pomodoro 2: Create a two-column chart: CIS Control vs Real-World Example.
Pomodoro 3: Draft a checklist for a small company's compliance with the top 6 controls.
Pomodoro 4: Flashcard session: Identify each control and its priority.
Quiz: 10 matching questions (control names and purposes).
Day 5: Compliance Standards Overview
Daily Goal:
Understand the basics of important cybersecurity compliance standards.
Learning Content:
ISO/IEC 27001
PCI DSS
HIPAA
GDPR
SOX
Detailed Tasks:
Pomodoro 1: Read a summary of each compliance standard (focus on purpose and scope).
Pomodoro 2: Build a comparison table: Standard vs Covered Domain vs Key Requirement.
Pomodoro 3: Case study: Research how GDPR changed security operations in companies.
Pomodoro 4: 100-word essay: "Why cybersecurity compliance is essential."
Quick Quiz: 5 short-answer questions about compliance requirements.
Day 6: Review and Consolidation
Daily Goal:
Consolidate all Week 1 knowledge and identify weak areas.
Learning Content:
Recap of threat landscape, frameworks, and standards
Summary diagrams and notes
Detailed Tasks:
Pomodoro 1: Create a large visual mind-map connecting all studied concepts.
Pomodoro 2: Rework notes: Reorganize and clean up Week 1 summaries.
Pomodoro 3: Complete a 20-question cumulative quiz (timed: 20 minutes).
Pomodoro 4: Focused review session on areas scoring below 80%.
Memory Drill: Oral explanation without notes ("teach back" method).
Day 7: Weekly Review and Testing
Daily Goal:
Simulate exam conditions and evaluate learning progress.
Learning Content:
Practice questions covering full Week 1 topics
Self-assessment
Detailed Tasks:
Pomodoro 1: Take a 50-question practice exam (timed: 45 minutes).
Pomodoro 2: Immediate review of all incorrect answers.
Pomodoro 3: Build a "Mistake Notebook" listing wrong answers and correct explanations.
Pomodoro 4: Reflect and prepare a learning plan adjustment for Week 2.
Special Review Reminder (Forgetting Curve)
Review Day 1 notes on Day 2 evening (10-minute review session)
Review Day 1+2 notes on Day 4 evening
Review full Week 1 notes on Day 7
SPLK-5001 Study Plan — Week 2
Theme: Threat and Attack Types, Motivations, and Tactics
Main Objective:
Master the understanding of different types of cyberattacks, understand threat actors’ motivations, and study common attack tactics used by adversaries.
Day 8: Phishing and Malware
Daily Goal:
Understand how phishing attacks work and the types of malware used by attackers.
Learning Content:
Anatomy of phishing attacks
Common malware types: viruses, worms, trojans, ransomware
Detailed Tasks:
Pomodoro 1: Read detailed explanations and examples of phishing and malware attacks.
Pomodoro 2: Create a table: Malware Type vs Delivery Method vs Impact.
Pomodoro 3: Case Study: Research a real-world phishing attack (e.g., 2020 Twitter breach) and summarize in 100 words.
Pomodoro 4: Write 5 preventive measures against phishing attacks.
Quick Drill: Flashcard session: Malware types recognition.
Day 9: Ransomware, DDoS, and Zero-Day Exploits
Daily Goal:
Understand specific high-impact attack types and how they disrupt systems.
Learning Content:
Ransomware lifecycle
How DDoS attacks overwhelm services
What zero-day vulnerabilities are and why they are dangerous
Detailed Tasks:
Pomodoro 1: Read about ransomware behavior and incident examples.
Pomodoro 2: Create a diagram explaining a DDoS attack chain.
Pomodoro 3: Research and write 100 words on a famous zero-day attack (e.g., WannaCry exploit).
Pomodoro 4: List preventive actions for each attack type.
Mini Quiz: Identify key differences between ransomware, DDoS, and zero-day exploits.
Day 10: Insider Threats and Credential Theft
Daily Goal:
Learn about internal threats and credential-based attacks.
Learning Content:
Malicious insiders vs negligent insiders
Credential theft techniques
Detailed Tasks:
Pomodoro 1: Read about the characteristics of insider threats.
Pomodoro 2: List methods attackers use to steal credentials (e.g., phishing, keylogging, social engineering).
Pomodoro 3: Create a small incident response plan for insider threat scenarios.
Pomodoro 4: Flashcard Drill: Symptoms of insider attacks.
Short Exercise: Write 3 detection strategies for credential theft.
Day 11: Motivations of Threat Actors
Daily Goal:
Understand why attackers act: financial gain, espionage, political motives, personal revenge.
Learning Content:
Overview of threat actor motivations
Historical examples
Detailed Tasks:
Pomodoro 1: Study motivations and relate them to attack types.
Pomodoro 2: Build a table: Motivation Type vs Real-World Cyberattack Example.
Pomodoro 3: Short essay: How different motivations shape attack strategies.
Pomodoro 4: Flashcard Drill: Quickly identify the motivation given a sample attack scenario.
Quiz: Match motivation to example case.
Day 12: Attack Tactics — Initial Access and Persistence
Daily Goal:
Learn initial access methods and how attackers maintain long-term presence inside networks.
Learning Content:
Initial Access tactics (phishing, exploitation of vulnerabilities)
Persistence tactics (backdoors, scheduled tasks)
Detailed Tasks:
Pomodoro 1: Study definitions and techniques related to Initial Access.
Pomodoro 2: Study definitions and techniques related to Persistence.
Pomodoro 3: Create a story: Simulate a simple intrusion maintaining persistence.
Pomodoro 4: Flashcard Drill: Techniques to achieve initial access vs persistence.
Mini Quiz: Identify initial access or persistence from given scenarios.
Day 13: Attack Tactics — Privilege Escalation, Lateral Movement, and Exfiltration
Daily Goal:
Learn how attackers move deeper inside networks and steal data.
Learning Content:
Privilege Escalation techniques (exploiting system flaws)
Lateral Movement (moving between systems)
Exfiltration methods (data theft)
Detailed Tasks:
Pomodoro 1: Study privilege escalation definitions and examples.
Pomodoro 2: Study lateral movement and identify tools (like Mimikatz, PsExec).
Pomodoro 3: Draw an example attack path starting from a phishing email to full database exfiltration.
Pomodoro 4: Flashcard Drill: Recognize movement and exfiltration techniques.
Practice Exercise: Write 5 defense strategies against lateral movement.
Day 14: Weekly Review and Application
Daily Goal:
Consolidate learning on attack types, motivations, and tactics.
Learning Content:
Full review of Days 8–13 material
Application practice
Detailed Tasks:
Pomodoro 1: Mind-map connecting Threat Types, Motivations, Tactics.
Pomodoro 2: Simulated exercise: Identify stages of a simulated attack.
Pomodoro 3: 30-question practice quiz covering all Week 2 topics (timed: 30 minutes).
Pomodoro 4: Review mistakes and write corrective notes.
Reflection: Summarize in 5 bullet points how attacks evolve from initial access to exfiltration.
Special Review Reminder (Forgetting Curve)
Review Day 8 notes on Day 9 evening (10 minutes quick review)
Review Day 8+9 notes on Day 11 evening
Review all Days 8–13 notes on Day 14
Prepare a cumulative mini-test on Day 14 to ensure memory consolidation
SPLK-5001 Study Plan — Week 3
Theme: Defenses, Data Sources, and SIEM Best Practices
Main Objective:
Master the understanding of cybersecurity defenses, key data sources for monitoring, and best practices for operating a SIEM like Splunk.
Day 15: Security Defenses — Controls Overview
Daily Goal:
Understand different types of security controls and how they protect systems.
Learning Content:
- Types of controls: Preventive, Detective, Corrective, Physical, Administrative
Detailed Tasks:
Pomodoro 1: Read and summarize each type of control, with at least 2 examples each.
Pomodoro 2: Create a five-column table listing Control Type, Definition, Example, Strength, Weakness.
Pomodoro 3: Build a simple incident scenario and match proper controls to each stage.
Pomodoro 4: Flashcard Drill: Identify control types based on example scenarios.
Quick Quiz: 10 questions identifying control types.
Day 16: Firewall Logs and IDS/IPS Logs
Daily Goal:
Learn how to interpret firewall logs and IDS/IPS logs for threat detection.
Learning Content:
Firewall logs (allow/deny traffic)
IDS/IPS (signature-based and anomaly-based alerts)
Detailed Tasks:
Pomodoro 1: Read sample firewall and IDS logs; learn common fields (e.g., source IP, destination port, action taken).
Pomodoro 2: List key indicators that suggest suspicious activity in logs.
Pomodoro 3: Analyze 3 firewall log examples to spot anomalies (manual practice).
Pomodoro 4: Flashcard Drill: Recognize log patterns (e.g., port scans, brute-force attacks).
Mini Exercise: Write a 5-step guide to reviewing firewall and IDS alerts.
Day 17: Endpoint and Authentication Logs
Daily Goal:
Understand endpoint activity monitoring and login event tracking.
Learning Content:
Windows Event Logs (login success, login failure)
Endpoint behavior logs (process creation, file modifications)
Detailed Tasks:
Pomodoro 1: Study common Windows Security Event IDs (e.g., 4624, 4625).
Pomodoro 2: Create a list: Important fields to review in authentication and endpoint logs.
Pomodoro 3: Analyze case studies showing credential theft detection through login logs.
Pomodoro 4: Flashcard Drill: Event ID identification.
Practice Exercise: Write a small detection rule (e.g., 5 failed logins in 5 minutes).
Day 18: Web Server Logs, VPN Logs, Cloud Logs
Daily Goal:
Learn how web, remote access, and cloud platform logs reveal security issues.
Learning Content:
HTTP request logs
VPN connection logs
Cloud environment monitoring (AWS CloudTrail, Azure Monitor)
Detailed Tasks:
Pomodoro 1: Read and interpret sample web server logs (status codes, request types).
Pomodoro 2: Study VPN log fields and indicators of suspicious remote access.
Pomodoro 3: Explore common cloud activity logs and typical security alerts (like API misuse).
Pomodoro 4: Flashcard Drill: Identify normal vs abnormal activity from log samples.
Short Exercise: List 3 signs of a compromised VPN account.
Day 19: Threat Intelligence Feeds and External Data Sources
Daily Goal:
Understand how external intelligence sources improve detection and hunting.
Learning Content:
Threat Intelligence (IPs, URLs, hashes)
Lookup tables in Splunk
Detailed Tasks:
Pomodoro 1: Read about open-source threat intel feeds (e.g., AlienVault OTX, AbuseIPDB).
Pomodoro 2: Create a diagram showing how a threat feed integrates into Splunk searches.
Pomodoro 3: Practice a small case study: Detecting a malicious IP address using threat feeds.
Pomodoro 4: Flashcard Drill: Common fields in threat feeds (IOC types).
Practice Exercise: Design a basic lookup enrichment process.
Day 20: SIEM Best Practices — Data Normalization, Alert Fine-Tuning
Daily Goal:
Master SIEM operation concepts that improve security detection efficiency.
Learning Content:
Data normalization (field consistency)
Alert fine-tuning to reduce false positives
High-value data prioritization
Detailed Tasks:
Pomodoro 1: Study why normalization matters and common Splunk data models.
Pomodoro 2: Read about fine-tuning alert thresholds (example: failed login limits).
Pomodoro 3: Write 3 SIEM use cases for prioritized monitoring (e.g., admin login after hours).
Pomodoro 4: Flashcard Drill: Best practice checklist.
Mini Lab: Draft one correlation search logic in Splunk (pseudocode).
Day 21: Weekly Review and Application
Daily Goal:
Consolidate understanding of defenses, data sources, and SIEM best practices.
Learning Content:
Review all key concepts
Apply practical analysis skills
Detailed Tasks:
Pomodoro 1: Create a mega mind-map linking Defenses, Data Sources, SIEM processes.
Pomodoro 2: Complete a 30-question timed practice quiz (time limit: 30 minutes).
Pomodoro 3: Review incorrect quiz answers; correct understanding gaps.
Pomodoro 4: Case Simulation: "Given sample logs, identify the attack pattern."
Reflection: 5-minute writing: “How data sources empower cybersecurity operations.”
Special Review Reminder (Forgetting Curve)
Review Day 15 notes on Day 16 evening.
Review Days 15–16 notes again on Day 18.
Complete full Week 3 review on Day 21.
SPLK-5001 Study Plan — Week 4
Theme: Investigation, Event Handling, Correlation, and Risk
Main Objective:
Learn how to investigate cybersecurity incidents, manage events properly, correlate data from multiple sources, and understand risk assessment and scoring.
Day 22: Cybersecurity Investigation Fundamentals
Daily Goal:
Understand the structured process of cybersecurity investigations.
Learning Content:
- Investigation steps: Detection, Validation, Scoping, Root Cause Analysis, Evidence Collection
Detailed Tasks:
Pomodoro 1: Read detailed explanation of each investigation step.
Pomodoro 2: Create a checklist: “Steps to investigate a security incident.”
Pomodoro 3: Study a case study of a real-world incident investigation (example: Capital One breach).
Pomodoro 4: Flashcard Drill: Name and order the investigation steps without notes.
Practice: Create a simple flowchart of an incident investigation process.
Day 23: Incident Classification and Containment Strategies
Daily Goal:
Learn how to classify incidents and quickly contain them to minimize damage.
Learning Content:
Severity classification: low, medium, high, critical
Containment techniques: isolation, blocking, disabling accounts
Detailed Tasks:
Pomodoro 1: Study classification criteria based on impact and urgency.
Pomodoro 2: Create an incident classification table with examples for each severity.
Pomodoro 3: Study containment actions and select correct methods for given attack types.
Pomodoro 4: Practice Drill: Match sample incidents to containment strategies.
Mini Exercise: Design a quick containment checklist for phishing incidents.
Day 24: Eradication, Recovery, and Post-Incident Review
Daily Goal:
Learn how to eliminate threats completely and ensure full recovery.
Learning Content:
Threat eradication methods
Recovery operations
Importance of post-incident analysis
Detailed Tasks:
Pomodoro 1: Read about techniques for removing malware, patching vulnerabilities, changing credentials.
Pomodoro 2: Study backup and recovery strategies (full backup, incremental backup).
Pomodoro 3: Create a post-incident review template (questions to ask, lessons to document).
Pomodoro 4: Flashcard Drill: Correct recovery steps sequence.
Mini Exercise: Draft a post-mortem report for a simulated malware infection.
Day 25: Understanding Event Correlation
Daily Goal:
Master how to link multiple events across different systems to detect advanced attacks.
Learning Content:
What is event correlation
Examples: Brute-force detection, Lateral movement identification
Detailed Tasks:
Pomodoro 1: Study event correlation concepts and examples.
Pomodoro 2: Draw two correlation chains (e.g., failed logins + successful login = credential compromise).
Pomodoro 3: Practice building a basic Splunk correlation search (conceptual design).
Pomodoro 4: Flashcard Drill: Spot correct event links given multiple logs.
Practice Exercise: Create a small correlation map for detecting insider threat behavior.
Day 26: Correlation Techniques in Splunk
Daily Goal:
Learn Splunk-specific methods for building and managing correlation searches.
Learning Content:
Correlation searches
Notable events
Multi-source analysis
Detailed Tasks:
Pomodoro 1: Study how correlation searches are built in Splunk ES.
Pomodoro 2: Understand how notable events are generated and managed.
Pomodoro 3: Build a basic conceptual multi-source analysis use case (authentication logs + firewall logs).
Pomodoro 4: Flashcard Drill: Splunk correlation keywords.
Mini Exercise: Draft an idea for an automated notable event.
Day 27: Cybersecurity Risk Components and Risk Scoring
Daily Goal:
Understand how risk is measured and managed in cybersecurity operations.
Learning Content:
Threats, Vulnerabilities, Impact
Risk scoring techniques
Risk-based prioritization
Detailed Tasks:
Pomodoro 1: Study and define threat, vulnerability, impact clearly.
Pomodoro 2: Create risk scoring models (example: scoring critical assets higher).
Pomodoro 3: Study risk scoring use in Splunk Enterprise Security (entity risk aggregation).
Pomodoro 4: Flashcard Drill: Recognize components of a cybersecurity risk equation.
Practice: Design a risk score system for failed logins, lateral movement, and privileged access misuse.
Day 28: Weekly Review and Application
Daily Goal:
Consolidate knowledge about investigation, event handling, correlation, and risk management.
Learning Content:
Review all major processes and models
Apply practical analysis
Detailed Tasks:
Pomodoro 1: Mind-map linking Investigation Process, Event Handling Steps, Correlation Logic, Risk Analysis.
Pomodoro 2: 30-question cumulative quiz (timed: 30 minutes).
Pomodoro 3: Review and analyze errors from quiz answers.
Pomodoro 4: Simulate a full mini incident:
Receive an alert
Classify the incident
Contain, Eradicate, Recover
Correlate related events
Perform basic risk assessment
Reflection: 5-minute write-up: "How correlation and risk scoring improve threat detection."
Special Review Reminder (Forgetting Curve)
Review Day 22 notes on Day 23 evening.
Review Days 22–23 notes again on Day 25.
Full Week 4 review on Day 28.
SPLK-5001 Study Plan — Week 5
Theme: SPL (Search Processing Language) and Efficient Searching
Main Objective:
Master the ability to write efficient and accurate SPL queries in Splunk to detect, investigate, and analyze cybersecurity events.
Day 29: Introduction to SPL and Basic Search Syntax
Daily Goal:
Understand SPL basics and how to structure a simple search query.
Learning Content:
What is SPL
Basic search structure: index, sourcetype, keywords
Detailed Tasks:
Pomodoro 1: Read about SPL fundamentals and its pipeline structure.
Pomodoro 2: Study examples of simple searches (e.g.,
index=security sourcetype=wineventlog:security error).Pomodoro 3: Practice writing 10 basic search queries targeting specific keywords and fields.
Pomodoro 4: Flashcard Drill: Identify parts of an SPL search command.
Mini Exercise: Build a search to find all failed login events in the past 24 hours.
Day 30: Core SPL Commands — search, stats, timechart
Daily Goal:
Master the use of search, stats, and timechart commands in Splunk.
Learning Content:
The
searchcommand for finding eventsThe
statscommand for aggregationThe
timechartcommand for trend analysis
Detailed Tasks:
Pomodoro 1: Deep dive into
searchand practice OR/AND/NOT logic.Pomodoro 2: Learn
stats(count, sum, avg) and practice building summaries.Pomodoro 3: Learn
timechartto create time-based trend visualizations.Pomodoro 4: Practice Drill: Write 5 queries using stats and timechart with different fields.
Mini Lab: Create a simple dashboard showing login failures over time.
Day 31: Core SPL Commands — top, rare, eval, dedup
Daily Goal:
Learn to identify most/least frequent values and manipulate fields.
Learning Content:
topandrarefor finding frequent or rare valuesevalfor creating or transforming fieldsdedupfor removing duplicates
Detailed Tasks:
Pomodoro 1: Practice using
topandrarewith real log data.Pomodoro 2: Learn
evalexpressions (e.g., combine fields, conditional logic).Pomodoro 3: Study
dedupand practice deduplicating login events by username.Pomodoro 4: Flashcard Drill: What command to use for each search goal?
Practice Exercise: Write 5 mini-queries combining top, eval, and dedup.
Day 32: Core SPL Commands — rex, lookup, eventstats
Daily Goal:
Learn to extract fields, enrich data, and add event-level statistics.
Learning Content:
rexfor field extraction via regular expressionslookupto bring external data into Splunk eventseventstatsto add stats across events without collapsing them
Detailed Tasks:
Pomodoro 1: Study
rexexamples and write 3 field extraction queries.Pomodoro 2: Practice
lookupby enriching login events with user department info.Pomodoro 3: Use
eventstatsto calculate average login attempts per user.Pomodoro 4: Flashcard Drill: What does rex/lookup/eventstats do?
Mini Lab: Build a lookup-based search to identify high-risk users.
Day 33: Search Efficiency Techniques
Daily Goal:
Learn best practices for optimizing searches to improve performance.
Learning Content:
Time filtering early
Specific index and sourcetype targeting
Filtering early in the pipeline
Structured field searches vs text search
Detailed Tasks:
Pomodoro 1: Study why specifying time, index, and sourcetype improves speed.
Pomodoro 2: Practice rewriting bad searches into optimized versions.
Pomodoro 3: Read and practice using sample efficient searches.
Pomodoro 4: Flashcard Drill: Good vs bad search examples.
Practice: Turn a full-text "slow" search into an optimized structured field search.
Day 34: Advanced Efficiency — Regex Optimization and Summary Indexing
Daily Goal:
Learn how to make regex lighter and use summary indexing for faster reporting.
Learning Content:
Best practices for writing efficient regular expressions
Benefits and setup of summary indexing in Splunk
Detailed Tasks:
Pomodoro 1: Study how to write short, specific regular expressions.
Pomodoro 2: Practice 5 regex-based field extractions and optimize them.
Pomodoro 3: Learn what summary indexing is and when to use it.
Pomodoro 4: Practice building a conceptual summary indexing process.
Mini Lab: Design a search plan using summary indexing for high-volume login logs.
Day 35: Weekly Review and SPL Practice
Daily Goal:
Consolidate SPL command mastery and efficient search techniques.
Learning Content:
Full review of all commands studied
Apply efficient searching techniques
Detailed Tasks:
Pomodoro 1: Create a mind-map linking all SPL commands by purpose.
Pomodoro 2: Write 10 complete searches combining multiple commands.
Pomodoro 3: Take a 30-question SPL-focused quiz (timed: 30 minutes).
Pomodoro 4: Analyze mistakes and rework bad queries.
Mini Challenge: Build a full SPL query detecting a brute-force attack and summarize the logic.
Special Review Reminder (Forgetting Curve)
Review Day 29 notes on Day 30 evening.
Review Days 29–30 notes again on Day 32.
Full Week 5 review on Day 35.
SPLK-5001 Study Plan — Week 6
Theme: Threat Hunting, Remediation, and Final Comprehensive Review
Main Objective:
Integrate all knowledge and skills learned; simulate real-world threat hunting and remediation; finalize preparation with comprehensive review and mock exam practice.
Day 36: Introduction to Threat Hunting
Daily Goal:
Understand what threat hunting is, why it matters, and how to initiate a hunt.
Learning Content:
Proactive threat hunting vs reactive incident response
Hypothesis-driven hunting
Sources of hunting triggers (intel, anomalies, vulnerabilities)
Detailed Tasks:
Pomodoro 1: Study the definition and key characteristics of threat hunting.
Pomodoro 2: Read about different triggers for threat hunts (threat intelligence, behavioral anomalies).
Pomodoro 3: Write 3 sample hunting hypotheses (e.g., "Multiple login failures from unusual countries").
Pomodoro 4: Flashcard Drill: What are the steps of a standard hunt?
Mini Exercise: Design a simple initial threat hunt plan based on a phishing trigger.
Day 37: Threat Hunting Methodologies
Daily Goal:
Master different methods of conducting a threat hunt.
Learning Content:
Intel-driven hunting
TTP-based hunting (MITRE ATT&CK model)
Anomaly-based hunting
Situational (event-driven) hunting
Detailed Tasks:
Pomodoro 1: Study intel-driven and TTP-based hunting methods.
Pomodoro 2: Study anomaly-based and situational hunting approaches.
Pomodoro 3: Create a comparison table: Hunting Method vs Trigger vs Example Hunt.
Pomodoro 4: Flashcard Drill: Identify hunting method based on sample case.
Mini Lab: Build a basic Splunk search aligned with a hunting hypothesis (e.g., detection of lateral movement).
Day 38: Threat Hunting Tools and Techniques in Splunk
Daily Goal:
Learn how to perform hunting in Splunk effectively.
Learning Content:
Splunk Data Models
Risk-Based Alerting
Splunk ES Threat Activity and Risk Analysis dashboards
Lookups and modular searches
Detailed Tasks:
Pomodoro 1: Study how to use accelerated data models in Splunk for faster searches.
Pomodoro 2: Learn about Risk-Based Alerting (RBA) in Splunk and its advantages.
Pomodoro 3: Practice building searches using lookups (e.g., list of known malicious IPs).
Pomodoro 4: Flashcard Drill: Splunk tools used for different hunting phases.
Mini Lab: Create a small modular search plan combining notable events and risk scores.
Day 39: Remediation and Automation Basics
Daily Goal:
Understand remediation steps and basic automation concepts.
Learning Content:
Identification, Containment, Eradication, Recovery
Post-mortem reviews
Introduction to SOAR (Security Orchestration, Automation, and Response)
Detailed Tasks:
Pomodoro 1: Study each step of the remediation process in detail.
Pomodoro 2: Read about common SOAR automations (e.g., automatic IP blocking, user disabling).
Pomodoro 3: Write a simple manual remediation playbook for malware infection.
Pomodoro 4: Flashcard Drill: Match each remediation step to its correct action.
Mini Lab: Draft an automated playbook flow (Alert ➔ Threat Intel Enrichment ➔ Containment ➔ Notification).
Day 40: Full Frameworks and Standards Review
Daily Goal:
Consolidate your understanding of all cybersecurity frameworks and compliance standards.
Learning Content:
NIST CSF, MITRE ATT&CK, CIS Controls
ISO 27001, PCI DSS, HIPAA, GDPR, SOX
Detailed Tasks:
Pomodoro 1: Quick reading and summarization of each framework.
Pomodoro 2: Create a master comparison chart linking framework focus areas.
Pomodoro 3: Practice explaining frameworks verbally (simulate teaching).
Pomodoro 4: Flashcard Drill: Recognize key points from each standard.
Mini Quiz: 20-question review covering all frameworks and standards.
Day 41: Full SPL Practice Session
Daily Goal:
Sharpen SPL skills through end-to-end practice without guidance.
Learning Content:
Writing full SPL queries
Simulating threat detection scenarios
Detailed Tasks:
Pomodoro 1: Write 5 full searches detecting specific behaviors (failed logins, admin privilege abuse, VPN anomalies).
Pomodoro 2: Optimize 5 poorly written sample searches for speed and efficiency.
Pomodoro 3: Build a small hunting dashboard using SPL (timechart and stats-based panels).
Pomodoro 4: Take a 20-question SPL-only timed practice quiz (20 minutes).
Reflection: Identify personal strengths and weaknesses in SPL writing.
Day 42: Final Mock Exam and Review
Daily Goal:
Simulate real SPLK-5001 exam conditions and complete a final review.
Learning Content:
Full-length mock exam
Self-assessment and final tuning
Detailed Tasks:
Pomodoro 1: Take a 65-question mock exam simulating real SPLK-5001 (90 minutes, strict timing).
Pomodoro 2: Immediate detailed review of all incorrect and uncertain answers.
Pomodoro 3: Build a mistake notebook, listing wrong answers, correct answers, and explanations.
Pomodoro 4: Focused last review on weak topics (1-2 Pomodoros).
Mini Challenge: Write a self-evaluation: "Am I ready? What can I improve in the last 48 hours?"
Special Review Reminder (Forgetting Curve)
Review Day 36 notes on Day 37 evening.
Review Days 36–37 notes again on Day 39.
Full Week 6 review before final exam simulation (Day 42).