Overall Goals
Pass the SPLK-5002 certification exam and master the practical application of Splunk in cybersecurity monitoring and defense.
Systematically master the following five major knowledge modules:
Data Engineering
Detection Engineering
Building Effective Security Processes and Programs
Automation and Efficiency
Auditing and Reporting on Security Programs
At the same time, maximize memory retention and application skills through efficient learning methods (Pomodoro Technique + Spaced Repetition).
Study Schedule
Total Duration: 8 weeks (2 months)
Weekly Arrangement: 5 days of study + 2 days of review/adjustment
Daily Investment: 2–3 hours
Pomodoro Learning Rhythm:
Focus for 25 minutes per session → 5 minutes break.
After completing 4 Pomodoros, take a longer break of 15–20 minutes.
Spaced Repetition Plan:
Quick review once within 24 hours after first learning.
Review again after 3 days.
Review again after 7 days.
Review again after 14 days.
Conduct a final review before the exam.
SPLK-5002 Detailed Study Plan — Week 1
Weekly Goal:
Master the foundations of Data Engineering for cybersecurity in Splunk.
Be able to identify security data sources, onboard them into Splunk, normalize the fields, enrich the data, ensure data quality, and secure the ingestion pipeline.
Use the Pomodoro Technique (25 min study + 5 min break), 6 sessions per day.
Apply Ebbinghaus Forgetting Curve reviews at 24h, 3 days, 7 days intervals after each topic.
Day 1: Introduction to Data Engineering & Identifying Data Sources
Learning Objectives:
Understand what Data Engineering means in a cybersecurity context.
Learn the most important types of security log sources.
Detailed Tasks:
Read about the role of Data Engineering in cybersecurity.
List at least 15 different security data sources (e.g., firewalls, antivirus, Active Directory, VPN, cloud providers).
Categorize these sources into groups: Network, Endpoint, Identity, Cloud, Application.
Summarize in a table: Source Name | Type | Example Data Fields.
Pomodoro Sessions:
2 Pomodoro sessions: Theory reading.
2 Pomodoro sessions: Source listing and categorization.
2 Pomodoro sessions: Table creation and summary.
Day 2: Data Collection Methods in Splunk
Learning Objectives:
- Understand the different methods to collect data into Splunk: Universal Forwarder, Heavy Forwarder, HEC, Syslog.
Detailed Tasks:
Study Splunk documentation on Universal Forwarders (UF) and Heavy Forwarders (HF).
Install a Universal Forwarder on a Windows virtual machine.
Configure the UF to collect Windows Security logs.
Verify successful ingestion in Splunk (basic search).
Pomodoro Sessions:
2 Pomodoro sessions: Learning collection methods.
2 Pomodoro sessions: Setting up Universal Forwarder.
2 Pomodoro sessions: Testing and verification.
Day 3: Data Normalization and CIM Mapping
Learning Objectives:
Understand field extractions.
Learn how to map raw fields into the Splunk Common Information Model (CIM).
Detailed Tasks:
Study what CIM is and why normalization is critical.
Practice using the Splunk Field Extractor to extract fields from sample firewall logs.
Map extracted fields to relevant CIM tags (e.g., src_ip, user, dest_ip).
Save your extractions and validate by searching normalized data.
Pomodoro Sessions:
2 Pomodoro sessions: CIM theory and Field Extraction basics.
2 Pomodoro sessions: Practicing field extraction.
2 Pomodoro sessions: Applying CIM mapping.
Day 4: Data Enrichment: Asset and Threat Intelligence
Learning Objectives:
- Understand why enrichment (adding context) is crucial for better detection and investigation.
Detailed Tasks:
Create a basic Asset Inventory Lookup Table mapping IP addresses to owners and departments.
Configure Splunk to ingest a basic Threat Intelligence Feed (use AbuseIPDB or similar).
Perform a sample correlation search: Check if any ingested IP matches the threat feed.
Pomodoro Sessions:
2 Pomodoro sessions: Asset inventory setup.
2 Pomodoro sessions: Threat feed ingestion.
2 Pomodoro sessions: Search and correlation test.
Day 5: Data Quality Assurance and Troubleshooting
Learning Objectives:
- Learn methods to validate data completeness, accuracy, and timeliness.
Detailed Tasks:
Create a Saved Search that checks for missing important fields (e.g., username, src_ip).
Set up a basic alert that triggers if no logs are received from a critical source within 30 minutes.
Study examples of common data ingestion issues and how to troubleshoot.
Pomodoro Sessions:
2 Pomodoro sessions: Learning data quality metrics.
2 Pomodoro sessions: Setting up saved search and alert.
2 Pomodoro sessions: Reviewing troubleshooting best practices.
Day 6: Indexing Strategy and Storage Management
Learning Objectives:
- Understand how to separate, manage, and retain different types of data using Splunk indexes.
Detailed Tasks:
Create two new indexes:
One for authentication logs (e.g.,
auth_logs).One for endpoint monitoring logs (e.g.,
endpoint_logs).
Study Splunk's Hot → Warm → Cold → Frozen bucket lifecycle.
Configure basic retention settings (e.g., keep authentication logs for 180 days).
Pomodoro Sessions:
2 Pomodoro sessions: Indexing theory and Splunk storage concepts.
2 Pomodoro sessions: Hands-on index creation.
2 Pomodoro sessions: Setting retention policies.
Day 7: Data Security and Compliance Basics
Learning Objectives:
Secure data in transit and at rest.
Implement access controls in Splunk for sensitive data.
Detailed Tasks:
Configure SSL encryption between a Universal Forwarder and Indexer.
Create a Splunk Role that only allows access to non-sensitive indexes.
Assign the role to a test user and validate permissions.
Study compliance basics (PCI-DSS, HIPAA) relating to data security.
Pomodoro Sessions:
2 Pomodoro sessions: SSL configuration and testing.
2 Pomodoro sessions: Role-based access control setup.
2 Pomodoro sessions: Compliance reading and summary notes.
Week 1 Ebbinghaus Forgetting Curve Review Plan:
Review Day 1 topics on Day 2 (quick notes flashback, self-quiz).
Review Day 2 topics on Day 3, and so on.
Set 1-hour review blocks every Sunday for weekly topic consolidation.
SPLK-5002 Detailed Study Plan — Week 2
Weekly Goal:
Master advanced Data Engineering skills and start transitioning into basic Detection Engineering.
Be able to enrich, optimize, monitor, and secure your Splunk data ingestion pipelines at a professional level.
Use the Pomodoro Technique (6 sessions/day).
Follow the Ebbinghaus review method: review key topics at 1-day, 3-day, and 7-day intervals.
Day 8: Advanced Threat Intelligence Integration
Learning Objectives:
- Deepen your understanding of external data enrichment and threat detection support.
Detailed Tasks:
Integrate an additional threat intelligence source (e.g., AlienVault OTX).
Configure Splunk to auto-update threat indicators daily.
Build a correlation search that matches incoming IPs or domains with known threat lists.
Pomodoro Sessions:
2 Pomodoro sessions: Study threat intelligence feed formats.
2 Pomodoro sessions: Configure feed ingestion and auto-refresh.
2 Pomodoro sessions: Build correlation search.
Day 9: Asset and Identity Framework Deep Dive
Learning Objectives:
- Use Asset and Identity frameworks for faster, more intelligent investigations.
Detailed Tasks:
Expand the asset inventory by adding more fields (e.g., system owner, department, criticality).
Link user identities to organizational units.
Modify an existing search to enrich results with asset or identity data.
Pomodoro Sessions:
2 Pomodoro sessions: Study Asset and Identity framework structure.
2 Pomodoro sessions: Populate expanded asset lookup tables.
2 Pomodoro sessions: Create an enrichment-enhanced search.
Day 10: Data Health Monitoring and Alerting
Learning Objectives:
- Monitor Splunk ingestion health and detect ingestion failures.
Detailed Tasks:
Set up alerts when forwarders stop sending data (e.g., no data from a source in 30 minutes).
Build a dashboard showing forwarder health status.
Document procedures for troubleshooting forwarder issues.
Pomodoro Sessions:
2 Pomodoro sessions: Create forwarder heartbeat searches.
2 Pomodoro sessions: Build dashboard visualizations (pie charts, bar charts).
2 Pomodoro sessions: Write a troubleshooting checklist.
Day 11: Data Aging and Storage Optimization
Learning Objectives:
- Learn how to optimize data storage to balance performance, cost, and compliance.
Detailed Tasks:
Configure warm, cold, frozen bucket policies for existing indexes.
Study and simulate the use of Summary Indexing for event aggregation.
Set a frozen script (e.g., archive old data to external storage).
Pomodoro Sessions:
2 Pomodoro sessions: Configure bucket aging settings.
2 Pomodoro sessions: Create a basic summary indexing report.
2 Pomodoro sessions: Study frozen bucket archival methods.
Day 12: Data Security Enhancements
Learning Objectives:
- Ensure Splunk deployments meet enterprise-grade security standards.
Detailed Tasks:
Enable audit logging for forwarders and indexers.
Secure the Management Port (port 8089) using certificates.
Enforce stronger access controls on searches (e.g., restrict access to
_auditindex).
Pomodoro Sessions:
2 Pomodoro sessions: Configure audit logging.
2 Pomodoro sessions: Secure management interfaces.
2 Pomodoro sessions: Create search role restrictions.
Day 13: Practical Lab: Full Data Pipeline Setup
Learning Objectives:
- Simulate real-world data engineering tasks from ingestion to secured search.
Detailed Tasks:
Ingest a new sample dataset (e.g., Apache web server logs).
Normalize the data (field extraction + CIM mapping).
Create a saved search that correlates IP activity with threat intelligence.
Document the pipeline from source → ingestion → normalization → detection.
Pomodoro Sessions:
2 Pomodoro sessions: Data onboarding.
2 Pomodoro sessions: Field extraction and normalization.
2 Pomodoro sessions: Detection search creation and documentation.
Day 14: Transition to Detection Engineering Basics
Learning Objectives:
- Prepare mindset and skills for entering detection-focused learning (starting Week 3).
Detailed Tasks:
Study basic principles of Detection Engineering:
What is a correlation search?
What is a notable event?
How do we prioritize alerts?
Write your own examples of:
A good quality alert.
A poor quality alert (and why it’s bad).
List 5 real-world use cases you want to detect using Splunk (e.g., brute-force attacks, ransomware activity).
Pomodoro Sessions:
2 Pomodoro sessions: Study detection basics.
2 Pomodoro sessions: Write alert quality examples.
2 Pomodoro sessions: Create personal detection use-case list.
Week 2 Ebbinghaus Forgetting Curve Review Plan:
Quick 10–15 minute review of Day 8 topics on Day 9.
Quick review of Day 9 topics on Day 10, and so on.
Full Week 1 + Week 2 review on Sunday evening:
- Draw mind maps, revisit any unclear points.
SPLK-5002 Detailed Study Plan — Week 3
Weekly Goal:
Begin mastering Detection Engineering.
Learn how to perform threat modeling, design high-quality correlation searches, and optimize Splunk detections.
Focus on the fundamentals of identifying attacker behavior and building efficient detection logic.
Use the Pomodoro Technique (6 sessions/day).
Apply the Ebbinghaus Forgetting Curve for structured revision.
Day 15: Introduction to Threat Modeling with MITRE ATT&CK
Learning Objectives:
Understand how attackers operate by studying MITRE ATT&CK.
Start thinking like an attacker to anticipate behaviors.
Detailed Tasks:
Study the MITRE ATT&CK Framework basics: Tactics, Techniques, and Procedures (TTPs).
Choose 1 Tactic (e.g., Credential Access) and list 5 associated Techniques.
Identify which Techniques are most relevant to your organization (or a sample environment).
Sketch a simple attack path diagram linking multiple Techniques.
Pomodoro Sessions:
2 Pomodoro sessions: ATT&CK Framework theory study.
2 Pomodoro sessions: Mapping techniques to data sources.
2 Pomodoro sessions: Drawing attack path diagrams.
Day 16: Basics of Writing Splunk Correlation Searches
Learning Objectives:
Learn what makes a good correlation search.
Write your first basic SPL detection search.
Detailed Tasks:
Study how Splunk searches work: base searches vs tstats searches.
Write a basic detection SPL to identify multiple failed login attempts from the same IP within 10 minutes.
Save the search as a Correlation Search in Enterprise Security (or as a Saved Search if ES is unavailable).
Pomodoro Sessions:
2 Pomodoro sessions: Review SPL basics and correlation search settings.
2 Pomodoro sessions: Write and save a basic detection.
2 Pomodoro sessions: Test the search with simulated events.
Day 17: Improving Correlation Search Performance
Learning Objectives:
- Understand search optimization techniques to make detections faster and lighter on resources.
Detailed Tasks:
Learn how to use
tstatsfor accelerated searching (study Splunk docs).Rebuild the failed login detection from Day 16 using
tstatsinstead of raw search.Measure and compare search execution time between the raw search and
tstatsoptimized search.
Pomodoro Sessions:
2 Pomodoro sessions:
tstatssyntax and examples study.2 Pomodoro sessions: Rewrite correlation searches using
tstats.2 Pomodoro sessions: Test and time both search methods.
Day 18: Reducing False Positives in Detection Engineering
Learning Objectives:
- Learn how to minimize unnecessary or irrelevant alerts.
Detailed Tasks:
Study methods to reduce false positives:
Threshold tuning
Context enrichment (e.g., trusted IPs, known safe accounts)
Time-based filtering (e.g., non-business hours)
Create a trusted IP lookup table.
Update an existing correlation search to exclude activities from trusted IPs.
Pomodoro Sessions:
2 Pomodoro sessions: False positive reduction theory study.
2 Pomodoro sessions: Create trusted context lookups.
2 Pomodoro sessions: Apply context filters to a detection rule.
Day 19: Threat Coverage Mapping
Learning Objectives:
- Link detection logic to specific attacker techniques using MITRE ATT&CK.
Detailed Tasks:
Create a Threat Coverage Matrix:
- Map each current correlation search to an ATT&CK Technique ID.
Identify gaps: Which Techniques are not currently covered?
Write a plan suggesting at least 3 new detections needed to fill these gaps.
Pomodoro Sessions:
2 Pomodoro sessions: Create and populate threat coverage matrix.
2 Pomodoro sessions: Analyze gaps and missing coverage areas.
2 Pomodoro sessions: Draft new detection ideas.
Day 20: Testing and Validating Detection Effectiveness
Learning Objectives:
- Learn how to simulate attacks and verify detection accuracy.
Detailed Tasks:
Study basic adversary simulation frameworks (e.g., Atomic Red Team).
Choose a simple attack simulation (e.g., Mimikatz password dumping).
Execute the simulation safely in a controlled lab.
Check if your Splunk detections trigger correctly.
Pomodoro Sessions:
2 Pomodoro sessions: Simulation frameworks study.
2 Pomodoro sessions: Set up and execute simple simulation.
2 Pomodoro sessions: Validate detection results.
Day 21: Building Detection Metrics Dashboards
Learning Objectives:
- Track and improve the performance of your detections.
Detailed Tasks:
Build a basic Detection Metrics Dashboard in Splunk:
Number of alerts triggered (daily, weekly)
Alert breakdown by detection rule
False Positive Rate estimates
Set up basic visualizations: pie charts, bar charts, time series trends.
Pomodoro Sessions:
2 Pomodoro sessions: Dashboard design and layout planning.
2 Pomodoro sessions: Building search panels for metrics.
2 Pomodoro sessions: Creating visualizations and alerts.
Week 3 Ebbinghaus Forgetting Curve Review Plan:
Review Day 15 topics on Day 16 (flashcards + self-quiz).
Review Day 16–18 topics on Day 19 with small practice exercises.
Full revision of all Week 3 detection topics on Day 21 evening (knowledge mind-map + practice).
SPLK-5002 Detailed Study Plan — Week 4
Weekly Goal:
Advance Detection Engineering skills to a professional level.
Learn to build modular searches, map complete attack scenarios, validate detections through simulation, and manage detection content systematically.
Use the Pomodoro Technique (6 sessions/day).
Apply the Ebbinghaus Forgetting Curve to reinforce memory at scheduled intervals.
Day 22: Writing Modular, Reusable Detection Searches
Learning Objectives:
- Build small, efficient, modular SPL components that can be reused across many correlation searches.
Detailed Tasks:
Study modular search best practices (short, specific, reusable searches).
Break down an existing detection into smaller sub-searches (e.g., login failures, successful logins, IP lookups).
Save modular sub-searches as macros or saved searches in Splunk.
Pomodoro Sessions:
2 Pomodoro sessions: Study modular search theory.
2 Pomodoro sessions: Practice breaking detections into modules.
2 Pomodoro sessions: Save and reuse sub-searches.
Day 23: Building Use-Case Driven Detections
Learning Objectives:
- Build detections based on real-world security use cases (not just theoretical attacks).
Detailed Tasks:
Choose 2 real-world attack scenarios (e.g., phishing leading to credential theft, lateral movement using stolen credentials).
Write end-to-end detection logic for each scenario:
Initial activity (e.g., email click)
Exploitation (e.g., abnormal authentication)
Post-exploitation behavior (e.g., file access, process creation)
Chain searches where necessary using transaction or append commands.
Pomodoro Sessions:
2 Pomodoro sessions: Select use-cases and design detection flow.
2 Pomodoro sessions: Write detection SPLs.
2 Pomodoro sessions: Test and refine logic.
Day 24: Tuning Detections Based on Environment
Learning Objectives:
- Customize detection thresholds and filters to match normal behavior of your environment.
Detailed Tasks:
Study environment tuning techniques:
Whitelisting known behavior
Adjusting thresholds (e.g., failed logins >5 becomes >10 if normal)
Business hours awareness
Review your correlation searches from previous days.
Tune at least 2 detections based on assumed or simulated environment baselines.
Pomodoro Sessions:
2 Pomodoro sessions: Study tuning strategies.
2 Pomodoro sessions: Apply tuning to searches.
2 Pomodoro sessions: Validate tuned detections with testing.
Day 25: Implementing Risk-Based Alerting (RBA) Basics
Learning Objectives:
- Enhance detections with risk scoring rather than binary alerts.
Detailed Tasks:
Study the concept of Risk-Based Alerting (RBA):
- Assign risk scores to behaviors instead of direct alerts.
Create risk notables instead of classic notables:
Example: Unusual login = +20 points
Unusual file access = +30 points
Total risk >50 triggers an alert
Configure a small risk incident rule in Splunk ES or simulate manually.
Pomodoro Sessions:
2 Pomodoro sessions: Study RBA concepts.
2 Pomodoro sessions: Create a basic risk scoring table.
2 Pomodoro sessions: Implement a simple risk-based detection.
Day 26: Validation of Complex Detections
Learning Objectives:
- Test complex detections involving multiple conditions or longer time windows.
Detailed Tasks:
Simulate multi-stage attacks using Atomic Red Team or manual event generation.
Validate that your modular searches, use-case-driven detections, and RBA all trigger appropriately.
Adjust detection logic if false positives or misses are observed.
Pomodoro Sessions:
2 Pomodoro sessions: Set up complex attack simulations.
2 Pomodoro sessions: Validate detection triggers.
2 Pomodoro sessions: Debug and improve detection SPL.
Day 27: Version Control for Detection Content
Learning Objectives:
- Learn how to systematically manage and version your detection searches.
Detailed Tasks:
Study best practices for content management:
Naming conventions
Version numbers
Change logs
Set up a local Git repository (or folder system) to track detection changes.
Document metadata for each detection (purpose, fields used, risk score, last update).
Pomodoro Sessions:
2 Pomodoro sessions: Study content management practices.
2 Pomodoro sessions: Build your own detection repository.
2 Pomodoro sessions: Document at least 5 detection rules properly.
Day 28: Review and Practical Lab: Build a Full Detection Suite
Learning Objectives:
- Apply all detection engineering skills learned so far into a mini-project.
Detailed Tasks:
Choose a complete attacker scenario (e.g., phishing → credential theft → internal reconnaissance).
Build at least 5 correlation searches to detect various stages of the attack.
Document:
Data sources required
Detection SPL
Thresholds and tuning
Risk scoring approach
Summarize results in a report or dashboard.
Pomodoro Sessions:
2 Pomodoro sessions: Attack scenario planning.
2 Pomodoro sessions: Writing and testing detections.
2 Pomodoro sessions: Reporting and dashboard creation.
Week 4 Ebbinghaus Forgetting Curve Review Plan:
Review Day 22–23 topics on Day 24.
Review Day 24–25 topics on Day 26.
Full review of Week 4 topics on Day 28 evening (mind-mapping + error correction).
SPLK-5002 Detailed Study Plan — Week 5
Weekly Goal:
Master building effective security operations processes and programs.
Learn how to structure incident response, create actionable playbooks, set up security KPIs, and align operations with GRC (Governance, Risk, and Compliance) frameworks.
Use the Pomodoro Technique (6 sessions/day).
Follow the Ebbinghaus Forgetting Curve for reviewing key knowledge areas.
Day 29: Designing Incident Detection and Triage Processes
Learning Objectives:
- Build strong, scalable processes for early threat detection and alert triage.
Detailed Tasks:
Study key phases: Detection → Validation → Triage → Escalation or Closure.
Define criteria for what qualifies as a “security incident” vs. an "event".
Create a flowchart for incident triage steps.
Assign hypothetical roles (e.g., Analyst 1 validates, Analyst 2 escalates).
Pomodoro Sessions:
2 Pomodoro sessions: Study and diagram triage workflow.
2 Pomodoro sessions: Define incident criteria checklist.
2 Pomodoro sessions: Role assignment and simulation.
Day 30: Building the Incident Response (IR) Process
Learning Objectives:
- Build a formal process to handle incidents from containment to recovery.
Detailed Tasks:
Study the IR Lifecycle: Containment → Investigation → Eradication → Recovery → Lessons Learned.
Write a Response Plan Template that includes:
Roles and responsibilities (e.g., IR Lead, Communication Lead, Forensics).
Timeframes for actions.
Simulate a sample ransomware incident response timeline.
Pomodoro Sessions:
2 Pomodoro sessions: IR lifecycle study.
2 Pomodoro sessions: Response plan writing.
2 Pomodoro sessions: Incident simulation practice.
Day 31: Developing Playbooks and SOPs
Learning Objectives:
- Create detailed playbooks and SOPs (Standard Operating Procedures) for daily security activities.
Detailed Tasks:
Study the structure of an effective Playbook:
- Trigger → Data Collection → Decision Points → Actions → Escalation.
Write a full Playbook for detecting and responding to phishing attacks.
Write a second, simpler daily SOP for log review or asset health monitoring.
Pomodoro Sessions:
2 Pomodoro sessions: Playbook structure study.
2 Pomodoro sessions: Phishing Playbook writing.
2 Pomodoro sessions: Daily SOP writing.
Day 32: Designing a Metrics-Driven Security Program
Learning Objectives:
- Measure security program effectiveness using KPIs and KRIs.
Detailed Tasks:
Define important KPIs:
Time to Detect (TTD)
Time to Contain (TTC)
Time to Remediate (TTR)
False Positive Rate (FPR)
Build a simple metrics tracking dashboard in Splunk showing:
Incident volumes
Average response times
Unresolved incidents by severity
Pomodoro Sessions:
2 Pomodoro sessions: Study KPIs/KRIs theory.
2 Pomodoro sessions: KPI definition workshop.
2 Pomodoro sessions: Build dashboard panels.
Day 33: Understanding Governance, Risk, and Compliance (GRC) Alignment
Learning Objectives:
- Align security operations with compliance standards like GDPR, PCI-DSS, HIPAA, and NIST CSF.
Detailed Tasks:
Map key detections and response activities to specific compliance requirements.
Create a GRC Control Map linking Splunk detection/searches to:
GDPR Articles (e.g., Article 32 - Security of Processing)
PCI-DSS Requirements (e.g., 10.2 - Audit Trails)
Identify gaps in compliance coverage.
Pomodoro Sessions:
2 Pomodoro sessions: Study major compliance frameworks.
2 Pomodoro sessions: Build mapping tables.
2 Pomodoro sessions: Gap analysis workshop.
Day 34: Security Awareness Training and Tabletop Exercises
Learning Objectives:
- Prepare teams for real-world incidents and improve security culture.
Detailed Tasks:
Create a basic Security Awareness Training Plan for employees:
- Topics like phishing, password management, insider threat recognition.
Design a Tabletop Exercise for simulating a security incident:
- E.g., Data exfiltration event involving insider activity.
List roles to participate in the exercise (executives, IR team, communications).
Pomodoro Sessions:
2 Pomodoro sessions: Build training content outline.
2 Pomodoro sessions: Design tabletop exercise scenario.
2 Pomodoro sessions: Participant role definition.
Day 35: Continuous Improvement: Post-Incident Reviews
Learning Objectives:
- Implement continuous improvement practices through Lessons Learned and incident analysis.
Detailed Tasks:
Study how to conduct a Post-Incident Review (PIR).
Write a Post-Incident Review Template including:
Incident summary
Timeline
What worked well
What failed
Improvement Actions
Review a sample incident and simulate filling out the PIR Template.
Pomodoro Sessions:
2 Pomodoro sessions: Study PIR best practices.
2 Pomodoro sessions: Write PIR template.
2 Pomodoro sessions: Practice PIR completion with a sample case.
Week 5 Ebbinghaus Forgetting Curve Review Plan:
Review Day 29–30 topics on Day 31.
Review Day 31–32 topics on Day 33.
Final comprehensive review of the whole week on Day 35 evening.
SPLK-5002 Detailed Study Plan — Week 6
Weekly Goal:
Master cybersecurity automation and efficiency concepts.
Learn to identify automation opportunities, design SOAR playbooks, implement Human-in-the-Loop controls, and measure the success of automation strategies.
Use the Pomodoro Technique (6 sessions/day).
Follow the Ebbinghaus Forgetting Curve for structured reinforcement.
Day 36: Identifying Automation Opportunities in the SOC
Learning Objectives:
- Recognize the best candidates for security automation.
Detailed Tasks:
Study typical Tier 1 SOC tasks ideal for automation (e.g., phishing triage, malware enrichment).
Create a table:
- Task | Automation Type | Risk Level | Priority
Identify at least 10 tasks suitable for automation and classify them based on risk and value.
Pomodoro Sessions:
2 Pomodoro sessions: Learn common automation use-cases.
2 Pomodoro sessions: Build the task evaluation table.
2 Pomodoro sessions: Prioritize automation opportunities.
Day 37: Building Basic Splunk SOAR Playbooks
Learning Objectives:
- Learn how to design and implement basic automation workflows in Splunk SOAR.
Detailed Tasks:
Study the Splunk SOAR Visual Playbook Editor interface.
Create a simple Enrichment Playbook:
Trigger: New suspicious IP.
Actions: Lookup IP reputation, enrich with geolocation info.
End: Generate a case with enrichment results.
Pomodoro Sessions:
2 Pomodoro sessions: Study Playbook building blocks.
2 Pomodoro sessions: Design the enrichment flow.
2 Pomodoro sessions: Build and test the playbook.
Day 38: Designing Human-in-the-Loop Automation Workflows
Learning Objectives:
- Build workflows that require human validation at critical steps.
Detailed Tasks:
Study the concept of Human-in-the-Loop (HitL) automation:
When is human approval necessary?
How to build approval nodes in playbooks?
Modify the Day 37 Playbook:
- Add an Approval Step before taking any remediation actions (e.g., isolating an endpoint).
Pomodoro Sessions:
2 Pomodoro sessions: Study HitL theory.
2 Pomodoro sessions: Integrate approval points into the Playbook.
2 Pomodoro sessions: Test different approval/rejection flows.
Day 39: Advanced Automation: Response Playbooks
Learning Objectives:
- Build more complex automation beyond enrichment.
Detailed Tasks:
Create a Phishing Email Response Playbook:
Trigger: Email reported by user.
Actions:
Extract URLs.
Enrich URLs with threat intelligence.
If URL is malicious, block domain on firewall and disable user account (after approval).
Simulate the triggering of this playbook.
Pomodoro Sessions:
2 Pomodoro sessions: Design playbook logic and flowchart.
2 Pomodoro sessions: Build Playbook inside SOAR.
2 Pomodoro sessions: Simulate triggering and validate actions.
Day 40: Measuring Automation Success
Learning Objectives:
- Learn how to evaluate the performance and efficiency of automation.
Detailed Tasks:
Study automation metrics:
Automation Coverage (% of incidents handled automatically).
Time Saved (Reduction in MTTC - Mean Time to Contain).
Error Rate (automation errors vs. manual corrections).
Create a metrics tracking dashboard showing:
Automation success rate.
Top playbooks by number of executions.
Pomodoro Sessions:
2 Pomodoro sessions: Study automation measurement strategies.
2 Pomodoro sessions: Build metrics tracking searches.
2 Pomodoro sessions: Create dashboard visualizations.
Day 41: Scaling and Expanding Automation Programs
Learning Objectives:
- Plan for sustainable automation growth in the security environment.
Detailed Tasks:
Design a 6-Month Automation Expansion Plan:
Phase 1: Automate low-risk, repetitive tasks.
Phase 2: Add medium-risk processes with Human-in-the-Loop.
Phase 3: Expand to high-value/critical incident automation.
Document required:
Tool improvements
Staff training needs
New Playbook priorities
Pomodoro Sessions:
2 Pomodoro sessions: Study scaling strategies.
2 Pomodoro sessions: Write the 6-Month Automation Plan.
2 Pomodoro sessions: Peer review or self-critique the plan.
Day 42: Automation Consolidation: End-to-End Practical Lab
Learning Objectives:
- Apply all automation knowledge in a practical mini-project.
Detailed Tasks:
Choose a full attack scenario:
- Example: External phishing email → compromised account → privilege escalation.
Build an End-to-End Playbook:
- Detect → Enrich → Approve → Respond → Confirm.
Write a full technical report documenting:
Playbook steps
Decision points
Metrics for success
Pomodoro Sessions:
2 Pomodoro sessions: Playbook architecture design.
2 Pomodoro sessions: Playbook building and deployment.
2 Pomodoro sessions: Report writing and presentation.
Week 6 Ebbinghaus Forgetting Curve Review Plan:
Review Day 36–37 on Day 38.
Review Day 38–39 topics on Day 40.
Full review of Week 6 on Day 42 evening with flashcards and practical testing.
SPLK-5002 Detailed Study Plan — Week 7
Weekly Goal:
Master Auditing and Reporting on Security Programs.
Learn to audit Splunk activities, build effective dashboards and reports, automate compliance reporting, and perform security trend analysis.
Use the Pomodoro Technique (6 sessions/day).
Apply the Ebbinghaus Forgetting Curve for regular knowledge reinforcement.
Day 43: Auditing Security Controls and Operations
Learning Objectives:
- Understand auditing fundamentals and how Splunk captures audit data.
Detailed Tasks:
Study Splunk’s built-in
_auditindex.Identify:
Who logged into Splunk?
What searches were performed?
What configurations were changed?
Create a Saved Search listing admin logins and suspicious activities (e.g., failed logins).
Pomodoro Sessions:
2 Pomodoro sessions: Study Splunk audit mechanisms.
2 Pomodoro sessions: Build audit searches.
2 Pomodoro sessions: Save and schedule simple audit reports.
Day 44: Auditing Access Controls and Privilege Changes
Learning Objectives:
- Audit user behavior related to sensitive data access and privilege escalation.
Detailed Tasks:
Create a Splunk search that monitors:
Role changes
Elevated permissions granted
Build a dashboard panel showing:
- Top 10 users with the most privilege escalations.
Set an alert for unexpected admin role assignments.
Pomodoro Sessions:
2 Pomodoro sessions: Study access control audit strategies.
2 Pomodoro sessions: Write monitoring searches.
2 Pomodoro sessions: Dashboard and alert configuration.
Day 45: Auditing Detection and Response Workflows
Learning Objectives:
- Track how efficiently and completely incidents are handled.
Detailed Tasks:
Review Incident Response timelines in Splunk ES or simulate in Splunk Core.
Build a Saved Search showing:
How many Notable Events were reviewed
How many were escalated, closed, or missed
Create a basic Incident Response Metrics Dashboard.
Pomodoro Sessions:
2 Pomodoro sessions: Understand incident workflow audits.
2 Pomodoro sessions: Build response tracking searches.
2 Pomodoro sessions: Create dashboard visualizations.
Day 46: Compliance Auditing with Splunk
Learning Objectives:
- Ensure Splunk data and activities align with regulatory requirements (e.g., PCI-DSS, GDPR).
Detailed Tasks:
Study mapping detection activities to compliance controls.
Build a Compliance Monitoring Dashboard:
Login monitoring (PCI-DSS Requirement 10)
Data access monitoring (GDPR Article 32)
Create scheduled compliance audit reports (weekly or monthly).
Pomodoro Sessions:
2 Pomodoro sessions: Study compliance mapping theory.
2 Pomodoro sessions: Create compliance dashboard panels.
2 Pomodoro sessions: Schedule automated compliance reports.
Day 47: Building Real-Time Management and Technical Dashboards
Learning Objectives:
- Create dashboards for different audiences: executives vs technical teams.
Detailed Tasks:
Build two dashboards:
Management Dashboard (high-level summaries):
Number of incidents
Top threats
Compliance status overview
Technical Dashboard (deep technical insights):
Detailed incident types
False positive rates
Detection performance metrics
Use bar charts, pie charts, trend lines for visualization.
Pomodoro Sessions:
2 Pomodoro sessions: Management dashboard design.
2 Pomodoro sessions: Technical dashboard design.
2 Pomodoro sessions: Visualization and refinement.
Day 48: Scheduled Reporting and Alerting
Learning Objectives:
- Automate regular reporting processes to save analyst time.
Detailed Tasks:
Create a Scheduled Report:
Weekly Notable Events Summary.
Daily Failed Login Report.
Set up automatic email delivery of reports to appropriate recipients.
Configure access controls to restrict who can view sensitive reports.
Pomodoro Sessions:
2 Pomodoro sessions: Build scheduled reports.
2 Pomodoro sessions: Set up email and alert settings.
2 Pomodoro sessions: Configure report access controls.
Day 49: Trend Analysis and Root Cause Analysis Reporting
Learning Objectives:
- Identify trends in incidents and analyze root causes for major security events.
Detailed Tasks:
Build a 30-Day Incident Trend Dashboard:
Number of incidents per day
Most frequent types
Seasonal patterns
Perform a Root Cause Analysis (RCA):
Select a past incident (simulated if needed).
Document:
What happened?
Why it happened?
How it was detected?
How to improve future detection.
Pomodoro Sessions:
2 Pomodoro sessions: Build trend dashboards.
2 Pomodoro sessions: RCA writing and analysis.
2 Pomodoro sessions: Consolidate RCA into executive format.
Week 7 Ebbinghaus Forgetting Curve Review Plan:
Review Day 43–44 topics on Day 45.
Review Day 45–46 topics on Day 47.
Full review of all Week 7 topics on Day 49 evening (dashboard demos + quick quiz).
SPLK-5002 Detailed Study Plan — Week 8
Weekly Goal:
Consolidate all knowledge and simulate the real SPLK-5002 exam environment.
Identify weak areas, fix knowledge gaps, practice time management, and finalize readiness for the certification exam.
Use the Pomodoro Technique (6 sessions/day).
Apply the Ebbinghaus Forgetting Curve to review key topics intensively.
Day 50: Comprehensive Review — Data Engineering
Learning Objectives:
- Refresh all concepts and skills related to data ingestion, normalization, enrichment, and protection.
Detailed Tasks:
Summarize:
Data sources and collection methods (UF, HF, HEC, Syslog)
CIM Mapping and Field Extraction
Asset and Threat Intelligence enrichment
Indexing and Data Security
Redo 2–3 mini-labs:
Field extraction practice.
Threat intelligence correlation.
Quiz yourself with 30 flashcards focused on Data Engineering.
Pomodoro Sessions:
2 Pomodoro sessions: Theory review.
2 Pomodoro sessions: Lab refresh.
2 Pomodoro sessions: Flashcard quiz.
Day 51: Comprehensive Review — Detection Engineering
Learning Objectives:
- Revisit threat modeling, correlation search building, optimization, tuning, and testing.
Detailed Tasks:
Summarize:
MITRE ATT&CK threat modeling.
Writing correlation searches (basic +
tstatsoptimized).Reducing false positives (contextual filters, risk scoring).
Redo 2–3 detection SPLs:
Basic attack detection.
Advanced multi-stage detection with risk scoring.
Take a mini-mock test (10–15 questions) on Detection Engineering.
Pomodoro Sessions:
2 Pomodoro sessions: Theory review.
2 Pomodoro sessions: SPL writing practice.
2 Pomodoro sessions: Practice test and corrections.
Day 52: Comprehensive Review — Security Processes and Programs
Learning Objectives:
- Master incident workflows, playbooks, SOPs, KPIs, and GRC alignment.
Detailed Tasks:
Summarize:
Incident triage and IR lifecycle.
Playbook structure and examples.
Key KPIs: TTD, TTC, TTR.
Mapping activities to compliance (GDPR, PCI-DSS).
Redo 1 IR flowchart and 1 playbook writing exercise.
Quiz yourself on security process concepts.
Pomodoro Sessions:
2 Pomodoro sessions: Concept summary.
2 Pomodoro sessions: Practical exercises.
2 Pomodoro sessions: Flashcard review.
Day 53: Comprehensive Review — Automation and Efficiency
Learning Objectives:
- Confirm strong knowledge of automation opportunities, SOAR playbooks, and Human-in-the-Loop practices.
Detailed Tasks:
Summarize:
Automation identification matrix.
Basic and advanced SOAR playbooks (Enrichment, Response).
Human-in-the-Loop decision nodes.
Measuring automation success.
Rebuild 1 mini-playbook from scratch in SOAR (simulated if needed).
Review the 6-month scaling plan you wrote earlier.
Pomodoro Sessions:
2 Pomodoro sessions: Theory summary.
2 Pomodoro sessions: Playbook reconstruction.
2 Pomodoro sessions: Metrics and scaling strategy review.
Day 54: Comprehensive Review — Auditing and Reporting
Learning Objectives:
- Solidify knowledge of security auditing, compliance reporting, dashboards, and RCA reporting.
Detailed Tasks:
Summarize:
Splunk
_auditindex monitoring.Access Control and Privilege Audit strategies.
Compliance dashboarding (PCI-DSS, GDPR).
Root Cause Analysis (RCA) process.
Redo a compliance monitoring dashboard.
Write a quick RCA report for a simulated incident.
Pomodoro Sessions:
2 Pomodoro sessions: Topic summary.
2 Pomodoro sessions: Dashboard rebuilding.
2 Pomodoro sessions: RCA writing practice.
Day 55: Full Mock Exam 1 + Review
Learning Objectives:
- Simulate the SPLK-5002 exam under real conditions (timing, environment, pressure).
Detailed Tasks:
Take a full-length Mock Exam #1 (approximately 100–120 questions).
Time yourself strictly (e.g., 120 minutes).
After the exam:
Review all incorrect answers immediately.
Write explanations for wrong answers (Why was it wrong? What should be corrected?).
Focus especially on pattern errors (repeated mistakes across topics).
Pomodoro Sessions:
4 Pomodoro sessions: Full mock exam.
2 Pomodoro sessions: Mistake review and correction writing.
Day 56: Full Mock Exam 2 + Final Weakness Review
Learning Objectives:
- Confirm final readiness by retaking another full simulation and reviewing improvement.
Detailed Tasks:
Take Full Mock Exam #2 (new questions or shuffled ones).
Time and simulate the real exam setting exactly.
Review errors.
Create a Final Study Sheet (1–2 pages) of:
Key facts.
Formulas (e.g., MTTC, MTTD calculation examples).
Detection patterns.
Light, positive mental preparation (no cramming).
Pomodoro Sessions:
4 Pomodoro sessions: Mock exam.
2 Pomodoro sessions: Final note consolidation.
Week 8 Ebbinghaus Forgetting Curve Review Plan:
Quick 10-minute flash reviews before each day starts.
Full 1-hour review of all critical concepts after each mock exam.