Here's a comprehensive, structured, and scientifically grounded study plan to help you prepare for the SPLK-3001 (Splunk Enterprise Security Certified Admin) exam, using:

1. Clear learning goals

2. A structured weekly plan based on the Pomodoro Technique

3. Spaced repetition inspired by Ebbinghaus’ Forgetting Curve

4. Content priority based on the 12 core knowledge domains

Study Goal: SPLK-3001 Certification

• Objective: Pass the SPLK-3001 exam with high confidence and deep understanding of Splunk ES core modules.

• Study Duration: 6 weeks (with review and mock testing in week 7)

Week 1 Study Plan: ES Introduction and Monitoring & Investigation

Primary Weekly Objective:
Build foundational knowledge of Splunk Enterprise Security by understanding its architecture, purpose as a SIEM, and how analysts use dashboards and workflows to monitor and investigate security events.

Knowledge Domains Covered:

• Domain 1: ES Introduction

• Domain 2: Monitoring and Investigation

Learning Methods Used:

• Pomodoro Technique (4 focused blocks/day)

• Spaced Repetition Reviews on Days 2, 4, and 7

• Daily layering: theory → hands-on → reflection → review

Day 1 – Monday

Learning Focus: Introduction to Splunk ES and its core SIEM capabilities

Pomodoro 1: Read and Take Notes

• Read official Splunk documentation on "What is Splunk Enterprise Security" and “How ES Extends Splunk Core.”

• Create notes on core concepts: Security Posture Dashboard, Notable Events, Incident Review, Risk Scores.

Pomodoro 2: Diagram the ES Architecture

• Sketch a visual layout (paper or tool) showing how components interact: forwarders, indexers, search heads, and ES dashboards.

• Label key components like correlation searches, data models, and dashboards.

Pomodoro 3: Concept Mapping Exercise

• Use your notes to create a mind map that connects terms like CIM, Notable Event, Risk Score, and Correlation Search.

• Try explaining it aloud as if teaching someone else.

Pomodoro 4: Flashcard Creation (Review Prep)

• Create 10–12 flashcards on major terms (Notable Event, Drilldown, Triage, CIM, Security Posture).

• Quiz yourself and note down the 3 hardest-to-remember terms.

Day 2 – Tuesday

Learning Focus: Deep dive into Monitoring and the Incident Review process

Pomodoro 1: Lab Navigation – Incident Review

• Log into a test Splunk ES instance.

• Practice sorting, filtering, and changing status of events in the Incident Review Dashboard.

• Note differences between urgency, severity, and risk.

Pomodoro 2: Drilldown to Raw Events

• Click into 3 Notable Events and trace them to raw logs.

• Identify which correlation search triggered the event.

• Record: What happened, who was involved, and what field values were used.

Pomodoro 3: Spaced Review – Flashcards Round 1

• Review Monday's flashcards.

• Rewrite or expand explanations for the 3 hardest cards.

• Answer: What is the full workflow from data ingestion to a Notable alert?

Pomodoro 4 (Optional): SOP Practice

• Write a step-by-step analyst guide:
  "How to investigate a Notable Event using Incident Review and raw log drilldown."

Day 3 – Wednesday

Learning Focus: Using Event Timelines and basic SPL commands for investigations

Pomodoro 1: Timeline Exploration

• Use the Timeline view in the Incident Review interface.

• Reconstruct the sequence of events involving one IP address or one user.

• Note how multiple systems can contribute to an investigation (e.g., authentication + firewall logs).

Pomodoro 2: SPL Drill – Using | tstats and | datamodel

• Write and execute sample searches like:
  | datamodel Authentication Authentication search | stats count by user, src

• Record what each command does and how it improves search speed and accuracy.

Pomodoro 3: Compare Notable Events by Type

• Choose 3 Notable Events of different categories (e.g., Access, Malware, Audit).

• Compare metadata fields: event type, tags, urgency, source.

• Analyze what context made each event “notable.”

Day 4 – Thursday

Learning Focus: Contextual tagging, classification, and investigative reasoning

Pomodoro 1: Tags and Event Types Study

• Read how Splunk uses event types and tags to route data into data models.

• In lab, search: eventtype=* and list eventtypes applied to authentication logs.

Pomodoro 2: Classify Events by Context

• Identify 2 events with similar symptoms but different urgency levels.

• Explain how tagging or asset context could change investigation priority.

Pomodoro 3: Spaced Review – Flashcards Round 2

• Review all cards again.

• Cover definitions and applications (e.g., When does drilldown matter most?).

Pomodoro 4 (Optional): Knowledge Check

• Take a short self-quiz (5–7 questions).

• Check understanding of: Security Posture, Notable Events, Event Timeline.

Day 5 – Friday

Learning Focus: Hands-on walkthroughs and weekly consolidation

Pomodoro 1: Simulate Full Workflow

• Start with Security Posture.

• Select a high-risk Notable Event.

• Drill into details, check raw logs, and determine if escalation is needed.

• Assign status and enter analyst notes.

Pomodoro 2: Manual SOP Writing

• Document the full investigation flow using your simulated case:

  • What fields mattered most?

  • Was any data missing?

  • How was the urgency justified?

Pomodoro 3: Weekly Summary Sheet

• Create a one-page summary of everything learned this week.

• Include top terms, workflows, common dashboards, and search commands.

Day 6 – Saturday (Review Day)

• Review all flashcards.

• Reread summaries from Day 1 and 5.

• Revisit 2 challenging events from earlier in the week.

• Answer the question: “What is the complete lifecycle of a Notable Event in ES?”

Day 7 – Sunday (Optional or Light Study)

• Watch a video or webinar on Splunk ES overview or threat investigation use cases.

• Update any remaining notes and prepare flashcards for Week 2 topics.

• Rest and reflect on how you’ve learned so far.

Week 2 Study Plan: Security Intelligence and Threat Intelligence Framework

Primary Weekly Objective:
Learn how Splunk Enterprise Security assigns and uses Risk Scores to prioritize threats and how Threat Intelligence Feeds are ingested, stored, and matched to real-time data. Develop the ability to configure Risk Rules, work with IOCs, and interpret enriched events.

Knowledge Domains Covered:

• Domain 3: Security Intelligence

• Domain 12: Threat Intelligence Framework (TIF)

Learning Methods Used:

• Pomodoro Technique: 3–4 focused learning blocks per day

• Spaced Repetition: Reviews on Days 3, 5, and 7

• Layered Learning: Read → Practice → Analyze → Review

Day 1 – Monday

Learning Focus: Introduction to Risk-Based Alerting (RBA) and Risk Rules

Pomodoro 1: Read and Understand RBA Concepts

• Study Splunk documentation on Risk-Based Alerting.

• Learn the difference between immediate alerts and aggregated risk scoring.

• Write a short explanation: “Why use RBA over traditional alerting?”

Pomodoro 2: Map the Risk Scoring Workflow

• Diagram how multiple low-severity events can build up to a high-risk score.

• Identify key variables: event type, risk_modifier, asset priority.

Pomodoro 3: Explore Risk Analysis Dashboard

• Navigate the Risk Analysis view in Splunk ES.

• Examine a user or system with multiple risk events.

• Document how the score is composed and which correlation rules contributed.

Pomodoro 4 (Optional): Flashcard Creation

• Create flashcards for: RBA, Risk Rule, Risk Score, Risk Modifier, Risk Notable.

• Begin self-testing with examples.

Day 2 – Tuesday

Learning Focus: Hands-on configuration and tuning of Risk Rules

Pomodoro 1: Write a Risk Rule in Lab

• Choose a use case (e.g., multiple failed logins).

• Create a correlation search that outputs a risk event, not a Notable.

• Set risk_object, risk_score, and appropriate tags.

Pomodoro 2: Analyze Rule Execution and Risk Growth

• Trigger the rule via simulated data.

• Check the Risk Analysis dashboard to see if the rule contributes to cumulative risk.

• Adjust risk score and observe the difference in urgency.

Pomodoro 3: Tune Rule Based on Context

• Modify the rule to target only “High priority” assets using the identity lookup.

• Use lookup assets.csv and where priority="high" to refine scope.

Day 3 – Wednesday

Learning Focus: Introduction to the Threat Intelligence Framework (TIF)

Pomodoro 1: Study TIF Architecture and Feed Types

• Understand how IOCs are ingested via TAXII, CSV, and APIs.

• Write down IOC types supported: IP, domain, URL, file hash, email.

Pomodoro 2: Configure a Basic IOC Feed

• Load a sample CSV with threat indicators into threat_intel_by_ip.

• View it via Lookup Editor or KV Store.

• Add threat_type and confidence metadata fields manually.

Pomodoro 3: Spaced Repetition Review – Risk and IOC Concepts

• Review flashcards from Monday.

• Focus on explaining the full journey of an event:
  “From log ingestion to a Risk Notable Event triggered by threat intel.”

Day 4 – Thursday

Learning Focus: IOC matching and threat feed validation

Pomodoro 1: Use Lookups to Detect IOC Matches

• Run a search to compare recent logs with threat_intel_by_ip lookup.

• Example SPL:
  | tstats summariesonly=true count from datamodel=Network_Traffic where All_Traffic.dest_ip=* by All_Traffic.dest_ip | lookup threat_intel_by_ip ip as All_Traffic.dest_ip OUTPUT threat_description

Pomodoro 2: Use Threat Intelligence Manager Dashboard

• Explore feed ingestion status, aging settings, and IOC match summaries.

• Record how many indicators are currently active and what their sources are.

Pomodoro 3: Create a Risk Rule That Incorporates IOC Matches

• Write a correlation search that increases a user’s risk score if they interact with a known malicious IP.

• Set risk_object = user, and join asset identity info to contextualize.

Day 5 – Friday

Learning Focus: Risk rule refinement and IOC enrichment in Notable Events

Pomodoro 1: Add Enrichment Metadata to Risk Events

• Modify a rule to include threat metadata such as confidence, ioc_source, and threat_type.

• Ensure these fields appear in the resulting Notable.

Pomodoro 2: Build a Summary Report of Risk Events

• Create a dashboard panel that lists all current high-risk users with their most recent triggering rule.

• Use | stats and | eventstats to aggregate.

Pomodoro 3: Review Flashcards and Summary Notes

• Reinforce knowledge of feed types, IOC matching, risk scoring, and dashboards.

• Review Monday’s map and Tuesday’s rule script.

Day 6 – Saturday (Review Day)

• Revisit flashcards and redo 5 questions from Week 1.

• Write a one-paragraph answer to the question:
  “How does Splunk ES decide which threats are most important?”

Day 7 – Sunday (Optional or Light Review)

• Watch one Splunk Security Intelligence demo or customer use case video.

• Revisit the Threat Intelligence Manager dashboard and trace 1 IOC match from feed to Notable.

Week 3 Study Plan: Forensics, Glass Tables, and Navigation Control

Primary Weekly Objective:
Learn to investigate incidents by reconstructing timelines, customize executive-level dashboards with Glass Tables, and configure user interface navigation to streamline analyst workflows.

Knowledge Domain Covered:

• Domain 4: Forensics, Glass Tables, and Navigation Control

Learning Methods Used:

• Pomodoro Technique: 3 to 4 focused blocks per day

• Spaced Repetition Reviews: Days 3, 5, and 7

• Hands-on configuration, scenario walkthroughs, summary documentation

Day 1 – Monday

Learning Focus: Event timelines and investigative reconstruction

Pomodoro 1: Understand Forensic Investigation Concepts

• Read about Splunk’s use of event timelines and forensic analysis.

• Learn how events are linked across sources using transaction, stats, and fields.

• Note which event fields (e.g., user, src, dest, time) are critical to constructing an attack timeline.

Pomodoro 2: Build a Timeline from Real Data

• In lab, simulate an attack chain (e.g., brute-force login followed by file access).

• Use SPL to stitch related events into a timeline.

• Tools: transaction command, search filtering by time, and sort.

Pomodoro 3: Write an Investigation Report

• Based on your timeline, write a 5-step narrative:
  “How the attacker moved from access to data exfiltration.”

• Include exact timestamps, system names, and user accounts.

Day 2 – Tuesday

Learning Focus: Glass Tables – visualizing KPIs and threats

Pomodoro 1: Study Glass Table Capabilities and Use Cases

• Learn how Glass Tables visualize risk metrics, Notable Events, and KPIs in real time.

• Read Splunk Docs and watch a demo.

• List scenarios where Glass Tables are used (e.g., executive dashboards, SOC monitoring).

Pomodoro 2: Create a Custom Glass Table in Lab

• Add a network map or business unit map using drag-and-drop.

• Connect a Notable Event count widget to the notable index.

• Add labels showing status such as “All Clear,” “Investigating,” or “Escalated.”

Pomodoro 3: Annotate and Save Your Table

• Add descriptions, thresholds, and tooltips.

• Save your dashboard, share it with a test user role.

• Take screenshots for your personal documentation.

Day 3 – Wednesday

Learning Focus: Timeline review and Glass Table presentation

Pomodoro 1: Spaced Repetition – Timeline and SPL Review

• Revisit Day 1’s timeline work.

• Rewrite one search using tstats or datamodel.

• Practice interpreting event flow from raw logs again.

Pomodoro 2: Peer Simulation – Explain Your Glass Table

• Imagine you are showing your Glass Table to an executive.

• Explain each visual:

  • What it monitors

  • Why it matters

  • What an alert on the screen should trigger in response

Pomodoro 3: Dashboard Performance Optimization

• Study performance considerations:

  • Use of accelerated data models

  • Widget update intervals

  • Dashboard permissions

• Modify your dashboard if needed for better speed and relevance.

Day 4 – Thursday

Learning Focus: Navigation Control and Role-Based UX Customization

Pomodoro 1: Explore Splunk’s Navigation Editor

• Learn how to reorder, hide, or group dashboard links by app or role.

• Use XML or UI to create a new menu layout for the ess_user role.

• Practice adding a custom “Investigations” tab with Incident Review + Timeline views.

Pomodoro 2: Create Role-Specific Navigation Menus

• Assign a new user to a test role (e.g., tier1_analyst).

• Limit their access to:

  • Glass Tables

  • Security Posture

  • Incident Review

• Remove access to advanced tools like Correlation Search Editor.

Pomodoro 3: Write Navigation Workflow Documentation

• Document how users are routed from login → Security Posture → Notable Event → Investigation.

• Create a checklist of permissions and visibility per role.

Day 5 – Friday

Learning Focus: Consolidation and walkthrough practice

Pomodoro 1: Simulate an Analyst Workflow with Custom Navigation

• Log in with a test user role.

• Start with the customized menu.

• Investigate a notable, pivot to logs, record steps, and generate a report.

Pomodoro 2: Review Flashcards and Week Summary Notes

• Recap terms: Glass Table, Timeline View, Navigation XML, Role-Based UI.

• Test yourself with definitions and examples.

Pomodoro 3: Practice Questions and Knowledge Gap Identification

• Take a 10-question practice quiz on this week's content.

• Note which areas caused hesitation or confusion.

Day 6 – Saturday (Review Day)

• Reread your narrative from Day 1 and your Glass Table design notes from Day 2.

• Draw the full flow from “Notable Event Trigger” to “Forensic Report Submission.”

• Use flashcards for a self-test of role and dashboard terminology.

Day 7 – Sunday (Optional or Light Review)

• Watch a real-world Splunk ES dashboard design case study (e.g., customer video).

• Compare your Glass Table to theirs—what’s missing or could be improved?

• Prepare materials and reading for next week: deployment and configuration.

Week 4 Study Plan: ES Deployment and Installation & Configuration

Primary Weekly Objective:
Develop a thorough understanding of how to plan, deploy, and configure Splunk ES in both test and production environments, including installation steps, Data Model Acceleration (DMA), and role-based access control.

Knowledge Domains Covered:

• Domain 5: ES Deployment

• Domain 6: Installation and Configuration

Learning Methods Used:

• Pomodoro Technique: 3 to 4 focused blocks per day

• Spaced Repetition Reviews: Days 2, 5, and 7

• Realistic deployment diagrams, installation labs, and configuration testing

Day 1 – Monday

Learning Focus: Deployment architectures and ES system design

Pomodoro 1: Study ES Deployment Models

• Read the official documentation on single-instance vs. distributed deployments.

• Take notes on the roles of forwarders, indexers, search heads, and deployment servers.

• Write a comparison between test, small production, and enterprise-grade setups.

Pomodoro 2: Draw Architecture Diagrams

• Create two diagrams: one for a single-instance test deployment, one for a distributed production deployment.

• Label all Splunk components, data flow paths, and where ES is installed.

Pomodoro 3: Learn About Search Head Clustering (SHC)

• Read how SHC supports high availability in Splunk ES.

• Identify when SHC is recommended and which ES features are SHC-compatible.

• Write 3 advantages and 3 limitations of SHC in ES environments.

Day 2 – Tuesday

Learning Focus: Installation and dependency management

Pomodoro 1: Prepare for ES Installation

• Read about installation prerequisites: Splunk Core version compatibility, disk I/O, CPU, and RAM requirements.

• Note all required supporting apps: SA-CIM, DA-ESS-Content, SA-ThreatIntelligence.

• Create a checklist for pre-install validation.

Pomodoro 2: Perform Installation in Lab (or Simulated)

• Use a test Splunk instance to simulate the install process using the .spl package.

• Perform post-install checks: confirm dashboards load, supporting apps are present, and menu options appear correctly.

Pomodoro 3: Flashcard Review – Architecture and Installation

• Review terms like indexer, search head, SHC, DMA, SA-CIM, and required indexes.

• Answer the question: “What would break if you installed ES on a shared search head?”

Day 3 – Wednesday

Learning Focus: Configuring Data Model Acceleration (DMA)

Pomodoro 1: Learn the Purpose of DMA

• Read about why ES uses data model acceleration for dashboards and correlation searches.

• Understand the performance impact and disk usage considerations.

Pomodoro 2: Enable DMA for Key Models

• In your Splunk instance, enable DMA for:

  • Authentication

  • Network Traffic

  • Intrusion Detection

• Configure the acceleration period (e.g., 7 days) and monitor summary size.

Pomodoro 3: Monitor DMA and Troubleshoot

• Use Monitoring Console to track acceleration status and summary disk space usage.

• Troubleshoot a model not populating by checking permissions, tags, and data sources.

Day 4 – Thursday

Learning Focus: Configuring roles and permissions in ES

Pomodoro 1: Review Default Roles

• Study the built-in roles: ess_user, ess_analyst, ess_admin.

• Document which capabilities each role includes.

• Compare them to Splunk Core roles like user, admin, power.

Pomodoro 2: Create and Assign Custom Roles

• Create a custom role for Tier 1 analysts with limited access to Correlation Searches.

• Assign it to a test user. Log in and confirm menu access, dashboard visibility, and role restrictions.

Pomodoro 3: Secure the Installation

• Review best practices:

  • Disable unused roles

  • Limit ES admin privileges

  • Use index restrictions (srchIndexesAllowed) to control data access

• Write a brief SOP on new user onboarding for ES access.

Day 5 – Friday

Learning Focus: Validation and system hardening

Pomodoro 1: Conduct a Post-Install Checklist Audit

• Walk through:

  • App presence

  • Index configuration

  • Role permissions

  • DMA status

  • Navigation and menu settings

• Confirm your ES system is fully operational.

Pomodoro 2: Flashcard Review and Fix Knowledge Gaps

• Review flashcards from Days 1–4.

• Rewrite or expand answers for unclear or incorrect items.

• Prepare explanations for: “How does ES use DMA for performance?” and “How to plan for SHC?”

Pomodoro 3: Practice Questions

• Take a 10-question quiz covering architecture, installation steps, DMA, and user roles.

• Write explanations for each answer, especially those you miss or guess.

Day 6 – Saturday (Review Day)

• Use your architecture diagrams and role comparison chart for a recap.

• Run a fresh DMA validation and check if summaries are current.

• Explain to yourself (out loud or written):
  “What are the three most important things to configure right after installing Splunk ES?”

Day 7 – Sunday (Optional or Light Review)

• Revisit a short Splunk ES deployment case study or technical blog post.

• Update your flashcard deck based on quiz results.

• Preview next week’s focus: validating CIM data and building custom add-ons.

Week 5 Study Plan: Data Validation and Custom Add-ons

Primary Weekly Objective:
Learn how to verify that incoming data is CIM-compliant and populating the correct data models in Splunk ES. Gain the ability to build, test, and deploy a custom Technology Add-on using Splunk’s Add-on Builder to handle unsupported data sources.

Knowledge Domains Covered:

• Domain 7: Validating ES Data

• Domain 8: Custom Add-ons

Learning Methods Used:

• Pomodoro Technique: 3 to 4 blocks of study per day

• Spaced Repetition Reviews: Days 3, 5, and 7

• Mix of reading, hands-on validation, field extraction, and lookup configuration

Day 1 – Monday

Learning Focus: Understanding data models and CIM alignment

Pomodoro 1: Read About CIM and Data Model Architecture

• Study Splunk’s Common Information Model (CIM) documentation.

• Learn how CIM acts as a normalization layer to make correlation searches data-agnostic.

• Note the structure of key models: Authentication, Intrusion Detection, and Network Traffic.

Pomodoro 2: Explore the Data Model Audit Dashboard

• Open the Data Model Audit dashboard in Splunk ES.

• Examine the coverage percentage for at least 3 data models.

• Identify any models with low coverage and document possible causes.

Pomodoro 3: List Field Requirements for a Specific Model

• Pick the Authentication model.

• Document all required and optional fields (user, src, dest, action, app).

• Compare those fields to what’s currently extracted from your test log source.

Day 2 – Tuesday

Learning Focus: Hands-on data validation using SPL and dashboards

Pomodoro 1: Run | datamodel and | tstats Searches

• Test whether events are being populated into data models.

• Example:
  | datamodel Authentication Authentication search | stats count by user, src

• Identify missing fields or incorrect values.

Pomodoro 2: Investigate Tagging and Event Types

• Check if events have correct tags (e.g., tag=authentication).

• Use | search tag=authentication and inspect matching sourcetypes.

• Look for misaligned tags or missing field extractions.

Pomodoro 3: Validate a Sample Event Manually

• Copy a raw event into a text file.

• Use the Field Extractor to create or fix field extractions.

• Validate results by checking if the event now populates the right data model.

Day 3 – Wednesday

Learning Focus: Understanding Add-on architecture and planning a custom TA

Pomodoro 1: Learn About Technology Add-ons (TAs)

• Read how TAs are used to format data for Splunk ES.

• Understand the difference between a TA and an App (TAs do not include UI components).

• Make a checklist: inputs, props, transforms, lookups, tags.

Pomodoro 2: Plan a Custom Add-on with Add-on Builder

• Open the Add-on Builder app.

• Choose a simple log source (e.g., syslog, REST API feed).

• Define what fields you want to extract and what data model you want to map to.

Pomodoro 3: Spaced Review – CIM and Field Mapping Flashcards

• Review key field names and tags for Authentication, Intrusion Detection, and Malware.

• Practice matching sourcetypes to the correct model.

Day 4 – Thursday

Learning Focus: Building and deploying a custom TA

Pomodoro 1: Create Field Extractions in Add-on Builder

• Use sample logs to build regex-based field extractions.

• Map each field to its CIM-compliant equivalent.

• Example: convert src_ip to src.

Pomodoro 2: Create Lookups and Tags in the TA

• Define lookup files or scripted lookups if needed.

• Assign event types (e.g., custom_vpn_event) and add relevant tags (e.g., tag=network).

Pomodoro 3: Package and Deploy the TA

• Export the TA as a .tgz package.

• Deploy it to a heavy forwarder or search head (depending on where parsing should occur).

• Monitor deployment logs to confirm success.

Day 5 – Friday

Learning Focus: Testing and validating your custom TA

Pomodoro 1: Validate Events Using CIM Validation Dashboard

• Load sample events into Splunk.

• Use the CIM Validation dashboard to test model population, field correctness, and tag usage.

• Document any mismatches and fix extraction errors.

Pomodoro 2: Use Data Model Audit to Recheck Coverage

• Check if your new data source is now appearing in the correct data model.

• Compare coverage before and after TA deployment.

Pomodoro 3: Spaced Repetition – Flashcards and Rule Recap

• Review all flashcards from Monday and Wednesday.

• Recite or write out the exact flow from data ingestion to model population.

Day 6 – Saturday (Review Day)

• Simulate a new data source integration:

  • Choose a hypothetical sourcetype.

  • List the steps you would follow to onboard and normalize it.

  • Practice extracting fields and writing tags.

• Answer two key questions:

  • “What makes a data source CIM-compliant?”

  • “How do you verify that your correlation searches can now use it?”

Day 7 – Sunday (Optional or Light Review)

• Watch a video or read a blog on Splunk Add-on Builder usage.

• Explore an existing TA from Splunkbase and evaluate its structure.

• Prepare your workspace for Week 6: correlation logic, tuning, and identity management.

Week 6 Study Plan: Correlation Logic, Tuning, and Identity Management

Primary Weekly Objective:
Develop the ability to write and tune correlation searches, apply risk-based logic, and enrich security data with organizational identity and asset context using lookups. Learn to manage Notables efficiently and reduce alert fatigue through prioritization and suppression techniques.

Knowledge Domains Covered:

• Domain 9: Tuning Correlation Searches

• Domain 10: Creating Correlation Searches

• Domain 11: Lookups and Identity Management

Learning Methods Used:

• Pomodoro Technique: 3–4 focused blocks per day

• Spaced Repetition Reviews: Days 3, 5, and 7

• Practice-oriented: write, test, and tune real correlation search logic

Day 1 – Monday

Learning Focus: Understanding correlation search components and tuning principles

Pomodoro 1: Study Correlation Search Anatomy

• Read about the parts of a correlation search: SPL logic, adaptive response actions, severity, urgency, Notable title, and scheduling.

• List key tokens used in titles and descriptions ($src$, $user$, etc.).

• Document how each component contributes to analyst triage efficiency.

Pomodoro 2: Learn Alert Fatigue Prevention Strategies

• Study how to reduce false positives using:

  • Search filters (e.g., where priority="high"),

  • Narrow time ranges (e.g., last 5m),

  • Throttle settings (suppress identical alerts).

• Read about Search Window, Earliest Time, and Throttle Fields.

Pomodoro 3: Analyze an Existing Correlation Search

• Open a built-in correlation rule.

• Identify the SPL structure, response actions, severity, and throttle settings.

• Evaluate its scope, potential noise, and possible tuning improvements.

Day 2 – Tuesday

Learning Focus: Creating a correlation search from scratch

Pomodoro 1: Write a Simple SPL Detection Query

• Choose a use case such as “Multiple failed logins from same source in 10 minutes.”

• Build a search using stats, where, and a condition (count > 5).

• Test using indexed sample data.

Pomodoro 2: Turn SPL into a Correlation Search

• Use the Correlation Search Editor to turn the SPL into a working rule.

• Define:

  • Severity: Medium

  • Adaptive response: Add Risk Score

  • Notable title: “Brute Force from $src$”

  • Description: “$count$ failures for $user$ from $src$ in 10 mins”

Pomodoro 3: Schedule and Tune the Search

• Set a cron schedule (e.g., every 5 minutes).

• Use a search window of 10 minutes.

• Apply throttling: suppress same user, src combo for 15 minutes.

• Save and test trigger behavior.

Day 3 – Wednesday

Learning Focus: Risk scoring, suppression, and refining correlation logic

Pomodoro 1: Convert Search to Risk Rule Instead of Notable

• Modify the previous rule to create a Risk Event.

• Replace | outputlookup notable with | eval risk_score=30 | collect index=risk.

Pomodoro 2: Use Suppression Rules for Known False Positives

• Learn how to suppress alerts from safe tools (e.g., vulnerability scanners).

• Define suppression rules for specific asset IPs or event tags.

Pomodoro 3: Spaced Review – Rule Design and Risk Logic

• Recite or write answers to:

  • “What’s the difference between Notable vs Risk Rule?”

  • “How does tuning reduce false alerts while preserving detection?”

Day 4 – Thursday

Learning Focus: Identity and asset management in ES

Pomodoro 1: Understand Assets and Identities Framework

• Read about assets.csv and identities.csv files.

• Understand fields: ip, mac, nt_domain, priority, location, user.

• Note how priority affects risk scoring and search logic.

Pomodoro 2: Upload and Validate Lookups

• Upload test assets.csv and identities.csv via Lookup Editor.

• Use the Asset and Identity Center dashboard to verify entries and priorities.

• Search: | inputlookup identities.csv and spot-check entries.

Pomodoro 3: Enrich a Correlation Search with Identity Data

• Modify an existing search to join with identity lookup.

• Use SPL such as:
  | lookup identities.csv key=user OUTPUT priority, department

• Use enriched fields to raise severity for high-value users.

Day 5 – Friday

Learning Focus: Consolidating detection logic with identity awareness

Pomodoro 1: Build an End-to-End Detection Rule with Identity Context

• Create a new correlation search for suspicious admin activity.

• Include filters for role=admin, priority=high, and action type (e.g., disable account).

• Trigger a Notable with enriched description.

Pomodoro 2: Review All Flashcards on Rule Creation and Identity

• Go through 15+ flashcards on:

  • Risk Rule components

  • Lookup field names

  • Correlation scheduling options

  • Suppression techniques

Pomodoro 3: Quiz and Gap Identification

• Take a 10-question self-test with 3 Notable-based cases, 3 tuning logic, 4 identity-enriched rules.

• Review mistakes and write brief notes on what went wrong.

Day 6 – Saturday (Review Day)

• Revisit and re-run your correlation searches in lab.

• Check that risk events and Notables are appearing in Incident Review.

• Draw a visual of:

  • Event source → rule match → priority context → Risk score → Notable alert.

Day 7 – Sunday (Optional or Light Review)

• Watch one or two videos or Splunk conference recordings on detection engineering.

• Compare your correlation rules to a Splunk-released use case or blog.

• Prepare notes for Week 7: full review and exam simulation.

Week 7 Study Plan: Final Review and Exam Simulation

Primary Weekly Objective:
Review all 12 knowledge domains, identify and address any weak areas, simulate exam scenarios, and finalize readiness for the SPLK-3001 certification exam.

Learning Methods Used:

• Pomodoro Technique for structured study and testing

• Full-spaced repetition cycle for deep retention

• Mock exams under timed conditions to simulate real test experience

• Reflection-based error analysis to reinforce understanding

Day 1 – Monday

Learning Focus: Core concepts review – ES fundamentals and data structure

Pomodoro 1: Quick Review of Domains 1–4

• Recap key terms and tools:

  • ES Introduction

  • Notable Events

  • Incident Review

  • Timeline views

  • Glass Tables

• Use flashcards, charts, and dashboards to reinforce structure.

Pomodoro 2: Review Search Commands and Model Use

• Practice with | datamodel, | tstats, and | transaction.

• Run through example searches for Authentication and Intrusion Detection data models.

Pomodoro 3: Flashcard Challenge

• Quiz yourself on 30 key terms.

• Focus on fields, tags, priority logic, and dashboard features.

Day 2 – Tuesday

Learning Focus: Risk scoring and threat intelligence integration

Pomodoro 1: Review Risk Rules and TIF Integration

• Recap how risk is calculated, how rules write to the risk index, and how Threat Feeds populate lookups.

Pomodoro 2: Diagram IOC Matching Workflow

• Draw the full flow from IOC ingestion → match via lookup → risk event → Notable Event.

Pomodoro 3: Practice Rule Simulation

• Rebuild or review a correlation rule that integrates risk score and IOC metadata.

• Walk through every step as if teaching someone else.

Day 3 – Wednesday

Learning Focus: Deployment architecture and installation validation

Pomodoro 1: Architecture Review Exercise

• Redraw both single-instance and distributed deployment layouts.

• Label forwarders, indexers, search heads, and ES components.

Pomodoro 2: Installation Process Recall

• Recite the installation steps for Splunk ES, including required apps and post-install validations.

Pomodoro 3: Quiz and Recap

• Take a 10-question quiz on architecture, SHC, DMA, and role assignment.

• Write explanations for any incorrect answers.

Day 4 – Thursday

Learning Focus: Custom add-ons and CIM validation

Pomodoro 1: Add-on Checklist and Mapping Review

• Write out: what every TA must include (inputs, props, transforms, tags, CIM mapping).

• Describe how to validate a new TA using the CIM Validation dashboard.

Pomodoro 2: Build a TA Mini-Plan (Exercise)

• Choose a fictitious data source (e.g., third-party security appliance).

• List all steps needed to extract, tag, and normalize its data using Add-on Builder.

Pomodoro 3: Review Data Model Audit Logs

• Go into your lab environment and look at data model coverage again.

• Use results to refine any field extractions or tagging logic.

Day 5 – Friday

Learning Focus: Correlation logic review and exam readiness self-check

Pomodoro 1: Review Correlation Search Logic and Tuning

• Recap: search windows, cron schedules, throttling, suppression, and risk vs Notable strategies.

• Document one good and one poorly tuned rule from your environment.

Pomodoro 2: Mock Exam 1 (Timed – 60 mins)

• Complete a full-length practice test (approx. 45–50 questions).

• Simulate actual exam conditions (no breaks, timer on).

Pomodoro 3: Analyze Results

• Review all incorrect questions.

• For each, write:

  • Correct answer

  • Why your answer was wrong

  • Concept behind the correct one

Day 6 – Saturday

Learning Focus: Final reinforcement and confidence building

Pomodoro 1: Flashcard Final Round – Full Deck

• Cycle through 50+ flashcards covering all domains.

• Use spaced recall and shuffle terms for unpredictability.

Pomodoro 2: Mock Exam 2 (Timed – 60 mins)

• Take a second full-length practice test.

• Compare score with yesterday’s. Aim for ≥85%.

Pomodoro 3: Reinforcement Notes

• Review your “Top 5 Weak Areas” and write brief summaries for each.

• Teach one concept aloud or write a LinkedIn-style post summarizing your learning.

Day 7 – Sunday (Light Study or Rest)

Option A: Confidence Day

• Review your architecture diagrams, flashcards, and final summaries.

• Visualize yourself confidently navigating dashboards, writing correlation searches, and making decisions under exam conditions.

Option B: Rest Day

• Take a complete break to recharge before the exam.