eCIR Certification Write Up

Hello everyone,

It’s been a long! I back this time to write about my experience in eCIR certifications from elearnSecurity.

Exam:

Let’s know about the exam to know how to prepare for it. You will be given two scenarios. The first one is Splunk and the second is Kibana & pcap file.

There are going to show you the topology and tell you which server is compromised. So you have to figure out how that server got compromised and what happened next. Basically, you need to check everything to draw a mind map for you. In order to check, you need to know how to write queries in Splunk & Kibana.

Preparation:

Everyone advises to go through the content and understand them very well. Here I am going to talk about my external resources which really benefits me.

1- Splunk

I highly recommend you to take the Fundamental course from Splunk. This will give you a good foundation and you will be able to write queries and enable you to deal with Splunk.

After gaining the fundamental, funny part is about to start! There are databases that have incidents and this is very similar to the exam.

Before jumping to the practical part, I advise you to read this

https://www.splunk.com/pdfs/technical-briefs/advanced-threat-detection-and-response-tech-brief.pdf

• Boss of the SOC V1

It has questions so this will be easier than the exam because you know what to look for.

Questions:

Boss of the SOC v1: Threat Hunting with Splunk

This link has more questions, hints, answers:

botsv1content - Google Drive

Answers:

Hunting Methodology — Splunk BOTS (Boss of the SOC) — Part 1

Video:

• Boss of the SOC V2

Questions:

Splunk Boss of the SOC v2

This link has more questions, hints, answers:

botsv2content - Google Drive

Answers:

Hunting with Splunk BOTSv2 - Qns 1xx

Hunting with Splunk BOTSv2 - Qns 2xx

Hunting with Splunk BOTSv2 - Qns 3xx

Hunting with Splunk BOTSv2 - Qns 4xx

Hunting with Splunk BOTSv2 - Qns 5xx

analyze a security incident with splunk -> write up

• Boss of the SOC V3

This link has more questions, hints, answers:

botsv3content - Google Drive

Video:

• TryHackMe: Splunk

TryHackMe | Splunk

TryHackMe-BP-Splunk/Ransomware

2- Elk: Kibana

I did not find free resources to practice Kibana, so I will leave this part to you.

During Exam:

Try your best to capture EVERY single finding, and virus total will be your friend during the exam. Also, trust your feelings, if you feel this is suspicious, get deeper into it even if its name is legitimate.

Benefits resources:

Finally, exam is not hard at all, getting familiar with Splunk & Kibana will help you very much. Examination methodology differs from person to person, my methodology was studying host by host. and from there I moved and expanded hosts.

Good luck and if you have any question, you can ask me anytime.