Premise:
In this video walkthrough, we covered the basic functions in Splunk such as the apps and the search feature. We also covered how to build queries and investigate events. This room is part of the cyber defense pathway from TryHackMe.
Challenge Introduction:
This room is a general overview of Splunk and its core features. Having experience with Splunk will help your resume stick out from the rest.
Splunk was named a “Leader” in Gartner’s 2020 Magic Quadrant for Security Information and Event Management.
Per Gartner, “Thousands of organizations around the world use Splunk as their SIEM for security monitoring, advanced threat detection, incident investigation and forensics, incident response, SOC automation and a wide range of security analytics and operations use cases.”
Navigating Splunk
- The instructor walks through the Splunk dashboard and its components, including the Splunk bar (which contains system messages, settings, and administration options).
- They also cover how to access the monitoring console, which provides metrics about Splunk’s performance on the current machine, including CPU and memory usage.
Splunk Apps
- Splunk apps are extensions that expand the platform’s capabilities. The video explains how to view, manage, and add new apps.
- Apps can be added manually by uploading their files, which is demonstrated with a Microsoft Sysmon add-on. The add-on is used to monitor and report on system events.
Adding Data to Splunk
- The video transitions to adding data, a core function of Splunk. The instructor explains how to upload log files to Splunk for analysis.
- They provide a practical example using web server logs and SSH logs, which are uploaded to Splunk for further investigation.
- The instructor explains how to use the upload function to manually add logs, as well as other methods like monitoring local machines or forwarding logs from various sources.
Exploring Uploaded Data
- Once the logs are uploaded, the instructor demonstrates how to explore the data by accessing the search and reporting dashboard.
- They show how to adjust the time range to display logs for a specific period, monitor the number of events being processed, and review the logs in detail.
Splunk Queries
- The final part of the video covers Splunk’s search functionality. The instructor introduces the search bar and how to perform queries to extract meaningful data from the logs.
- They show how to filter logs based on specific criteria (like host or source type) and explain how to use the fields provided by the log files for deeper analysis.
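The filtering and field usage described above, as an added set of SPL queries that are not from the walkthrough, the room, or TryHackMe. They assume the Splunk tutorial data was uploaded into index `main` and that its SSH log landed with sourcetype `secure`; `PLACEHOLDER_USER` stands in for whichever account you are investigating. The `user` and `src_ip` fields are created by the `rex` extraction in the query itself rather than assumed to be auto-extracted, so the queries do not depend on the add-on's field extractions being present.

```spl
index=main sourcetype=secure
| stats count BY host, sourcetype

index=main sourcetype=secure "Failed password"
| rex field=_raw "Failed password for (invalid user )?(?<user>\S+) from (?<src_ip>\d+\.\d+\.\d+\.\d+)"
| stats count AS failed_attempts, dc(src_ip) AS distinct_sources BY user
| sort - failed_attempts

index=main sourcetype=secure "Failed password"
| rex field=_raw "Failed password for (invalid user )?(?<user>\S+) from (?<src_ip>\d+\.\d+\.\d+\.\d+)"
| where user="PLACEHOLDER_USER"
| stats count AS failed_attempts, values(src_ip) AS sources
```

The first query scopes the search to the uploaded log and shows event volume per host, which is the same narrowing by host and source type done from the fields sidebar in the video. The second restricts to failed-password events, extracts the username and source address from the raw line (the tutorial SSH log uses both the `Failed password for <user>` and `Failed password for invalid user <user>` forms, so the optional group covers both), and ranks accounts by failure count with the number of distinct source addresses per account. The third applies the same extraction and then filters to one account after the extraction has run; filtering on `user=` before the `rex` would silently return nothing if the field is not auto-extracted. All three honour the time picker, so adjust the time range first if the uploaded data falls outside the default window.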
Answers
What is the Version?
Upload the Splunk tutorial data on the desktop. How many events are in this source?
Note: Make sure you upload the data once only.
What is the sourcetype?
In the search result, look at the Patterns tab.
What is the last username in this tab?
Search for failed password events for this specific username. How many events are returned?
Use the GitHub Sigma repo. What is the Splunk query for ‘CACTUSTORCH Remote Thread Creation’?
What is the highest EventID?