Premise:
In this video walkthrough, we covered the basic functions in Splunk, such as the apps and the search feature. We also covered how to build queries and investigate events. This room is part of the cyber defense pathway from TryHackMe.
Challenge Introduction:
This room is a general overview of Splunk and its core features. Having experience with Splunk will help your resume stick out from the rest.
Splunk was named a “Leader” in Gartner’s 2020 Magic Quadrant for Security Information and Event Management.
Per Gartner, “Thousands of organizations around the world use Splunk as their SIEM for security monitoring, advanced threat detection, incident investigation and forensics, incident response, SOC automation and a wide range of security analytics and operations use cases.”
Answers
What is the Version?
Upload the Splunk tutorial data on the desktop. How many events are in this source?
Note: Make sure you upload the data once only.
What is the sourcetype?
In the search result, look at the Patterns tab.
What is the last username in this tab?
Search for failed password events for this specific username. How many events are returned?
Use the GitHub Sigma repo. What is the Splunk query for ‘CACTUSTORCH Remote Thread Creation’?
What is the highest EventID?
Challenge Link:
https://tryhackme.com/room/splunk101