We covered an introduction to Splunk Search Processing Language (SPL) and discussed the basic commands and the various types of functions used in comparison, Boolean and logical operations. Splunk Search Processing Language is used to execute commands and functions to extract useful insights from the logs ingested into the SIEM. These insights help cyber security analysts and incident responders paint a picture of what happened and the nature of the cyber incident. This was part of the TryHackMe Splunk: Exploring SPL room.
Splunk SIEM Full Course with Practical Scenarios
Highlights
Splunk is a powerful SIEM solution that provides the ability to search and explore machine data. Search Processing Language (SPL) is used to make the search more effective. It comprises various functions and commands used together to form complex yet effective search queries to get optimized results.
Splunk Search Processing Language is the language used to perform search operations in Splunk. SPL, or Splunk processing language, consists of keywords, quoted phrases, Boolean expressions, wildcards, parameter/value pairs, and comparison expressions.
Unless you're joining two explicit Boolean expressions, omit the AND operator, because Splunk assumes the space between any two search terms to be `AND`.
Room Answers
What is the name of the host in the Data Summary tab?
cyber-host
In the search History, what is the 7th search query in the list? (excluding your searches from today)
index=windowslogs | chart count(EventCode) by Image
In the left field panel, which Source IP has recorded max events?
172.90.12.11
Based on the list of log formats in this task, what log format is used by the log f
How many events are returned when we apply the time filter to display events on 04/15/2022 and Time from 08:05 AM to 08:06 AM?
134
How many Events are returned when searching for Event ID 1 AND User as *James*?
4
How many events are observed with Destination IP 172.18.39.6 AND destination Port 135?
4
What is the Source IP with highest count returned with this Search query?
Search Query: index=windowslogs Hostname="Salena.Adam" DestinationIp="172.18.38.5"
172.90.12.11
In the index windowslogs, search for all the events that contain the term cyber how many events returned?
0
Now search for the term cyber*, how many events are returned?
12256
What is the third EventID returned against this search query?
Search Query: index=windowslogs | table _time EventID Hostname SourceName | reverse
4103
Use the dedup command against the Hostname field before the reverse command in the query mentioned in Question 1. What is the first username returned in the Hostname field?
Salena.Adam
Using the Reverse command with the search query index=windowslogs | table _time EventID Hostname SourceName – what is the HostName that comes on top?
James.browne
What is the last EventID returned when the query in question 1 is updated with the tail command?
4103
Sort the above query against the SourceName. What is the top SourceName returned?
Microsoft-Windows-Directory-Services-SAM
List the top 8 Image processes using the top command – what is the total count of the 6th Image?
196
Using the rare command, identify the user with the least number of activities captured?
James
Create a pie-chart using the chart command – what is the count for the conhost.exe process?
70
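The questions above exercise the search-term semantics from the Highlights section (implicit AND, wildcards, bare keyword vs. `cyber*`) and the transforming commands `table`, `dedup`, `reverse`, `tail`, `sort`, `top`, `rare` and `chart`. To make it easy to see what each of those commands does to a result set, here is a small Python model of them run over a handful of constructed Windows-style events. This is an added example, not code from the room or from Splunk: the field names mirror the room's `windowslogs` index, but the events, the `CYBERLAB` domain and the simplified tokenizer are assumptions, and the counts it produces are for its own sample data, not the room's answers.

```python
"""Toy model of a few SPL search semantics and commands (added example, not Splunk code).

Field names mirror the room's windowslogs index; the events, the CYBERLAB domain
and the whitespace/punctuation tokenizer are constructed assumptions.
"""
import re
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample events, newest first (the order Splunk shows results in by default).
EVENTS = [
    {"_time": "2022-04-15 08:06:00", "EventID": 1,    "Hostname": "James.browne", "SourceName": "Microsoft-Windows-Sysmon",             "Image": "conhost.exe",    "User": "CYBERLAB\\James"},
    {"_time": "2022-04-15 08:05:40", "EventID": 4688, "Hostname": "Salena.Adam",  "SourceName": "Microsoft-Windows-Security-Auditing", "Image": "powershell.exe", "User": "CYBERLAB\\Salena"},
    {"_time": "2022-04-15 08:05:30", "EventID": 1,    "Hostname": "James.browne", "SourceName": "Microsoft-Windows-Sysmon",             "Image": "cmd.exe",        "User": "CYBERLAB\\James"},
    {"_time": "2022-04-15 08:05:20", "EventID": 4103, "Hostname": "Salena.Adam",  "SourceName": "Microsoft-Windows-PowerShell",         "Image": "powershell.exe", "User": "CYBERLAB\\Salena"},
    {"_time": "2022-04-15 08:05:10", "EventID": 1,    "Hostname": "Salena.Adam",  "SourceName": "Microsoft-Windows-Sysmon",             "Image": "conhost.exe",    "User": "CYBERLAB\\Mark"},
    {"_time": "2022-04-15 08:05:00", "EventID": 4103, "Hostname": "James.browne", "SourceName": "Microsoft-Windows-PowerShell",         "Image": "conhost.exe",    "User": "CYBERLAB\\James"},
]


def _matches(value, pattern):
    """Case-insensitive comparison where '*' is the SPL wildcard (e.g. *James*)."""
    return fnmatchcase(str(value).lower(), str(pattern).lower())


def search(events, **terms):
    """field=value terms separated by spaces are implicitly ANDed; no AND keyword needed."""
    return [ev for ev in events if all(_matches(ev.get(f, ""), p) for f, p in terms.items())]


def keyword(events, term):
    """A bare keyword only matches a whole token, so 'cyber' misses 'CYBERLAB' but 'cyber*' hits it.
    The tokenizer here (split on anything non-alphanumeric) is a simplification of Splunk's."""
    out = []
    for ev in events:
        tokens = re.findall(r"[A-Za-z0-9]+", " ".join(str(v) for v in ev.values()))
        if any(_matches(tok, term) for tok in tokens):
            out.append(ev)
    return out


def table(events, *fields):
    """| table f1 f2 ...: keep only the named fields, preserving event order."""
    return [{f: ev.get(f) for f in fields} for ev in events]


def dedup(events, field):
    """| dedup field: keep the first event seen for each distinct value of the field."""
    seen, out = set(), []
    for ev in events:
        if ev[field] not in seen:
            seen.add(ev[field])
            out.append(ev)
    return out


def reverse(events):
    """| reverse: flip the order of the result set (oldest event first)."""
    return list(reversed(events))


def tail(events, n=10):
    """| tail N: the last N results, as opposed to head N which takes the first N."""
    return events[-n:]


def sort_by(events, field, descending=False):
    """| sort field (ascending) or | sort -field (descending)."""
    return sorted(events, key=lambda ev: ev[field], reverse=descending)


def _ranked(events, field):
    total = len(events)
    return [(v, c, round(100 * c / total, 2)) for v, c in Counter(ev[field] for ev in events).items()]


def top(events, field, limit=10):
    """| top limit=N field: most frequent values with count and percent, highest first."""
    return sorted(_ranked(events, field), key=lambda r: (-r[1], r[0]))[:limit]


def rare(events, field, limit=10):
    """| rare limit=N field: least frequent values with count and percent, lowest first."""
    return sorted(_ranked(events, field), key=lambda r: (r[1], r[0]))[:limit]


def chart_count_by(events, field):
    """| chart count by field: one row per value; this is the data behind a pie chart."""
    return dict(Counter(ev[field] for ev in events))


if __name__ == "__main__":
    print("EventID=1 User=*James* ->", len(search(EVENTS, EventID=1, User="*James*")), "events")
    print("keyword cyber ->", len(keyword(EVENTS, "cyber")), "| cyber* ->", len(keyword(EVENTS, "cyber*")))
    print("dedup Hostname | reverse ->", [r["Hostname"] for r in reverse(dedup(table(EVENTS, "_time", "EventID", "Hostname", "SourceName"), "Hostname"))])
    print("tail 2 ->", [r["EventID"] for r in tail(EVENTS, 2)])
    print("sort SourceName ->", sort_by(EVENTS, "SourceName")[0]["SourceName"])
    print("top Image ->", top(EVENTS, "Image"))
    print("rare User ->", rare(EVENTS, "User", 1))
    print("chart count by Image ->", chart_count_by(EVENTS, "Image"))
```

The keyword model is the part worth lingering on: a bare term has to equal a whole indexed token, which is why a search for `cyber` can return nothing while `cyber*` returns thousands of events from the same data. The `top` and `rare` helpers also show that both commands are the same frequency count with opposite ordering, which is how the room uses them to find the busiest process and the least active user.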
Video Walkthrough