We explained the process of installing and configuring Splunk by showing the steps that involve choosing the role of Splunk whether it will be main server or a forwader, configuring the forwaders to collect logs and create the indexes that store the collected logs. We demonstrated one practical scenario that involves manually uploading web server logs to a main instance of Splunk. This was part of TryHackMe Splunk: Setting up a SOC Lab which is part of the TryHackMe SOC Level 2 track.
This post also includes the answers for TryHackMe Splunk: Dashboards and Reports and TryHackMe Splunk: Data Manipulation rooms.
Splunk SIEM Full Course with Practical Scenarios
Highlights
Splunk is a powerful SIEM solution that provides the ability to search and explore machine data. Search Processing Language (SPL) is used to make the search more effective. It comprises various functions and commands used together to form complex yet effective search queries to get optimized results.
Splunk supports all major OS versions, has very straightforward steps to install, and can be up and running in less than 10 minutes on any platform.
Logs can be ingested into Splunk with three methods:
- Manual Upload
- Forwarder Agent
- Through a TCP IP/Port
Room Answers | TryHackMe Splunk: Setting up a SOC Lab
What is the default port for Splunk?
8000
In Splunk, what is the command to search for the term coffely in the logs?
./bin/splunk search coffely
What is the default port, on which Splunk Forwarder runs on?
8089
Follow the same steps and ingest /var/log/auth.log
file into Splunk index Linux_logs. What is the value in the sourcetype field?
syslog
Create a new user named analyst using the command adduser analyst
. Once created, look at the events generated in Splunk related to the user creation activity. How many events are returned as a result of user creation?
6
What is the path of the group the user is added after creation?
What is the default port Splunk runs on?
8000
Click on the Add Data tab; how many methods are available for data ingestion?
3
Click on the Monitor option; what is the first option shown in the monitoring list?
Local Event Logs
What is the full path in the C:\Program Files where Splunk forwarder is installed?
C:\Program Files\SplunkUniversalForwarder
What is the default port on which Splunk configures the forwarder?
9997
While selecting Local Event Logs to monitor, how many Event Logs are available to select from the list to monitor?
5
Search for the events with EventCode=4624. What is the value of the field Message?
An account was successfully logged on.
In the lab, visit http://coffely.thm/secret-flag.html; it will display the history logs of the orders made so far. Find the flag in one of the logs.
{COffely_Is_Best_iN_TOwn}
Room Answers | Splunk: Dashboards and Reports
Which search term will show us results from all indices in Splunk?
index=*
Create a report from the network-server logs host that lists the ports used in network connections and their count. What is the highest number of times any port is used in network connections?
5
While creating reports, which option do we need to enable to get to choose the time range of the report?
time range picker
Create a dashboard from the web-server logs that show the status codes in a line chart. Which status code was observed for the least number of times?
400
What is the name of the traditional Splunk dashboard builder?
classic
What feature can we use to make Splunk take some actions on our behalf?
trigger actions
Which alert type will trigger the instant an event occurs?
Real-time
Which option, when enabled, will only send a single alert in the specified time even if the trigger conditions re-occur?
throttle
Room Answers | Splunk: Data Manipulation
How many Python scripts are present in the ~/Downloads/scripts
directory?
3
Which stanza is used in the configuration files to break the events after the provided pattern?
BREAK_ONLY_AFTER
Which stanza is used to specify the pattern for the line break within events?
LINE_BREAKER
Which configuration file is used to define transformations and enrichments on indexed fields?
transforms.conf
Which configuration file is used to define inputs and ways to collect data from different sources?
inputs.conf
If you create an App on Splunk named THM, what will be its full path on this machine?
/opt/splunk/etc/apps/THM
Which configuration file is used to specify parsing rules?
props.conf
What regex is used in the above case to break the Events?
(DISCONNECT|CONNECT)
Which stanza is used in the configuration to force Splunk to break the event after the specified pattern?
MUST_BREAK_AFTER
If we want to disable line merging, what will be the value of the stanza SHOULD_LINEMERGE?
false
Which stanza is used to break the event boundary before a pattern is specified in the above case?
BREAK_ONLY_BEFORE
Which regex pattern is used to identify the event boundaries in the above case?
[Authentication]
Which stanza is used to break the event after the specified regex pattern?
MUST_BREAK_AFTER
What is the pattern of using SEDCMD in the props.conf to mask or replace the sensitive fields?
s/oldValue/newValue/g
Extract the Username field from the sourcetype purchase_logs we worked on earlier. How many Users were returned in the Username field after extraction?
14
Extract Credit-Card values from the sourcetype purchase_logs, how many unique credit card numbers are returned against the Credit-Card field?
16
Video Walkthrough | TryHackMe Splunk: Setting up a SOC Lab