We explained the process of installing and configuring Splunk by showing the steps that involve choosing the role of Splunk whether it will be main server or a forwader, configuring the forwaders to collect logs and create the indexes that store the collected logs. We demonstrated one practical scenario that involves manually uploading web server logs to a main instance of Splunk. This was part of TryHackMe Splunk: Setting up a SOC Lab which is part of the TryHackMe SOC Level 2 track.

This post also includes the answers for TryHackMe Splunk: Dashboards and Reports and TryHackMe Splunk: Data Manipulation rooms.

Splunk SIEM Field Notes

Splunk SIEM Full Course with Practical Scenarios

Highlights

Splunk is a powerful SIEM solution that provides the ability to search and explore machine data. Search Processing Language (SPL) is used to make the search more effective. It comprises various functions and commands used together to form complex yet effective search queries to get optimized results.

Splunk supports all major OS versions, has very straightforward steps to install, and can be up and running in less than 10 minutes on any platform.

Logs can be ingested into Splunk with three methods:

  • Manual Upload
  • Forwarder Agent
  • Through a TCP IP/Port

Room Answers | TryHackMe Splunk: Setting up a SOC Lab

What is the default port for Splunk?

8000

In Splunk, what is the command to search for the term coffely in the logs?

./bin/splunk search coffely

What is the default port, on which Splunk Forwarder runs on?

8089

Follow the same steps and ingest /var/log/auth.log file into Splunk index Linux_logs. What is the value in the sourcetype field?

syslog

Create a new user named analyst using the command adduser analyst. Once created, look at the events generated in Splunk related to the user creation activity. How many events are returned as a result of user creation?

6

What is the path of the group the user is added after creation?

What is the default port Splunk runs on?

8000

Click on the Add Data tab; how many methods are available for data ingestion?

3

Click on the Monitor option; what is the first option shown in the monitoring list?

Local Event Logs

What is the full path in the C:\Program Files where Splunk forwarder is installed?

C:\Program Files\SplunkUniversalForwarder

What is the default port on which Splunk configures the forwarder?

9997

While selecting Local Event Logs to monitor, how many Event Logs are available to select from the list to monitor?

5

Search for the events with EventCode=4624. What is the value of the field Message?

An account was successfully logged on.

In the lab, visit http://coffely.thm/secret-flag.html; it will display the history logs of the orders made so far. Find the flag in one of the logs. 

{COffely_Is_Best_iN_TOwn}

Room Answers | Splunk: Dashboards and Reports

Which search term will show us results from all indices in Splunk?

index=*

Create a report from the network-server logs host that lists the ports used in network connections and their count. What is the highest number of times any port is used in network connections?

5

While creating reports, which option do we need to enable to get to choose the time range of the report?

time range picker

Create a dashboard from the web-server logs that show the status codes in a line chart. Which status code was observed for the least number of times?

400

What is the name of the traditional Splunk dashboard builder?

classic

What feature can we use to make Splunk take some actions on our behalf?

trigger actions

Which alert type will trigger the instant an event occurs?

Real-time

Which option, when enabled, will only send a single alert in the specified time even if the trigger conditions re-occur?

throttle

Room Answers | Splunk: Data Manipulation

How many Python scripts are present in the ~/Downloads/scripts directory?

3

Which stanza is used in the configuration files to break the events after the provided pattern?

BREAK_ONLY_AFTER

Which stanza is used to specify the pattern for the line break within events?

LINE_BREAKER

Which configuration file is used to define transformations and enrichments on indexed fields?

transforms.conf

Which configuration file is used to define inputs and ways to collect data from different sources?

inputs.conf

If you create an App on Splunk named THM, what will be its full path on this machine?

/opt/splunk/etc/apps/THM

Which configuration file is used to specify parsing rules?

props.conf

What regex is used in the above case to break the Events?

(DISCONNECT|CONNECT)

Which stanza is used in the configuration to force Splunk to break the event after the specified pattern?

MUST_BREAK_AFTER

If we want to disable line merging, what will be the value of the stanza SHOULD_LINEMERGE?

false

Which stanza is used to break the event boundary before a pattern is specified in the above case?

BREAK_ONLY_BEFORE

Which regex pattern is used to identify the event boundaries in the above case?

[Authentication]

Which stanza is used to break the event after the specified regex pattern?

MUST_BREAK_AFTER

What is the pattern of using SEDCMD in the props.conf to mask or replace the sensitive fields?

s/oldValue/newValue/g

Extract the Username field from the sourcetype purchase_logs we worked on earlier. How many Users were returned in the Username field after extraction?

14

Extract Credit-Card values from the sourcetype purchase_logs, how many unique credit card numbers are returned against the Credit-Card field?

16

Video Walkthrough | TryHackMe Splunk: Setting up a SOC Lab

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles