Premise

In this video walkthrough, we covered how to investigate web activity for users with Splunk, answering the 100-series questions of the TryHackMe Splunk 2 room.

Splunk Study Notes

Splunk SIEM Full Course with Practical Scenarios

Introduction

The challenge involves an investigation of an employee, Amber Turing, who contacted a competitor after a failed acquisition attempt. The goal is to use Splunk to investigate logs and uncover key details about her activities. The investigation starts by analyzing Palo Alto firewall logs and other sources in Splunk.

Finding Amber Turing’s IP Address

The first step is to locate Amber Turing’s IP address by filtering the Palo Alto firewall traffic logs. By searching for her name in the logs, the investigator identifies her source IP address.

Identifying the Website She Visited

After obtaining Amber’s IP address, the investigator queries the HTTP logs in Splunk to find which websites she visited. Filtering the HTTP logs by Amber’s IP produces a list of websites. To remove irrelevant results (e.g., Microsoft, Google, etc.), the investigator excludes those well-known domains from the search so that the competitor’s website stands out in the remaining list.

Finding the Image File Containing Executive Contact Information

Amber was interested in contacting a specific executive from the competitor company. After identifying the website she visited, the investigation narrows the logs to look for any image files that contain contact information. The relevant URI path containing the image file is found in the HTTP logs, indicating that she viewed an image with the executive’s contact information.
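The three web-activity steps above, written out as Splunk searches. These are added examples, not queries from the video or from TryHackMe; they assume the BOTSv2 dataset layout (index botsv2, sourcetypes pan:traffic and stream:http, fields user, src_ip, site, uri_path and http_user_agent), and the placeholders in angle brackets stand for values the investigation reveals. The first search finds Amber’s source IP in the firewall logs with a subsearch and feeds it straight into the HTTP logs, excluding common noise domains so the competitor’s site stands out; the second search lists only image requests to that site so the URI path of the contact-information image can be read off.

```spl
index=botsv2 sourcetype="stream:http"
    [ search index=botsv2 sourcetype="pan:traffic" user="*amber*"
      | stats count BY src_ip
      | fields src_ip ]
    NOT site IN ("*.microsoft.com", "*.windowsupdate.com", "*.google.com",
                 "*.googleapis.com", "*.bing.com", "*.live.com")
| stats count BY site
| sort -count

index=botsv2 sourcetype="stream:http" src_ip="<amber_ip>" site="<competitor_domain>"
    uri_path IN ("*.jpg", "*.jpeg", "*.png", "*.gif")
| table _time, site, uri_path, http_user_agent
| sort _time
```

Run the two searches separately. The subsearch in the first one returns `src_ip=<value>` terms that are ANDed into the outer search, so the IP never has to be copied by hand; if the firewall logs map several IPs to Amber’s account, review the `stats` output before trusting the HTTP results. Extend the `NOT site IN (...)` list as needed until only a handful of candidate domains remain.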

Finding the CEO’s Name

To uncover the CEO’s name, the investigator switches to analyzing SMTP email logs in Splunk. By searching for Amber’s email address and filtering the logs for communication between her and the competitor company, the investigator looks for relevant emails that may contain the CEO’s name.
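The email side of the investigation as Splunk searches, added here as an example rather than taken from the video. It assumes the BOTSv2 stream:smtp sourcetype with the fields sender, receiver, subject and attach_filename{}; the angle-bracket placeholders are values the earlier steps produce. The first search lists every message exchanged between Amber and the competitor’s domain in time order, which exposes the CEO’s name and address, the second employee she wrote to, and any attachment filename; the second search looks for messages from an "amber" mailbox outside the company’s own domain, which is how a personal email address surfaces.

```spl
index=botsv2 sourcetype="stream:smtp"
    (sender="*<amber_mailbox>*" OR receiver="*<amber_mailbox>*")
    (sender="*@<competitor_domain>" OR receiver="*@<competitor_domain>")
| table _time, sender, receiver, subject, attach_filename{}
| sort _time

index=botsv2 sourcetype="stream:smtp" sender="*amber*"
    NOT sender="*@<frothly_domain>"
| stats count BY sender, receiver
| sort -count
```

The `sort _time` on the first search matters: the question about the "other employee" depends on which contact came after the initial exchange with the CEO, so read the conversation chronologically. Attachment names appear in `attach_filename{}` only on messages that actually carried a file, so a blank cell in that column is expected for most rows.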

Conclusion

The video concludes with further analysis of email logs to complete the investigation and answer additional questions about the communication between Amber and the competitor.

TryHackMe Splunk 2 Boss of the SOC V2 | Room Answers

Answer the questions below
 
Amber Turing was hoping for Frothly to be acquired by a potential competitor which fell through, but visited their website to find contact information for their executive team. What is the website domain that she visited?
 

Amber found the executive contact information and sent him an email. What image file displayed the executive’s contact information? Answer example: /path/image.ext

 

What is the CEO’s name? Provide the first and last name.

 

What is the CEO’s email address?

 

After the initial contact with the CEO, Amber contacted another employee at this competitor. What is that employee’s email address?

 

What is the name of the file attachment that Amber sent to a contact at the competitor?

 

What is Amber’s personal email address?

 

Video Walk-through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
