Splunk | TryHackMe Walkthrough

Introduction:

Splunk is a leading cybersecurity software company that develops Web-based applications for researching, monitoring, and evaluating data generated from connected machines, it provides applications such as SIEM solutions and add-ons for many world-leading tech vendors such as Cisco, AWS, Palo Alto, and many others.

Splunk Enterprise Security:

One of the most famous Splunk applications is Splunk ES, it resolves a variety of security analytics and services including regular security monitoring, enhanced threat detection, compliance, incident reports, forensics, and incident response.
Splunk ES aims to resolve many common problems including:
  • alert fatigue: as it provides a high fidelity risk-alerting.
  • visibility: by bringing out data from different platforms using multi-cloud security monitoring.
  • flexibility: investigations can be an exhausting process when you face alerts from a variety of sources, Splunk ES enables you to carry out threat hunting across security, IT, and DevOps data sources.

Deployment:

Splunk ES is a premium product and it requires a paid license, but you can use the free trial for 60 days. - Start by downloading it from Splunk.com
There is also a ready VM by darkstar7471, you can find the ova file here.
- After the download's finished, open the file using your preferred hypervisor (Oracle VirtualBox is the one for me).
- Enter your preferred browser, go to localhost:8000 and that's it.

TryHackMe Splunk room Walkthrough:


Task 2 :

A short quiz over the base search commands that are useful for Splunk. All you'll need for this is the attached quick reference guide and possibly the magic of Google. Include all parts of the search query unless otherwise instructed.

# Try to do it by yourself first !!!

1- Splunk queries always begin with this command implicitly unless otherwise specified. What command is this? When performing additional queries to refine received data this command must be added at the start. This is a prime example of a slight trick question.

search

2- When searching for values, it's fairly typical within security to look for uncommon events. What command can we include within our search to find these?

rare

3- What about the inverse? What if we want the most common security event?

top

4- When we import data into splunk, what is it stored under?

index

5- We can create 'views' that allow us to consistently pull up the same search over and over again; what are these called?

dashboard

6- Importing data doesn't always go as planned and we can sometimes end up with multiple copies of the same data, what command do we include in our search to remove these copies?

dedup

7-Splunk can be used for more than just a SIEM and it's commonly used in marketing to track things such as how long a shopping trip on a website lasts from start to finish. What command can we include in our search to track how long these event pairs take?

transaction

8- In a manner similar to Linux, we can 'pipe' search results into further commands, what character do we use for this?

|

9- In performing data analytics with Splunk (ironically what the tool is at its core) it's useful to track occurrences of events over time, what command do we include to plot this?

timechart

10- What about if we want to gather general statistical information about a search?

stats

11- Data imported into Splunk is categorized into columns called what?

fields

12- When we import data into Splunk we can view its point of origination, what is this called? I'm looking for the machine aspect of this here.

host

13- When we import data into Splunk we can view its point of origination from within a system, what is this called?

source

14- We can classify these points of origination and group them all together, viewing them as their specific type. What is this called? Use the syntax found within the search query rather than the proper name for this.

sourcetype

15- When performing functions on data we are searching through we use a specific command prior to the evaluation itself, what is this command?

eval

16- Love it or hate it regular expression is a massive component to Splunk, what command do we use to specific regex within a search?

rex

17- It's fairly common to create subsets and specific views for less technical Splunk users, what are these called?

pivot table

18- What is the proper name of the time date field in Splunk

_time

19- How do I specifically include only the first few values found within my search?

head

20- More useful than you would otherwise imagine, how do I flip the order that results are returned in?

reverse

21- When viewing search results, it's often useful to rename fields using user-provided tables of values. What command do we include within a search to do this?

lookup

22- We can collect events into specific time frames to be used in further processing. What command do we include within a search to do just that?

bucket

23- We can also define data into specific sections of time to be used within chart commands, what command do we use to set these lengths of time? This is different from the previous question as we are no longer collecting for further processing.

span

24- When producing statistics regarding a search it's common to number the occurrences of an event, what command do we include to do this?

count

25- Last but not least, what is the website where you can find the Splunk apps at?

splunkbase.splunk.com

26- We can also add new features into Splunk, what are these called?

apps

27- What does SOC stand for?

security operations center

28- What does SIEM stand for?

security information and event management

29- How about BOTS?

boss of the soc

30- And CIM?

common information model

31- what is the website where you can find the Splunk forums at?

community.splunk.com

Comments

Post a Comment

Popular posts from this blog

OpenVas: Vulnerability Scanning | Installation Guide

Image
  Introduction: OpenVAS is a vulnerability scanner that analyzes endpoints and web apps to uncover and detect flaws. Corporations frequently employ it as part of their mitigation strategies to initially identify any weaknesses in their operational or testing servers and apps. This isn't an ultimate solution, but it can assist in the elimination of any common weaknesses that may have sneaked through the gaps. Installation: There are three methods to install GreenBone openVas: 1- Install from Kali/OpenVas repositories:  This way varies in difficulty because of the needed configurations, you can simply install it with apt. sudo apt-get update -y &&  sudo apt-get upgrade -y &&  sudo apt-get dist-upgrade -y sudo apt-get install openvas sudo gvm-setup sudo gvm-check-setup 2- Install from source (Manually): This way is not the best for beginners due to prerequisite installations and error handling can be challenging. github.com/greenbone/openvas-scanner 3- R...
Read more

Nmap | TryHackMe Walkthrough

Image
  An in-depth look at scanning with Nmap, a powerful network scanning tool. This room was created by DarkStar  and  MuirlandOracle , as it provides a great way to learn and start practicing nmap. I encourage you to give it a try by yourself since the hands-on practice will give you more understanding of the topic (take advantage of the manual page man nmap ). Task2: What networking constructs are used to direct traffic to the right application on a server? Ports How many of these are available on any network-enabled computer? 65535 [Research] How many of these are considered "well-known"? (These are the "standard" numbers mentioned in the task) 1024 Task3: What is the first switch listed in the help menu for a 'Syn Scan' (more on this later!)? -sS Which switch would you use for a "UDP scan"? -sU If you wanted to detect which operating system the target is running on, which switch would you use? -O Nmap provides a switch to detect the version of the...
Read more

Wireshark for Security Analysis | Customization & Common features

Image
1/ Introduction What is Wireshark? Wireshark is a network packet analyzer. A network packet analyzer presents captured packet data in as much detail as possible. You could think of a network packet analyzer as a measuring device for examining what’s happening inside a network cable, just like an electrician uses a voltmeter for examining what’s happening inside an electric cable (but at a higher level, of course). In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, that has changed. Wireshark is available for free, is open source, and is one of the best packet analyzers available today.  wireshark.org/docs/ Some intended purposes Here are some reasons people use Wireshark: Network administrators use it to troubleshoot network problems Network security engineers use it to examine security problems QA engineers use it to verify network applications Developers use it to debug protocol implementations People use it to learn n...
Read more