Room Link: https://tryhackme.com/room/splunk101
Learning Objectives and Pre-requisites
If you are new to SIEM, please complete the Introduction to SIEM room first. This room covers the following learning objectives:
- Splunk overview
- Splunk components and how they work
- Different ways to ingest logs
- Normalization of logs
Task 1 Introduction
Splunk is one of the leading SIEM solutions on the market, providing the ability to collect, analyze, and correlate network and machine logs in real time. In this room, we will explore the basics of Splunk and its functionality, and how it provides better visibility into network activity and helps speed up detection.
Continue with the next task.
Task 2 Connect with the Lab
Room Machine
Before moving forward, deploy the machine. When you deploy the machine, it will be assigned an IP. Access this room in a web browser on the AttackBox, or via the VPN at http://MACHINE_IP. The machine will take 3 to 5 minutes to start.
Continue with the next task.
Task 3 Splunk Components
Q1 - Which component is used to collect and send data over the Splunk instance?
Answer: Forwarder
Splunk Forwarder
Splunk Forwarder is a lightweight agent installed on the endpoint to be monitored; its main task is to collect data and send it to the Splunk instance. It has minimal impact on the endpoint's performance because it consumes very few resources. Some of the key data sources are:
- Web server generating web traffic.
- Windows machine generating Windows Event Logs, PowerShell, and Sysmon data.
- Linux host generating host-centric logs.
- Database generating DB connection requests, responses, and errors.
Task 4 Navigating Splunk
Q1 - In the Add Data tab, which option is used to collect data from files and ports?
Answer: Monitor
Task 5 Adding Data
Q1 - Upload the data attached to this task and create an index “VPN_Logs”. How many events are present in the log file?
Answer: 2862
Q2 - How many log events by the user Maleena are captured?
Answer: 60
Q3 - What is the name associated with IP 107.14.182.38?
Answer: Smith
Q4 - What is the number of events that originated from all countries except France? Remove the IP address that was added to the search bar in the previous question, then scroll down the Interesting Fields panel on the left and click on source_country.
Answer: 2814
Q5 - How many VPN Events were observed by the IP 107.3.206.58?
Answer: 14
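The searches behind the Task 5 answers all reduce to equality filters on extracted fields (and one negation). As an added example that is not part of the original room, the script below ingests a small constructed set of newline-delimited JSON events in the style of the VPN_Logs upload and answers each question with the equivalent SPL shown in a comment; the field names UserName, Source_ip and Source_Country are assumptions, and the counts reflect the constructed sample, not the room's data.

```python
import json
from collections import Counter

# Constructed newline-delimited JSON events standing in for the VPN_Logs
# upload; the field names UserName, Source_ip and Source_Country are assumed.
SAMPLE_VPN_LOGS = """
{"UserName": "Maleena", "Source_ip": "192.0.2.10", "Source_Country": "France"}
{"UserName": "Maleena", "Source_ip": "192.0.2.10", "Source_Country": "France"}
{"UserName": "Smith", "Source_ip": "107.14.182.38", "Source_Country": "United States"}
{"UserName": "Smith", "Source_ip": "107.14.182.38", "Source_Country": "United States"}
{"UserName": "Bob", "Source_ip": "107.3.206.58", "Source_Country": "Germany"}
{"UserName": "Maleena", "Source_ip": "198.51.100.7", "Source_Country": "France"}
{"UserName": "Bob", "Source_ip": "107.3.206.58", "Source_Country": "Germany"}
"""

def ingest(raw: str) -> list:
    """Parse each non-empty line as one JSON event (one event per line, as with
    Splunk's _json sourcetype); a malformed line is skipped rather than fatal."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def search(events, where=None, exclude=None):
    """Mimic an SPL search: every `field=value` term in `where` must match (terms
    are ANDed). `exclude` behaves like `NOT field=value`, so events that lack the
    field are kept; Splunk's `field!=value` would drop those events instead."""
    where, exclude = where or {}, exclude or {}
    return [e for e in events
            if all(e.get(k) == v for k, v in where.items())
            and all(e.get(k) != v for k, v in exclude.items())]

def stats_count_by(events, field):
    """Equivalent of `| stats count by <field>` (what the Interesting Fields panel shows)."""
    return Counter(e.get(field) for e in events)

VPN_LOGS = ingest(SAMPLE_VPN_LOGS)
TOTAL = len(VPN_LOGS)                                                  # index="VPN_Logs"
MALEENA = len(search(VPN_LOGS, where={"UserName": "Maleena"}))         # index="VPN_Logs" UserName="Maleena"
NAME_FOR_IP = stats_count_by(                                          # index="VPN_Logs" Source_ip="107.14.182.38" | stats count by UserName
    search(VPN_LOGS, where={"Source_ip": "107.14.182.38"}), "UserName")
NOT_FRANCE = len(search(VPN_LOGS, exclude={"Source_Country": "France"}))  # index="VPN_Logs" NOT Source_Country="France"
FROM_IP = len(search(VPN_LOGS, where={"Source_ip": "107.3.206.58"}))   # index="VPN_Logs" Source_ip="107.3.206.58"
```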
Task 6 Conclusion
In this room, we explored Splunk, its components, and how it works. Please check the following Splunk walkthrough and challenge rooms to understand how Splunk is used effectively in investigating incidents.
- Incident Handling with Splunk
- Investigating With Splunk
- Benign - Challenge
- PoshEclipse - Challenge