This topic includes a video lesson and an optional Immersive Lab.
SIEM (Security Information and Event Management) is an important part of any security strategy. In this video, you’ll learn how a SIEM can be used to gather and report on syslog data from all of your infrastructure devices.
Immersive Lab: Intro to Splunk
Splunk is an event collection, indexing and search tool often used for log analysis in SIEM environments. It indexes machine data so that potential threats, system health, fraudulent activity and operational intelligence can be searched for and reported on. In this lab you will learn how to navigate Splunk using its provided tutorial data.
This lab can be difficult so we’ve provided additional guidance. To start, read all the information in the Immersive Lab ‘info’ tab about Splunk.
Question 1 of 5
What’s the full website link (from HTTP to .com) with the word ‘buttercup’ in it?
Go ahead and follow the instructions to open Splunk on the virtual machine and then click ‘Search & Reporting’ on the left hand side. A large dataset of events has been uploaded, and in this lab we’ll be analysing this dataset.
Question 1 asks you to find a website within the events which contains the word ‘buttercup’. The first thing to note, is that on the right hand side of the search bar, there is the option to change the time range. By default, this is set to April 2019. Go ahead and click the date range, then go to presets, then under ‘other’ select ‘all time’. See the screenshot below.
Try searching for ‘buttercup’. You’ll notice a suggestion pop up with a matching term. Select the matching term and run the search. You’ll get something like this:
You can see the URL which is needed for Q1.
Question 2 of 5
User djohnson successfully opened an SSH session. What was the date and time (chronologically) of their first connection to the host ‘mailsv’? (As it appears in the log)
Start by searching for ‘djohnson’. Keyword searches in Splunk are not case-sensitive, so ‘Djohnson’ will match the same events. Results are listed most recent first.
Secondly, filter the search by using the ‘host’ field on the left hand side. Click host and then select ‘mailsv’. You should now have 764 events.
You’ll also see some green bars above the list of events. This is a timeline; clicking the leftmost bar narrows the results to the earliest events. We need djohnson’s first SSH connection to the mailsv host.
Go to page two of the events and you’ll see the first SSH connection event. The format for the right answer is ‘Mon Jan 01 2019 00:00:00’, so you can copy and paste the day and time from the event itself.
Question 3 of 5
Other than djohnson, which users have accessed a root account? (Enter as user1, user2)
There are two other users who have accessed a root account. Root is the superuser account in Unix and Linux operating systems (we’ll learn about those later). It is a user account for administrative purposes, and typically has the highest access rights on the system.
In Splunk, you can use the search bar to build more advanced searches that filter the logs. We’re going to use a simple field search: USER=root. Field names in a Splunk search are case-sensitive, so write the field as USER, exactly as it is extracted from the events (the value, root, is matched case-insensitively).
This search brings up every event in which the extracted USER field is root, i.e. each time someone ran something as the root account.
On the left hand side, there is a section called ‘Interesting Fields’. Click the ‘PWD’ field (the working directory recorded in the event) and you will see a list of three users. The answer is the two users who are not djohnson. Enter the answer in the format ‘user1, user2’ and press enter.
Question 4 of 5
Select the filter ‘date_mday’ and select the value ‘3’, and include the username jboss – what is the IP address shown for the first ‘failed password’ entry on page one of the results?
Go ahead and follow the instructions in the question. Your search string will be: jboss date_mday=3
You can find the IP address in the top event listed. An IP address is a series of numbers separated by dots, such as 126.96.36.199. We’ll learn more about IP addresses later in the pre-course.
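The lookups for Questions 2, 3 and 4 can also be written as SPL searches in the search bar instead of clicking through the timeline and the field sidebar. These are added examples, not part of the lab’s own instructions. They assume the tutorial data extracts the host, USER, PWD and date_mday fields as the walkthrough describes, that the SSH events carry the sshd process name as standard syslog sshd lines do, and that the failed-login events use the standard ‘Failed password for <user> from <ip>’ wording (the rex pattern relies on that). The output field names first_time, root_events and src_ip are chosen here and are not fields in the data. Run each search separately with the time range set to All time:

```spl
djohnson host=mailsv sshd
| sort 0 _time
| head 1
| eval first_time=strftime(_time, "%a %b %d %Y %H:%M:%S")
| table first_time, _raw

USER=root
| stats count AS root_events BY PWD
| sort -root_events

jboss date_mday=3 "failed password"
| rex field=_raw "from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
| table _time, src_ip, _raw
```

The first search sorts oldest-first (sort 0 removes the default result cap) so the top row is the chronologically first event, and strftime formats it in the ‘Mon Jan 01 2019 00:00:00’ form the question expects; check the _raw column against it, since the question wants the time as it appears in the log. The second replaces clicking PWD in the sidebar with a stats table, which is also how you would alert on unexpected sudo-to-root activity. The third keeps Splunk’s default most-recent-first ordering, so the top row is the same ‘first entry on page one’ the question refers to, with the source address pulled into its own column.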
Question 5 of 5
Using the example query in the ‘searching for multiple keywords’ section, what is the log source of the first entry of the results?
Check the lab’s info tab to find the search query the question alludes to. Enter the query, and in the first event listed you’ll see ‘source =’ on the second row of info. Copy and paste that as your answer.