Cyber Analysis With Splunk | TryHackMe Cyber Defense Lab Splunk Room 2

Captions
What's good everybody, what's going on? JB here with another Cyber Insight live stream. It's been a few videos since we've done any of the TryHackMe rooms, whether in the PenTest+ path or in the Cyber Defense path, so I figured why not get back into it and have a little bit more fun. We had a lot of good feedback on doing the previous Splunk room, so I wanted to get into the second Splunk room and some additional Splunk rooms. Normally when we do this stuff sometimes we have our friend Khalila Scott come on, and she always has a good time with this and you guys like seeing her come on here, so I figured why not invite her back on and we'll go through the TryHackMe Splunk room 2. So let me go ahead and bring her on, say a quick hello, and then we'll jump over into the lab.

Yo Kiki, what's up, what's good?

Hey, hi everyone, it's good to see everyone again. I am Khalila Scott, aka Kiki, founder of TechSec Chicks, a women's organization that is definitely bringing women together. I've met some of the most awesome women during my journey; we just support each other, provide resources, and we actually just launched something within our Discord for the ladies where me and John are banding together to fund someone's next PenTest+ exam, and he's also going to gift the book, the PenTest+ study book that he used to pass the beta exam, signed and dated by him, and we'll send it to the next chick that is very lucky, and they will sign and date it when they pass it. So we got a good thing going on. And I'm also newly a security compliance analyst, so that's pretty exciting. I'm still in college; I'm set to graduate in February from Purdue, and also a Purdue mom. But yeah, I'm just very excited for everyone and for myself.

So that's awesome. Yeah, I'm looking forward to getting... it's actually two different books: it's the actual material book, and then there's a practice test book, which I just found out that I passed my PenTest+ beta exam primarily using that, and then the TryHackMe rooms, some of which we've done together and some other ones that I have here on the channel. So I think those three things kind of coupled together definitely will help out whoever in the TechSec Chicks is gonna end up with those books, and yeah, it'll be pretty awesome to see those passed on and kind of continue the tradition that you guys have as far as signing the books and passing it on once people pass the exam. So I'm glad to be able to be a little part of that; I think that's pretty cool.

Absolutely. We did the same thing for the Security+, and I don't know if you remember, you were the one that tagged me in that post. And so what ended up happening, I was one of the people that won and I got the Security+ study book, and I also was gifted the Security+ voucher, and I passed in January. I signed it, dated it, and I sent it to the next chick, and I think it's on like the fifth chick that is using that book to study for the Security+ exam right now.

Yep. So we're gonna go ahead and jump over into this. I'll do my normal spiel as always: smash the like button, subscribe, share it with your friends, all that stuff. I mean if you're here you pretty much know that already. I have a whole bunch of people that have dropped in the comments section saying hello, so yeah, appreciate everybody dropping in as always. If you have any questions as we're kind of going along through this, throw those in there and we'll throw them up on the screen and hopefully between the two of us come up with some type of halfway decent answer for whatever questions that you guys might have. Let's see, let's hop over into this room and we can kind of take a look at this. So I've already deployed the box, and I believe Kiki was mentioning earlier that she actually has had some background in using some of the data from this room. Where were you saying that you had seen that before?

So I did Tyrone Wilson's SOC analyst prep course, and within that course he gives us access to his Splunk room, and so basically within every Splunk instance they have questions that you can kind of go through via queries to answer those questions, and some of those questions are within this Splunk 2 room here in TryHackMe. So that's pretty exciting.

Cool, cool. So for those who don't know, the data set that's actually used in this is from something that they called Boss of the SOC, and so the data sets were actually created by the Splunk security specialist team. It's kind of a combination of a whole bunch of different types of data sets from different types of devices within an enterprise environment. So there's some Windows stuff that's coming over from Windows endpoint monitoring, including full Microsoft Sysmon stuff; kind of talked about Sysmon before, about the importance of that and kind of the different types of events that you're able to get from that which you normally aren't able to get from normal Windows event logging. Then they also have a firewall, I think in this case it's a Palo Alto, and they're using that for its normal firewall features and then also for web proxying, and then they're using Suricata, which is an open source network-based IDS. So we will actually have a decent amount of different types of information that's in this room, and I think kind of the layout of this is pretty much there's a scenario and different types of questions that we're going to kind of work through and try to dig through all of the different events that are in Splunk to hopefully end up finding the answers to the questions that they have laid out. So starting with this, we already got the AttackBox spun up; I already have that open in another tab in my browser, so we can go ahead and knock that off, the easy part. And if you have any comments or anything like that as we're kind of going through this, then go ahead and throw those out as well.

I think I'm just going to go ahead and load up Splunk, the URL here, over on the AttackBox. Okay, and then I can start reading about what we're gonna get into.

Yeah. All right, so in this exercise you assume the persona of Alice Bluebird, the analyst who successfully assisted Wayne Enterprises (that is hilarious; Bruce Wayne and Batman, that is hilarious) and was recommended to Grace Hoppy at Frothly, a beer company, to assist him with their recent issues. What kind of events do we have? The SPL, which is Splunk Search Processing Language, and to give a little context, if you are familiar with like SQL, HTML, everything has its own language where you can run queries and different things. Well, you can't do that with HTML, but you kind of get where I'm going with that. So it has that the SPL command metadata can be used to search for the same kind of information that is found in the data set summary, with the bonus of being able to search within a specific index if desired. All time values are returned in epoch time, so to make the output user readable the eval command should be used to provide more human-friendly formatting. So they kind of go on to detail a little bit about the example that they're showing, which is: in this example we will search the botsv2 index and return a listing of all the sourcetypes that can be found, as well as a count of events and the first time and last time seen. So they have some links on there as well, so if you're doing this room along with us or you want to go back and watch the video later and re-watch it and do this room, some of these resources are pretty good because they actually have documentation written up that will help you along, you know, getting through all of these series questions.

So for folks who aren't familiar, epoch time I believe is like from the time that Linux was created or something like that; it's some weird type of random-ass date from way back in the middle of nowhere that nobody really knows, and so yeah, kind of trying to align that to UTC or even just whatever time zone that you're in and the actual real dates will make it be a little bit, as they put it, human-friendly. So I'm gonna take this metadata command and you can kind of just see what they wanted to do. So if you remember, within Splunk once you get in you can go ahead and add your search commands in here; we're going to move this over using the little copy section that they have here to allow us to go back and forth between the browser. Now the other important thing to realize when you're doing this here is make sure that you change this to All time, because obviously if you go in the past 10 minutes or whatever and we're looking at a data set that has epoch time or something else, or even just in general when doing this room, you just want to make sure that you're getting all of the data that's in the data set. So really what it's doing is a sourcetype; we're looking within this index, the Boss of the SOC version 2, and then kind of the timestamp stuff they were talking about, and so when we run that then it's going to kind of just give us a whole bunch of different types of sourcetypes, is what this is showing, and the total counts of the different events from the different sourcetypes. And as I mentioned, we have a whole bunch of different types of devices within the environment, so we're going to have some stuff that kind of correlates to Windows types of things, we're going to have some stuff coming from... this pan stuff is from Palo Alto, I also believe the stream stuff is either going to be from the Palo Alto or the Suricata, I'm not exactly sure where they're sourcing that from, and then there's some Suricata stuff. So that was just kind of to show you that we have a whole bunch of different stuff within here before actually jumping into the actual data and the actual
questions. I don't think that there was really anything else that we needed to hit on that, so we can just go ahead and do Complete. Anything else that you wanted to add before we move on to the questions?

No. Basically in the 100 series questions it kind of gives you different tips and tricks that we can use to get those answers, so that's basically what this whole section is about. So if you want, we can kind of get started and then I can read some of the objectives of the questions.

All right, so yeah, right before we do that let's just see if there's anything else and maybe throw some comments up here, people just dropping in, just so the folks watching can get a little bit of attention too. Hey, hey Endgame, what's good. I saw Ellie drop in here somewhere a while back. Hey, Charles dropped in, threw that up there. Appreciate all you guys dropping in; it's awesome for the support for both of us. Some other stuff: "did the ini ines version too, was that the same data sets or different data sets?" I was kind of interested in that. But yeah, I think we can go ahead and hop in, if you want to start reading this, and we can kind of start going through it.

Okay, so the first question, it asks: Amber Turing was hoping for Frothly to be acquired by a potential competitor which fell through, but visited their website to find contact information for their executive team. What is the website domain that she visited? So going back up to question number one, the first objective is to find out what competitor website she visited, which we already know that to be... no, we don't know what that is. [Laughter]

So, oh, go ahead. No, say... So the first thing that we're going to be doing with that is pretty much we know the index that we're looking at and then we know like her name, so I think that the whole point here is to figure out what her IP address is first. So we'll kind of take a look at the pan:traffic and see if we can correlate anything to her name, right? So if we come back over here, index equals, and the nice thing is it will try to auto-populate different things, so I can actually click on that and then we can just type in amber. Yep. And we can let it spin on this, and we're going to have a whole bunch of different things here. Now what they were talking about was looking at pan logs, which, we're talking about Palo Alto logs, we can go under sourcetypes and kind of see these are all the different things that we have logs coming in from that will match what our search query was. So we can go and easily click on this, pan:traffic, to kind of narrow that down a little bit, and we can kind of see it should show her IP address with the pan:traffic. I think that this could be it, this 10.0.2.101; I mean we're assuming that it would probably be a private address. Let's see, and are they asking... they're asking for what was the website they're going to first, right? So we should be able to take her address and then go sourcetype stream:http, right? So in doing the sourcetype with the stream:http, pretty much that's going to be looking for what in essence I believe would be like web proxy logs based off of her IP address. So we should be able to go... let's go, didn't mean to highlight that. We can also kind of click through, should be able to see, we scroll down through all these different things here, we could also look for source IP. That will show you that all of the logs that end up matching her name plus coming from the pan log source is that IP address, which we kind of pulled out of a log, so we should be pretty confident that that is actually what we're looking for. Okay, so let's move that over. And what was the syntax that they wanted us to go with on that?

It was, so, index equal with the botsv2, with the IP address, sourcetype equals stream colon http.

2.101, and then it was stream...

Yep, colon, and then it's, yeah, http.

Was that in quotes or no?

The stream http is, yeah.

Okay, let me just say source... oh, it's sourcetype, gotcha. Okay, that's why it wasn't... sourcetype equals stream:http, right there we go. And then we can search on that. So we got the IP address, sourcetype equals, okay. Okay, and then what they're saying after that is, because it's so many queries that have executed, to look at the additional fields. Sure, so we could look at, I don't know, site would be... yeah, do they have a site field on there? Yep, they do have a site field. Okay, let's see what they were saying, because I know a little further down they have it where you can change the query to add the keyword site and pipe that to whatever their keyword is. Okay, so they want to go substitute keyword with Splunk commands to remove duplicates and display the output in a table format. So I think we should be able to go, let's see, see if we can get cute with this, and the keyword was dedup, I think, is one. We can do site, and then, was it, what's the other thing they said that we could do? It was, the needed site, and put it in a table format, see, table. Let's try that. So that's just getting rid of all of the different duplications of websites and then putting it into a table format, and so what we're looking for is something that's a competitor or something like that, who she doesn't work for, and what industry is she in? So she was hoping for Frothly to be acquired by a potential competitor which fell through, but visited their website to find contact information for their executive team, and it asks what is the website domain that she visited, and the industry that they're in is a beer company. Okay, so we could hypothetically do a search with like a keyword for the industry, which would be beer, but even just looking at this we can see like there's something with beer right here, so we can just go with that and see if that's what the answer is. Okay, so www.burkbeer.com. Got it, bam. Okay, let's see, question two.

Yep, so Amber found the executive contact information and sent him an email. What image file displayed the executive's contact information? Example: /path/image.ext. So what they're saying that we could do here, based on question two, we know it's an image, so you know the competitor's website, so we can construct a more specific query isolating results just to HTTP traffic from the competitor's website, which would be www.burkbeer.com. Okay, yeah, so they're asking for like the index equals the botsv2 and then the IP address, and then source, keeping her IP address, and then the source stream, and then, okay, yep, stream:http, and then competitor website. Okay, so again, for an image .ext file. Okay, so we could probably look at the URI paths; so that's gonna show like different, you know, websites or things that she, that was clicked on there. So we do have images ceo burke.png. Okay. Amber found executive contact and sent him an email; what image file displayed the executive's contact information? So we would assume that the image of the CEO would probably have his contact info on it, maybe. So let's give that a try. Yes, images ceo burke.png. Okay, bam, awesome.

All right, so the next question is what is the CEO's name? Provide the first and last name. Okay, let's see. You can draw your attention to email traffic, but you need Amber's email address. Okay, so let's take a look and maybe go, let's get rid of the IP address, and maybe go sourcetype SMTP. Yes, SMTP. What was that? Okay, no, go ahead, I'm sorry. And then maybe her name, maybe, we'll see how... yes, let's see, it might be something that's reasonable within there. Are you looking for like her... yeah, email. Yeah, I mean, so, okay, here we go, we got it here: aturing@froth.ly. So we should be able to take that and then actually use that in the search. Okay, so Amber Turing, okay, and then let's do the competitor's website; they said with that, find the communication between that. So burkbeer. Yep, once you find her address then you can build a search query to focus on her email address and the competitor's website.

There we go, so we got four; now we're down to four different events that have come in here, so we should be able to identify that hbernhard at burkbeer is one, and remember we're looking for the CEO's name, the first and the last name. Yup, and we can look at the raw text, okay, which I think we're going to end up having to do at some point to actually pull stuff out, and we can actually like read, you know, we could pick through this if you needed to, to actually get through the text. But what do we have, looking for... so again, mburke, see if they actually have anything more. Trying to see if there's anything we could do a search on, mburke, and maybe that would be good. I'm pretty sure like the information is probably in here somewhere and it's a lot of text to go through, so let's see if we can use a search to help find that. Yeah, mburke gives us something; we know his last name was Burke. Let's see, so we'll go back into the raw text on that. Let's get out of there. Are you seeing anything?

I think I might, okay, hold on just one second, don't move the screen. Oh, okay, my bad, my bad. Like I assume his signature has to be in like this.

And maybe it was in... so maybe that other email that we had, to the other dude there, maybe he mentioned like his name in that. So maybe we're kind of like... because she sent an email to Mr. Bernhard as well, so maybe there's something in that stream that actually has it and it's not actually in these emails, so we go take a look at that too. Okay, so let's do that. So that was... oh, do you got SMTP in there anywhere in your query? Yeah, I do, source stream. Okay, burkbeer.com, yes. Let's see this one; that's a lot of encoded traffic, not seeing that there. Here we go, this is another email, not seeing that there. Let's take a look in this one. So if we can't find it in here, I actually do already know what the answer is, because I actually already went through this the other day and I just can't remember how I found it, but I did find it. So worst case we can just move on with what that answer is, although I really would like to... I know, I can't remember how I found it either. I know what the answer is as well, but I definitely wanted to be able to pull it up; like this is crazy to have... well, the answer, you can see some of the message in the middle of it, like I would also like to have Bernhard, yeah, you know what I mean. The answer is Martin Burke, yeah, which again, you just see mburke but you don't really see his name pop up. Yeah, so we will just push on in the interest of time. Yes, Martin Burke. Okay, and then we already know what his email address is because we've been staring at it for the last 10 minutes; it was mburke@burkbeer.com, right here. Yeah, we've seen that a million times. Yep. Oh, and it's funny because the next question asked, after the initial contact with the CEO, Amber contacted another employee at this competitor, what is the... Mr. Bernhard, yeah, were they asking for his email address? So it's like we've knocked out all these other questions in just going through looking for just that one. Oh, there it was, okay, I just saw it. And scrolling through here I actually saw it pop out right here, right here, Martin Burke. Where, John? Right here, I'm highlighting it. So there you go, I knew it was in there somewhere. All right, this other person's email address, yeah, that was the hbernhard. Yep, and scroll up to get that; I saw hbernhard more than I saw the mburke. Yeah, yeah, right here, hbernhard, let's go, hbernhard@burkbeer.com. Okay, and then what is the name of the file attachment that Amber sent to a contact at the competitor? We should be able to, maybe, no, right here, attach file name, this is it. Okay, yeah, yeah, I see it. So I am wondering if there was something else, if we wanted to search for that a different way.
I'm just wondering if there's something else we could have clicked on that would have given us that in a faster way. Sure, I mean, we could have probably done a search on, just for kicks and giggles, file name, and then that would have narrowed it down to one message that had it. It doesn't look like it pops up in any of the information here, but then obviously you can hop into there and then it's right up and it highlights it right there, file name. So that would have been one way to go about it if we hadn't seen it right there. Okay, so that is copied, so we can move that in there. Cool. And then, what is Amber's personal email address? Let's just take a look at the hint: does anything look encoded? Well, I kind of mentioned that before when we were looking at this whole bunch of stuff here; I mean all of this for the most part looks encoded in base64, right? So we can do a few different things here to kind of take some of that data and see if we're able to come up with any of it. Actually it might be, instead of me moving around like that, which is going to be a little bit more of a pain in the butt, let's do it within here, so that way we don't need to really go back and forth, so we can decode here. Perfect. Yes, we agree, we all value the privacy. All right, so looking at that, we're looking for where it starts, so we can kind of, okay, go down to here and see what we get. Okay, and no, come back, I knew I was going to do that. There we go, and decode. All right, so "email me from now on", yeah, "amber's the best at" something that ends up still being partly encoded there, but at least we know it starts with amber's the best. You can also maybe try messing around with the character set there. We got another base64; kind of try and pull this. It's a lot of stuff. Okay, let's see, I think that goes to there. I have fun decoding, basically. Before, it's definitely a lot of work. A little, but yeah, it's enough. All right, so we got, here we go, something; the amber part's kind of not there, but at yeastybeasty.com. Yep. Okay, amber's the best at... amber is the best at yeastybeasty.com. Amber's the best... oh, is it amber's or amber is? Numbers? Okay, it took amber is the best. I'll get it, okay. All right, that is series 100 down.

Oh, and I forgot to mention when we hopped on here, we're only aiming to do 100 and 200 today, because as you see just going through one of these series takes a bit of time. So we're gonna hit up series 200 next, knock those out, and then we'll do another video later on to do 300 and 400. But yeah, before we move on into series 200, does anybody have any questions or comments before we do that? And if not, we can just hop into that. Okay, so like, someone saying "who is that lady, can you please... who's that lady?" All right, you wanna kick it off with the next group of questions?

Absolutely. So question number one: what version of Tor Browser did Amber install to obfuscate her web browsing? Answer guidance: numeric with one or more delimiter. So scrolling back up to question one, again it's got you going back to the index botsv2 with the name amber tor, and so once you do that it says that over 300 results are returned; you can reverse the order of results and hopefully the first event is the Tor installation and see the answer.

So we should be able to go... so that comes up, 300 something events. If we go list, I think that we know, what is it, format? No. What is the time, can we click on time? There was a way to... oh, it might have been, yeah, reverse, I think. And then what else was it saying? It asks for the version of the Tor Browser that she installed. Okay, let's see, and the keyword, let's try, I don't know, version. So right here, 7.0.4, that sounds about right. Yeah, okay.

All right, moving on to the next one: what is the public IPv4 address of the server running www.brewertalk.com? Okay, and first off you need to determine the public IP address for brewertalk.com and the IP address performing a web vulnerability scan against it. It says you should be able to tackle this one on your own. I'm like, yeah, not private, so it's gonna be either a 10 or a 192 or a 172. You are the network, you got this.

Let's see what we have, different things, so destination, public IP address; that's a public IP address. Let's see, 54.42.208.228, give that a try. 54, what was it? 54... 42... 208... 228. Okay, if that's not it, what did I do? 54, oh, 52, that's where I messed up. There we go. Yep. Okay, and all that we were doing there was really just looking at the destination IPs that were associated with log events for brewertalk.com and then seeing if that was a public one.

Okay, all right, the next one: provide the IP address of the system used to run a web vulnerability scan against brewertalk.com, and the hint says which IP is hitting the hardest. Sure, so we're gonna do a search to this IP address and then we should be able to... yeah, I was just looking at some of the options to see if we can click and narrow that down. I could probably go by IP streams maybe, and then maybe source IPs, maybe. Maybe it's 172.31.10.10? Maybe no, maybe not, maybe not. Let's see, let's get rid of that, and get rid of that stream. I think that's your cell phone. Yes, yeah, like my daughter just, she was like, mom, Sora needs to go, I'm like take your brother out, take your brother out, he gotta poop. So I'm not seeing that. Let's try, okay, let's see, what does it have, any... okay, it just says, let's go, brewertalk.com, and then look at the... so I know we looked at the destination IP to get that, and is there no way to reverse it to see... I mean, so this one has the most amount here, so maybe, see what else do we got? Let's see what else do we have. Oh, let's look at, let me look at the source instead of destination. Let's look at the source. There we go. Okay, so now we're looking at something like, that's way over the top. No, go where we... okay, I just found the answer to it, I tried those. So this one, if you're looking at like the source IP and you look at the amount of traffic in the count, that 45.77.65. is like way over the top. Yep. Okay, let's try, can I copy that? Okay, go with that, give that a try. Yep, that's it. Cool.

All right, so the IP address from question two is also being used by a likely different piece of software to attack a URI path. What is the URI path? Include the leading forward slash in your answer; do not include the query string or other parts of the URI. Example: /phpinfo.php. So what we're doing is we're going to do the bots and then the attacker IP, which, yes, we already kind of have the source IP there, so we should be able to do a query on that. Okay, now we're talking about URIs, so we should be able to... I would have been expecting for that to see that. Now as a tip it says change the sampling to 1 out of 100 or your query will auto-cancel and throw errors. Oh, okay, fantastic, let's do that then, and hopefully that's not what's going on there, and we might have froze it. Yeah, I think there's a chance. Yeah, underneath it, it says the number of events returned is over 18,000. How is that fine? What? Yeah, we might have hosed the Splunk, like it doesn't wanna... it does not... let's see, we might have to reboot it. Let's see, I'll just get rid of that. Okay, so now at least we're back to a good state. So it was, let's see, let's change that sampling there, it was one to a hundred. Yeah, and then it was source IP. Yep, equals source, yeah, underscore IP, equals, quotes, whatever the attacker IP was, which was, you remember, it was 45.77.65.211. 65.211. Yeah, and then we want to make sure we have All time. Yep, let's query away. And then we are again looking for the URI path, including the forward slash, in the answer. Okay, so now we got URI paths popping up here, and from the look of that, member.php seems to have a decent amount of count, and that seems to be something that maybe someone would try to attack; that seems like maybe a login page or something like that. Yeah, so let's see, member.php. Okay, that's correct.

And then the question was, what SQL function is being abused on the URI path from the previous question? Yep, form data field. So if we go do something like that, I don't know, we'll see if this comes back. Let's take a look if we can actually look at the, okay, look at the actual content here. So, XML... experienced the internal SQL error and cannot continue, what is it, XPATH syntax error... it's where active is one, and that sum, and updatexml. Maybe that's what they're trying to take advantage of, is the updatexml command there. I'll give that a try. Okay, bam.

Okay, what is the value of the cookie that Kevin's browser transmitted to the malicious URL as part of the cross-site scripting attack? Answer guidance: all digits, not the cookie name or symbols like an equal sign. So let's go up. All right, so what is it saying here? For six and seven, we've identified the Tor Browser, we've identified the URL, the URI path, and the SQL function that was used to attack brewertalk.com; now we need to identify the cookie value that was transmitted as part of the cross-site scripting attack. The user has been identified as Kevin. Before diving in, let's get some details on Kevin. Okay, for kicks and giggles I wonder if we could just add kevin into the search string since it's already there, maybe. Well, let's get rid of that sampling too. Oh yeah, that definitely might change. Okay, so that's something, we did hit on a kevin URI path, members, yup, and set cookie, delicious. So the malicious URL is included in this question, so I don't know if we need that. You said the malicious URL is included? I think I had, I see, this is the raw text. If there's anything that might not be it, we might not be... let's take a step back from that and just do what they were talking about doing, and just go searching on kevin in general. Yeah, so they start out with the kevin thing, and then it just says time to figure out the cookie value from the cross-site scripting attack, so simple keyword search. And then, so are they considering the updatexml as the malicious URL, or no? That's a SQL function, so that wouldn't be it. So let's do there, knowing that it's associated with this HTTP traffic, so let's go kevin and then source stream http, maybe. Okay, yeah, let's try that, and then source, sourcetype, source IP type... well, we don't have equals http. Let's see, yeah, so maybe that's not going to be, because it might not be associated with his IP. We could find his IP and then maybe that would... take a look at sourcetype, so if you do, I guess if you do kevin and then the sourcetype for the pan:traffic, like how we started out with Amber. Yeah, we also might be able to take his IP address here and then look for HTTP traffic based off of that IP address. Let's try. Yeah, okay, source IP equals, like that. All right, and then might be able to do sourcetype, I think was something that we were looking at; we could do the pan:traffic, give that a try. Okay, and then again it's looking for the value of the cookie that Kevin's browser transmitted. I'm kind of surprised there isn't... let's try .com. Okay, so his IP address to brewertalk.com, we'll look at cookies. Yeah, okay, let's give that a try, and let's go, this here, his last visit, give that a try. Okay, see how that looks. Bam.

And then, what brewertalk.com username was maliciously created by a spear phishing attack? Okay, the attacker stole Kevin's CSRF token and performed a trick from domain squatters by using a homograph attack. Let's see what they say up here. So we could potentially, since we know the token, yeah, we could maybe search on that, see what comes up. Could also, I don't know if there is a... just wondering if there's anything that kind of jumps out from anything here now. Okay, let's just do, let's do that. Okay, okay, so in looking for that token then we end up finding this username here, so we should be able to do that, copy that, and let's see. Bam, there we go.

All right, not too bad. So we got the 100 series questions done, the 200 series questions done, in about an hour and 15 minutes. It's pretty... it's not easy pulling these answers, but I mean again, it's good to kind of continue to walk through these though. Yep. So yeah, we will come back and definitely do the 300 series and the 400 series questions another time, but at least we got those two out there and done, and hopefully that's, you know, given you a little bit of help walking through how to search for different types of information in Splunk, especially when you have different types of data sources that they're coming in from, whether it's firewall logs, proxy logs, Sysmon stuff, a bunch of different stuff. So I'm gonna switch over back to the main view here. Yeah, if anybody has any questions or anything like that, you can go ahead and throw those out now, and if not then we can go ahead and wrap stuff up. Kiki, as always, I appreciate you coming on, especially now you got your new job, you're super busy now, so, you know, breaking off a little extra time to drop down. I'll say, yeah, I'm the little GRC princess right now. Yeah, yeah, awesome. And to the guy that wanted you to name that lady: I'm Kiki, nice to meet you. So I wasn't sure if he was talking about you or he was talking about the lady in the scenario that we were supposed to say what her name was, but either way he got me and Amber. There you go. Yeah, all right, well if nobody else has anything else to say or anything like that, again, appreciate everybody dropping
in uh subscribe hit the like button share it with everybody all that good stuff um we'll come back and do uh the series three and series four questions sometime in the the near future especially since we kind of uh flexed our splunk muscles a little bit today so they're at least stretched out a bit for the next uh next two series of questions all right everybody have uh a good evening and we'll all chat soon all right take care have a good night [Music]
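The last two questions worked through above turn on two searches: narrowing HTTP events to Kevin's source IP and brewertalk.com to pull the cookie value his browser sent, and then recognising the look-alike (homograph) domain the attacker used to steal the CSRF token. As an added example, not code from the video, from TryHackMe or from the BOTSv2 dataset, the Python below runs that same logic offline over a handful of constructed events shaped after the stream:http fields used in the search (src_ip, site, cookie). The IP addresses, cookie contents and the Cyrillic look-alike of brewertalk.com are all invented, and the confusables table is a small hand-picked subset of the Unicode TR39 list, not the full mapping.

```python
import unicodedata

# Constructed look-alike: Cyrillic "е" (U+0435) replaces the Latin "e" in brewertalk.com.
# Logs and DNS carry the punycode (xn--) form, so that is what we search for.
LOOKALIKE_UNICODE = "br\u0435wertalk.com"
LOOKALIKE_ACE = LOOKALIKE_UNICODE.encode("idna").decode("ascii")

# Constructed sample events (assumed field names after Splunk Stream's stream:http); nothing here is BOTSv2 data.
SAMPLE_EVENTS = [
    {"src_ip": "10.0.2.107", "site": "brewertalk.com",
     "cookie": "session=s3cr3tsession; csrftoken=t0k3n123"},
    {"src_ip": "10.0.2.107", "site": LOOKALIKE_ACE,
     "cookie": "session=s3cr3tsession; csrftoken=t0k3n123"},
    {"src_ip": "10.0.2.107", "site": "cdn.example.net", "cookie": ""},
    {"src_ip": "10.0.2.200", "site": "brewertalk.com", "cookie": "session=other"},
]

# Small subset of Unicode confusables: Cyrillic/Greek letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u03b1": "a", "\u03bf": "o", "\u0131": "i",
}


def cookies_for(events, src_ip, site):
    """Mirror of the SPL narrowing done in the video: src_ip=<ip> site=<site>, keep the cookie field."""
    return [e["cookie"] for e in events
            if e["src_ip"] == src_ip and e["site"] == site and e["cookie"]]


def cookie_value(cookie_header, name):
    """Pull one named cookie out of a 'k=v; k2=v2' header; None if absent."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def to_unicode_host(host):
    """Normalise a hostname to its Unicode form: xn-- labels are punycode-decoded, ASCII passes through."""
    return host.strip().lower().encode("idna").decode("idna")


def skeleton(host):
    """Map each character to its Latin look-alike after NFKC so visually identical strings compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", host))


def is_homograph_of(candidate_host, legit_host):
    """True when candidate_host is not legit_host but would render the same in an address bar."""
    candidate = to_unicode_host(candidate_host)
    legit = legit_host.strip().lower()
    if candidate == legit:
        return False
    return skeleton(candidate) == skeleton(legit)


def find_lookalikes(events, legit_host):
    """Distinct site values in the events that are homographs of legit_host, in first-seen order."""
    found = []
    for e in events:
        site = e["site"]
        if site not in found and is_homograph_of(site, legit_host):
            found.append(site)
    return found


if __name__ == "__main__":
    for c in cookies_for(SAMPLE_EVENTS, "10.0.2.107", "brewertalk.com"):
        print("cookie from Kevin's browser:", c, "-> csrftoken =", cookie_value(c, "csrftoken"))
    for site in find_lookalikes(SAMPLE_EVENTS, "brewertalk.com"):
        print("homograph of brewertalk.com:", site, "renders as", to_unicode_host(site))
```

The skeleton comparison is what makes the second search work: a plain `site=brewertalk.com` filter never matches the punycode host, so the look-alike only shows up once both sides are reduced to what the user would actually see. Running `| stats count by site` in Splunk and eyeballing every `xn--` entry is the manual equivalent.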
Info
Channel: CyberInsight
Views: 361
Keywords: tryhackme splunk, tryhackme splunk tutorial, comptia cysa+ lab, cysa+ splunk, tryhackme cysa+ splunk, cysa+ lab, cysa+ splunk lab, tryhackme blue team, splunk lab, cyberinsight, tryhackme splunk 2 walkthrough, cyber defense tryhackme, siem tutorial, splunk for devops, intro to splunk, free splunk training, splunk cyber defense, splunk cyber analyst, splunk blue team, sysmon splunk, suricata splunk, palo alto splunk, BOTSv2 walkthrough, BOTSv2 series 100, BOTSv2 series 200
Id: ARFnMkJhO6o
Length: 72min 30sec (4350 seconds)
Published: Thu Oct 28 2021