Splunk 101 | TryHackMe Cyber Defense Lab

Captions
[Music] hey everybody what's good what's going on jb here with another cyber insight live stream video happy to have everyone back it's been a little bit we kind of started to get back in the swing of things a couple weeks ago we're doing a burp suite video i actually put out a question on twitter i think it was maybe a week or so ago asking about other types of content from the try hack me rooms that people would be interested in seeing and surprisingly a large majority of folks actually wanted to see more blue team related defense type of videos so that's what we're going to do today we're going to do an intro to splunk uh tryhackme actually does have a few different rooms that are specific to splunk and how it operates as a sim and different things that we can do as far as looking at alerting and different types of logs that are coming in and trying to identify different types of events within environments and so that's what we're going to do today is we're kind of going to just jump into that and get a little bit of a taste for what splunk is hopefully you know if you haven't had any background with it then this will be a useful video for you so before we jump into that as always make sure you smash like button subscribe share this with your friends who might find this helpful or useful if you want to say hi go ahead and drop a comment in the comment section and we can chat about this or whatever else is on your mind and we'll kind of just go from there so see some folks coming in here right now go ahead and throw those up real quick before we move over what's up eric what's good man yeah gonna be doing uh some blue team stuff brandon what's up man i'm surprised you're not in the gym right now uh all right so let me go ahead and we will hop over into my browser here um so still got some more folks coming in hey everybody what's good let's see all right so uh splunk if you're not familiar with what it is it's probably one of the most widely used sims that uh is 
out on the market um especially from the perspective of it being a paid sim now if you aren't familiar with what a sim is it's a security information and event management tool what does that mean well it means that it is a tool set that allows us to in essence collect different types of event logs from all the different devices in within our environment with all of those kind of consolidated in one place we can have different types of rules that we can set up some are come out of the box other ones that we can develop in-house that look for different types of security relevant uh events that happen and then based off of that are blue teamers or sock analysts or uh even our it engineers or ops technicians or whoever it is that's interested in this particular information dealing with these different applications and devices are able to kind of just have a very uh i hate using this term single pane of glass but uh can have a central place where they're able to look at uh the different types of security events that are happening within uh the environment so uh as i mentioned splunk you do actually have to pay for it once you get above kind of like their free use license i want to say i think it's 10 gigs of traffic a day you can do for free and anything above that you're going to end up paying there are other sims that a lot of different organizations will use depending upon their budget elk is another one that's very very popular and maybe we'll do some videos on that but uh yeah so let's just kind of go in and take a look kind of at the the background that they have on splunk i already spun up the the machine that comes along with this lab i think let's just take a quick look to see what we're going to be covering today just kind of a an intro to splunk single pane of gl yeah exactly uh let's see uh so we're gonna talk about kind of just moving around in splunk uh the different types of apps that you can have within there to be able to ingest and provide rule sets 
for different types of events that are coming in different ways that you can add data into splunk whether or not we're going to be talking about using forwarders which are agents that we can put on different devices or actually using syslog or uh actually manually ingesting uh log data and then splunk queries is kind of you know the what you do um as far as trying to identify uh different things out of those logs that are coming in looking for different events uh and kind of searching for specific types of information and splunk has its own uh querying language that we use to be able to do that then we're going to talk about some sigma rules dashboards and visualizations which is another big thing if you sit in a sock you're probably going to be dealing with a whole bunch of different dashboards alerting which is also another key thing that we're going to be able to do with splunk uh from the perspective of once you identify kind of these key security events what do you want to do with that information right do you want to send off uh alerts to your blue team or your sock analysts do you want to create alerts to have different thresholds things like that and then we'll go ahead and wrap it up so yeah let's see what they have to say about splunk and see how much of what i just spit out is actually uh what they're going to be saying so uh yeah typically when people think of a sim they think of splunk um it boasts 91 of the fortune 100 you splunk um yeah and all of those companies obviously have a lot of money which uh as i mentioned splunk does cost some money and the price goes up depending upon the usage of the amount of data that it's processing per day uh it's not only used for security you could use it for data data analysis devops for sure so not only security events but maybe it's operational events that are happening i've seen it used for monitoring different types of traffic used for different types of networking events so let's say different types of bgp 
events that might indicate some type of routing problem across the network you can definitely collect that type of information within splunk and send off the right type of alerts for that so kind of talking about what a sim is we're talking about central location able to collect log data from multiple sources and aggregate that and there's three critical capabilities of the sim threat detection investigation and time to respond so that's what it's really going to be helping you improve on compared to if you didn't have a tool that was able to centralize these and run rules against stuff if you're in an environment with more than a handful of devices then it sucks uh trying to do any of that honestly um one other thing i don't think they mention it in here but another term that you might be familiar with or you might have heard is a soar i believe it's s-o-a-r it's kind of like a sim but then it also kind of has some automated responses that you can do based off of different types of events or alerts that end up heading uh let's see some other sim features security monitor kind of talked about that threat detection depending upon the type of rule sets that you have within there forensics and incident response so ideally if you have all of your data going back to your sim and you're keeping it persisting it for a longer period of time that will help you in case you actually do have something bad go on in your environment and you need to kind of go back through different types of logs log collection normalization notifications alerts security incident detection yeah so all of kind of the things that we already talked about so as i mentioned we already spun up the machine it's already up over here so we can move on to task two i will mention for this one because it is a little bit different than some of the other try hackney rooms you actually don't need to start up an attack box for this everything that we're doing is just directly on the splunk machine that we start 
up here in task 1. so you don't need to have both the splunk machine and the attack box you just need to do the splunk box itself all right task two what do we got going on so when we access splunk this is kind of going to be our default screen here kind of going to go through the different sections here to get a little bit of a feel for it you can see system level messages they're going to be up at the top splunk interface settings progress of jobs help and a search feature for find the ability to switch back and forth between different types of apps is done through the app panel we're going to take a look at that the default one that all of these have right off the box is a search and reporting app let's see so if we kind of go just over into this real quick we can see we have no messages settings we have a bunch of different stuff so these are going to be system specifics uh settings um knowledge based stuff data inputs we're going to hit on that a little bit later when we're talking about the different types of logs that we're inputting how we're receiving them um the different indexes that you can point those two i don't think that this uh room necessarily goes too much into the architecture of splunk but that's definitely something that's worth checking out as far as understanding the the different components especially if you're working more on like the security engineering side you might be responsible for uh maintaining uh some splunk architecture then you're really gonna be dealing with like search heads uh which is what really is gonna be uh doing the actual searches and index servers and fords uh the forwarding servers and things like that um kind of good to get your uh your arms wrapped down those different component parts i think pretty much if you go to like the the splunk web page they're going to have some pretty good architecture breakdowns on ways to do it and kind of the different type of scaling requirements you need depending upon the amount 
of data that you have coming in you can get a free version of this and you can stand it up on one box you can even use it as a vm or uh even so i've had splunk before installed on my imac and runs perfectly fine because i don't really have a lot of data going to it um user and authentication yeah if you're doing some administrative stuff on there then it's good to know about that stuff all right so let's see what they were wanting us to do the next section is the explore splunk and that's going to be add data splunk apps and some documentation and then on the home dashboard there's no dashboards that are displayed because we haven't built any out yet i think if we go and take a look at that we just kind of like click into this here we haven't selected any they have a whole bunch of different pre-built ones that you can use although um you're probably going to end up either developing some in-house or pulling down some other ones that are kind of templated that are more specific especially to security related things so let's go ahead and take a look at what splunk apps are we'll kind of dive into that a little bit so any questions so far before we jump into splunk apps if not then i will go ahead and continue here but you can always just throw it in the comment section and we'll hit those up as we go through so um as i mentioned the previous task of search and reporting is a splunk app that's installed by default it's also referred to as a search app um and this is where i kind of had mentioned before about queries and how you look through different types of data this is actually where you're going to be doing your querying so if we go and click on the apps over here it's going to bring this up now we aren't going to be able to do anything here because we actually don't have any data that's been ingested yet an interesting thing to kind of just point out here you have a few different options that kind of are worth noting as far as uh the different time frames that 
you can use if you want to look at events over the past 24 hours or all time past month all these different time things are valuable especially if you know the specific time frames that you're looking for certain things and they just have a lot more options when it comes to those types of search specifics another thing here that's worth noting is the event sampling if you want to see everything then you're going to want to go no event sampling if you go any of these and it's kind of like if you've ever done any uh sampling of like netflow data then really you're only going to be getting you know one out of every 10 events or one out of every 100 events for what we're going to be doing we want to see everything so we're going to leave it that way let's see so uh talked about the queries each app will have its own navigation menu so once you do that and add in other apps then you're going to want to go through and navigate that so if we go back to the splunk homepage in the apps panel there's a cog icon by clicking on the cog icon you'll be directed to the manage apps page from this page you can change various settings properties for the installed apps let's look at the properties for the search and reporting app so we go back here and we click on this cog wait for that to load and kind of see with it we have a whole bunch of of different apps that are already here built in what they were talking about is looking at the search and reporting one we're going to edit properties something else worth noting here once you actually have this in operational environment and you have a whole bunch of different users and different groups and things like that sometimes you might run into a case where a certain user isn't able to actually access an app that other people have depending upon the group that they're in and things like that one thing you might want to take a look at is the permissions for the app to make sure that that user or that group has permissions to actually do 
stuff with that app and to view it let's see search and reporting we're talking about edit properties and so you can see and this is kind of what they wanted us to take a look at um it's not really too much there as far as what we can do with that just change the name look for for updates for the app if the app is visible or not so we can also uh if you want to change the particular app that you land into when you log in then you can actually do that under a user preference config file this is a windows box so this is where uh that file is uh one thing with that i think it gets overwritten whenever you do new updates so i think that you're actually supposed to um put that in a different folder so that it doesn't get overwritten whenever you do updates uh let's see okay here best practices for any modifications to the splunk uh configs you should create a directory and place custom configs there so if we wanted to see that real quick let's see let's see if we can pop into that so it was under c program files splunk etsy apps user prefs etsy apps user prefs default and just saw that question come in is this all taking place in try hack me site correct yep it is they have a virtual splunk instance uh within that room that you spin up let's see userprefs.com we'll use notepad perfect and here you go and we can see that do not edit this file right so they tell you um ideally where to place a copy of this um if you are gonna change anything and your app order see they have search be the default one there so if you wanted to make it be something else you could do that all right for uh any preference changes that you make you you're gonna need to restart the service simple enough and you can install other apps to expand the capabilities so we can click on find more apps or the splunk apps to explore what we have there now i think let's see if this will work or not i i don't know that their vm actually has access to the internet and it might not and if it doesn't then we're 
probably not going to be able to see this come up at all which based off of it spinning like that makes me feel that is the case um so if we go manage apps let's see what else had uh what did they want us to do so you can if you can either uh pull it from a splunk base or you can uh let's see directly install it pull it from splunk base and manually upload it which then you would use kind of this section here if we were going to install it from a file right you can also download the app unzip it put it in yep okay and now there's a splunk add-on on the desktop upload this add-on to splunk instance and restart splunk when prompted so if we choose this file splunk add-on this is going to be for microsoft sysmon okay and you see that that has now been added into the apps it didn't make us actually restart anything and didn't ask us to um the question was what is the folder name for the add-on and we can see that it is ta microsoft uh sysmon if you're not familiar with sysmon it is a a tool set or type of logs within uh microsoft that actually lets you see a lot of important stuff that's going on behind the scenes i think there's a few other i think if we've hit that in any of the windows labs i think it was in some of the red team labs that was going to be coming up soon but i don't think that we've uh we've really hit that yet so let's see ta microsoft sysmon okay so drop that in there cool and what was the version the version was 10.62 all right let's move on to task four dealing with adding data so we've added an app now we're going to look at maybe adding in some log data so splunk can just ingest any data as per splunk documentation when data is added to splunk the data is processed and transformed into series of individual events you can get a whole bunch of different types of event logs as i talked about you can either use forwarders that you can put on different types of devices or you can send via syslog or you can actually pull it locally or upload the files 
themselves so here's a kind of a a list of different things that we can see as far as data sources so things such as snmp events uh nagios cisco logs aws logs database logs things from different types of anti-virus edrs active directory different types of operating stuff vmware i mean pretty much anything that you can think of within an it environment pretty much are going to be able to ingest it into splunk so as i as we kind of looked at that app i mentioned that it was for sysmon logs so that's what we're going to be doing here is actually focusing on sysmon logs um if we look at the add data link from the home page let's go back to the home page right here so we have a few different options that they have um here on this box and then i think they're going to show us a few other ones as well but so i was mentioning having a forwarder that sends stuff to it you can actually monitor stuff on box if we wanted to do that so specific to this splunk server or we can manually upload files we do have a few other options as i mentioned up here but um the splunk instance attached yeah will only show the upload monitor and forward so that's kind of what we're dealing with since we want to look at windows event logs and sysmon logs from this whole system we want to monitor and there's going to be some options that we can look at here so they're going to kind of have us look at this but it's not going to be available and we're going to have to do something else but we'll walk through it so if we want to do that then we're going to go monitor and these are a whole bunch of different things that they kind of already have built out for us to be able to take a look at local event logs remote event logs if we want to set up syslog registry monitoring active directory monitoring there's a whole bunch of different stuff so we were talking about local event logs and then different types of windows event logs and we wanted to do sysmon but you see there is no sysmon in there so what 
are they going to have us do we see no powershell we see no sysmon another way that we can do it is going under the settings and data inputs now as i'm clicking back and forth and you're you can kind of see what i'm going to be doing but if you do want to go back on this page and look at this they kind of do have like a little video here that's kind of showing you in essence what i'm doing as well so if you do miss that you can check this out on here so we're going to go under settings data inputs and then do windows microsoft sysmon so let's go it was under settings and data inputs data data inputs and then it was going to be local event log collection and we're going to go under edit and i think it was microsoft let's see keep scrolling down microsoft windows i think it was sysmon there's a whole bunch of power shell almost there sysmon operational all right so we're going to save that okay everything there is good so obviously if there's different types of logs that you are going to be expecting then you're going to need to kind of make sure that you're going to be able to collect these in different types of ways there's obviously best practices and other types of documents that are out there that can kind of walk you through what it is you should be turning on or not turning on so but this is a process that you would want to go through with that so now let's go back and we will actually manually upload some sysmon logs that we have we go upload make sure that we are doing that correctly here that's your turn to add some splunk yup okay add it to there and we have the tutorial data here this is on the desktop and then we're gonna go next and all of that is fine we just leave that the way that it is and submit and we can go to start searching so that is going to take us to the search page that we were talking about before we have a whole bunch of events coming in you can see that they're populating as they're going through let's see oh and so this asterisk here i 
was just doing that it's going to show all of the events that are there and we kind of see uh how it comes in um as the various different event logs with time stamps a whole bunch of different information they have interesting fields that come up here but let's answer this question first i think the question was how many events are in this source so one 142 571. 42. did i do that wrong i think we had that right let me see make sure let's take a look if i had that um the correct answer with that i'm trying to see hey thanks eric i'll catch you later appreciate you dropping in so the correct answer on this i'm trying to see where we are getting that from upload the sprung to how many events are in this source and that might be the issue is the uh source let's see the correct answer is going to be nine eight six four i'm not quite sure see yeah i'm not quite sure what i'm missing with that though as far as why that's differing from 140 to 571 i must have some additional data added in there but i'm not going to play around too much with that we can kind of press on and start digging through these different event logs let's see it's talking about doing the queries in this so we have uh the app added on we have a data source in there now we're going to query the data we're talking about some windows event logs and system rooms that we haven't done yet at least on the channel but if you have then you might be kind of familiar with using event viewer actually i want to say in some of the windows ones that we have done we've dug into event viewer a bit so we want to take a look uh we're using the asterix as i was mentioning before and change it from 24 hours to all time which i think we kind of already did let's see i'll let that populate okay and if we want to focus on a particular source or source type we can kind of do that through through the search bar so source type being different types of particular event logs right so we could actually go source and you see we can 
kind of match these based off of the different ones that are already there within this particular index so we have those there and then we're kind of looking at source and source type as well as being another way where if you aren't exactly sure you could click down into these and see what's there and if you wanted to see specifics of those it's nice that they kind of give you account and percentage as well that's also a good way to uh be able to see what type of events you you know maybe you have a large amount of a certain type of event coming in but if we wanted to see that specifically then we could just click on that like that and then it will just show those particular logs and from the above image we see the names of each source and the number of events and percentage yep just mentioned that top 10 values are visible let's start our uh our query with sysmon as the source so let's go back to this and we're gonna do the sysmon one and hit the little magnifying glass okay so we had that come in uh you select uh the first event that appeared uh expanding on the event the details are more readable let's make sure that that is let's see show all 23 lines i'm kind of able to see some more some more data with that it's kind of showing all of those different areas there once you expand that vector we can adjust our query just to go with the source and then event id 12. let's see see if those are there event id equals 12. 
yeah it looks like it didn't ingest the data all the correct way because that should be it should be coming up and should be visible so let's go let's do that again real quick just make sure that we have that in there let's go back to the main page a little splunk troubleshooting uh on a live stream why not let's make sure that it did that properly no let's go i don't think that that is i think that's what we want i don't think there was a a different thing there operating structured i don't think so i think just using automatic should be fine on that let's try that again create new index review should be good and we will just make sure that the data inputs was there because we did that before should have because we were seeing that selected logs default yep and that was all good there okay let's try that again search and reporting and let's make sure that we have data sets i'm just poking around here for a second and we'll figure it out [Music] data imports hmm let me turn that one more time i did that do that again next automatic cool uploading start searching okay at least we have that there now we wanted to go uh it was source let's try that there we go and then it was event type or event id i think it was 12. let's try that we might have been on the wrong no xml win event log let's see if my syntax is off here somewhere source and then it was oh event id capital e event id equals 12. 
let's give that a try fingers crossed there we go okay sorry about that uh i need to brush up on my uh my splunk query language i needed to capitalize that okay so now we have uh we've we're trying to do a search to try to identify objects uh from the the system on logs that we had and then narrow that down further to a particular event id which is event id12 dealing with the creation and deletion of registry events and you see right here if we if i had kept on reading there we would have seen that uh if you do it in lower case it will not work for you so uh yeah there's there's the lesson of the day you can also search using keywords so we could go and look for in this case google update.exe so let's go google update.exe and we see that we have that hitting here so these are all of the events that were matching under uh sysmon logs that had the text google update.exe within them uh and unlike fields keywords are not case sensitive cool so instead of manually keying in the keyword the keyword can also be added by clicking the value you would like to add to the existing query so if we went like well let's see uh i'm trying to find where that is in here i mean even if we wanted to just include that we could add it to the search so that's to talk about you can click on the different fields it allows you to add it to the search and now we're searching for something within the sysmon logs that has um both googleupdates.exe and matches this as well syswire 64. 
okay there's multiple keywords in your query and there's an implicit and between them which is what we just did so if we wanted to in this case just go google update exe and chrome installer exe so let's go chrome installer.exe that was oh uh chrome underscore installer and then we go we have the google update.exe and chrome installer there yep see so it's matching both of those and again we can click on it and add it to the search if we wanted to a keyword doesn't have to be a word necessarily but can be a phrase so we're going to search on this uh failed password for sneezy so the user sneezy so let's go and do that so again this kind of makes sense if you uh knew a certain user account was failing all the time or you you were looking for something specific to a specific user then if you kind of know the string that you want to match on then you could do that for sneezy do that just hit enter and we can see how that kind of hit on all of these different logs coming from these web logs uh so let's get back to the sysmon logs and look at google update again so uh we're doing uh source sysmon and google update.exe and within that we're going to look at the interesting field sidebar and these are all uh different fields within these logs and you can actually um i think what they're going to have us do here in looking at these is look at there's the different values that come up for those different fields right so unique values and then again we can add those into the query as well so if we wanted to hypothetically go rule name it's going to bring up all of these a few different things if we hit the selected on this then that should end up popping that up here now so it's like identified within the event log we can see what it is um and then also we could as i mentioned you could click on these and it can add that up to the search as well so now we're looking in sysmon logs that's also matching on the string google update exe and hitting this particular rule so you 
can kind of see how you can kind of stack these different search terms on top of themselves and the other useful thing with that is it's not only being able to do research to be able to dig into things to end up finding things within your environment you can also then end up taking a similar type of approach to creating different types of rules for different types of events when they come in that that are meaningful to you um so you can kind of see when we did that it ended up adding the rule name and i kind of pointed that out added the rule name yep okay so now we're going to kind of do answer a few questions here so uh we're going to look for a failed password so we're just going to go okay so that is a lot and the question was what is a source type and the source type we can see that there's only one source type that came up matching that is ww1 forward slash secure okay in the search result look at the patterns tab and we can see three different patterns based off of a sample of uh 11 000 events and so these are kind of like uh ones that we're seeing more frequently i guess is kind of what they're getting at with that what is the last username in this tab uh myuan no where did the m go there we go and then we can then pivot with that and look for how many uh failed login events with that particular username password and then we should be able to go m-y and so for that looks like 48. cool no let's see what did i mess up on there uh maybe it's different types password or was that asking let's see hmm search for failed password events for the specific username see why that's kind of thrown off there hosts source type 48 hmm they want i wonder if they give a search for fail password event for this specific i mean i don't know why that's not coming up before that's coming up as 48 when i do it that way unless i'm missing something i failed password or failed login yeah failed password right and hmm the correct answer i'm looking at something else is 16. 
I'm not quite sure why it's 16, though; I must be messing something up. But we'll just put in 16, which is what they're looking for, just to keep moving on. But you can see with that, unless I'm misunderstanding what the question is, we got 48 events that are there for that. So, what can you do. All right, we are almost done; now we do Sigma rules. Any questions up to this point? "Love Splunk, cut my teeth on it." Yeah, I mean, it's one of those things where you just got to get in and kind of mess around with it. Most of the stuff that I've done with it in the past has been a bit more on the IT operational side than on the security side, but once you kind of have your dashboards set up and you know what it is you're looking for, it's a pretty awesome tool. So what is Sigma? Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is flexible, easy to write, and applicable to any type of log file. So pretty much, again, they're going to have these Sigma rules, and then you can actually take those, and there's a tool we're going to look at where it can write those into different types of searches for different types of SIEMs, and that's what we're going to do. "I feel like the search language is pretty easy to pick up, pretty expensive to deploy/maintain though." Yes. I mean, it does help you out a bit; I mean, it does try to, you know, fill in the blanks on some stuff, so at least you aren't completely left in the dark. But yeah, it definitely takes using it for a bit to kind of get familiar with things. So as far as sharing different types of queries between different SIEMs, that can be kind of difficult, so this tool will allow you to create queries in a Sigma format that can be shared with different teams that maybe don't use Splunk. And for instance, if the rules are written in Sigma and can be transferred back and forth, then it can be shared along with indicators of
compromise and YARA rules for threat intelligence purposes. So, talking about the different SIEMs that it supports, and then different projects and products that use it: MISP is a very well known one, and there's also an app for it, Sigma searches. Sigma rules are written in YAML. If you followed any of the DevOps stuff that we did, specifically like with the Juniper stuff, when was that, end of last year, then you remember us talking about XML and JSON and YAML, so this will look somewhat familiar to you when we pull up what the rule looks like. But YAML's a super human-friendly way of being able to standardize data from a programming language perspective. So let's take a look at this. The tool is uncoder.io; kind of already have that here. So what we're pretty much going to do is you select whatever the particular rule is, or you search for different types of rules, it will pop it up as what it is written in any of these different languages or tool sets, and then allow you to pick another one to translate it into. So in this case we're going to be translating from Sigma to Splunk, and you have Splunk Alert or Splunk, some other stuff that you can do: ArcSight, Carbon Black, Corelight, CrowdStrike, I mentioned Elasticsearch, FireEye, I mean they have a lot of different things, Sysmon, PowerShell. So a lot of different options. So this is a pretty cool tool that will allow you to kind of standardize different types of search queries that you'll be doing across different platforms. So let's go and do "users added to local administrators is converted here into Splunk query". So that's pretty straightforward. Sigma, let's get rid of that: users added to local administrators. This is kind of going to give you a Sigma rule; it's going to tell you what it's going to be triggering on, the log source, what it's using for its detection. So in this case it's hitting on Event ID 4732 and matching the group name Administrators, right. And then, so if we wanted to see that as
a Splunk rule, then this is kind of like what we would want to do as far as taking this and using it to query whatever logs we have within the environment. So let's actually run through these questions here. So, kind of doing the same exact process, we're going to just be looking for APT29, or the Sigma rule for that. So Sigma, APT29, and Splunk, translate. And so this is detecting suspicious PowerShell. They put a reference in here, which is cool, some tags for it, the log source again, and then actually what the detection is actually matching on. So that's really the string that it's looking for, coming from PowerShell within a Windows box. So the question was, what is the Splunk query for that? So we're just going to take that and copy that over, and there we go. "Use GitHub Sigma repo. What is the Splunk query for CACTUSTORCH remote thread creation?" Let's see, so that is going to be... let's see. I don't know if they actually want us to go actually to the repo for that on GitHub. We're not gonna take the time to do that, so we'll just press on. I guess we could just Google it real quick; let's see. And the question was, they were looking for, what is the Splunk query for that? I think that looks like that is going to be... let's see. I won't spend too much time on this. Yeah, okay, well, I found the answer doing some other searches, so we'll just put that in there and move on, because we are almost at the end and want to wrap it up. So we're talking about dashboards: our panels displaying different data visualizations in one view. You can kind of take the raw data and put it into different ways to visualize it, obviously, so it could be a chart or other types of graphics. If you've been inside of a SOC, or even just a type of monitoring environment for IT operations, normally there'll be different types of tool sets that will have some type of graphical views depicting large amounts of pertinent data, right. So just kind of easy to
look at things, kind of get a snapshot and be able to understand, you know, what's going on at a very high level. So let's see, so we're going to create a dashboard, but first we're going to create a search query for that. So it's going to be the Sysmon stuff again; let's remember, source XML, that, and then I think we're gonna pipe it: top limit equals five, so the top five, and then by event ID. top limit=5 EventID, I think we got that right: top limit=5 EventID. Okay, sweet, query that, and then we kind of have this broken down into the different event IDs, the amount for each of those event IDs, and then a percentage. So we could take this and we could turn this into a graph; well, we could take this and turn this into a dashboard, I should say, which will present it as a graph in different ways. So what we are going to want to do with that is look at Visualizations there, and Visualizations, so we can kind of see that it's a nice way to do that. Okay, that's Patterns, Statistics, okay. Then we're going to go Save As, Dashboard Panel, and we can call it whatever we want to call it; we can go TryHackMe dashboard, THM dashboard. And was there anything else we need to change with this? Again, you can get into some permission stuff there; inline search, no action, column chart, yeah, okay. We should be able to do that. Now we have a dashboard, and obviously you can take and add additional types of information into your dashboards, you can put multiple things, but this is just kind of a very basic way for you to be able to take a whole lot of different log events, create a query based off of the things that are important to you, in this case we want to see the top five Sysmon events, and then we want to kind of be able to look to see which ones are most pertinent, which ones are happening more often than not. And then another thing with that, we could set it as a home dashboard, and now on the front page we now have a dashboard that's coming up here. So yeah, and we
could... we can go back and we can modify this a few different ways. We can open it within the search, right, so that's kind of good: if we want to actually see the particular events, then we can drill down into that, and now we're back here where we can do other types of searches. So that's kind of how you would use the dashboard, in a way where you're able to visualize things, see things that are important, and then drill back down into the log event data. And then, yeah, I'll be happy. Hey Crystal, what are you talking about as far as case sensitivity, which one you talk about, the search strings, as far as when we were doing, like here with event ID and stuff like that? I think that was it for that. What is the highest event ID? Well, we have that; let's go back to Dashboards. The highest event ID is 11. All right, has the most. All right, we are almost at the end. This next one, for alerts, sadly we aren't able to do this based off of the version of Splunk that we have here, so we're just going to kind of talk through this real quick as far as what the alerting workflow would be. So if you want to trigger an alert based off of specific types of conditions, it's almost very similar to your queries that you have; you're kind of just doing that and then attaching a particular alert based off of those things. What do you want to track? In this case we're talking about, like, let's say it's an external IP brute forcing a web page; we want to be alerted whenever this IP's actively attacking our stuff. So how often do we want to be aware of this? Well, you can do a few different things here. You can do a scheduled alert, so maybe you schedule it to only go off once a day or something like that, but in this case it is a little bit more pertinent, so we probably want to do it in real time whenever it happens. Problem with that is, let's say they're attacking us a lot; we don't want to just be over-inundated or even cause a denial of service attack on ourselves
by getting too many emails. So we can do a trigger condition and throttling. So, you know, if it is a certain amount of failed password events in under a minute, then we can generate the alert. We also can suppress new alerts for a certain period of time, so that would be suppressed triggering, right, so that way it's not just continuous alerts firing off. And then what ends up happening with this, whenever this happens, it's gonna be your alert action. In most cases that's going to be email, or it could even be firing off some type of message, whether it's syslog or something else, to another type of application that you might be waiting to get certain types of messages from. So pretty kind of straightforward. It's too bad in this free version we can't do that; you can with the free trial, if you want to do that, or the 60-day trial. But like I said, really the main thing with that is making sure that you have your queries straight as far as what it is that you're looking for, and then coming up with a good methodology as far as what's really something that's going to be useful to yourself or your team without over-inundating them with too many email alerts, which I think is something that we all do and have all had happen in the past, so we want to try and be a little bit more cognizant of being effective with this. All right, so that is that. Let's see, we covered that, and then in conclusion, yeah, so that's the Splunk 101 room. There's another one for sure that's a little bit more advanced that we can do next; if you guys liked this, you found this, you know, useful, we can definitely hit those up. And then they have a few other rooms; I don't know if these are in the Cyber Defense learning path, but I know that this particular room we did today and another one that I was looking at are within the Cyber Defense path. So let's see. All right, so anybody have any questions, comments on any
of that before we wrap it up? I appreciate everybody hanging out and throwing comments in the chat, asking questions; hopefully this was useful to you. Oh, thanks for the Super Chat, appreciate that. I think, you know, we learned a few things with that; obviously we kind of, or I, got derailed there for a good five minutes or so with the case sensitivity and stuff like that on those queries, so that's a good lesson that hopefully you won't make yourself when you're going back through this or doing this in an operational environment. Let's see, anything else? I think that's about it. Make sure you smash the like button, share the video with other folks. I'm gonna keep doing some more blue team stuff with this for sure, still gonna circle back and hit a few more red team things, because I think we're probably about, I don't know, 75 percent of the way through the PenTest+ learning path, so we're pretty much almost done with stuff, but it would be kind of cool to get into a little bit more of the defensive stuff, so maybe I'll just keep going back and forth every week between red and blue team stuff. So, all right, if nobody else has any other comments or questions, then I hope everybody has a good week. Take care of yourself, study up, go have some fun, and we will talk soon. All right, bye.
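Added example (not code from the video, TryHackMe, SigmaHQ or uncoder.io): the stream translates the "users added to local administrators" Sigma rule into a Splunk query with uncoder.io and then talks about case sensitivity in searches. The script below shows what that translation does for a Sigma rule in the simple form the stream discusses, and then runs the same rule over a few constructed Windows Security events so you can see which ones it would alert on. The rule is written by hand and only modelled on the shape of the public rule (Security EventID 4732, group Administrators); the logsource-to-source mapping, the field names and the sample events are assumptions made for this example. The matcher folds case the way Splunk's default field-value matching does, which is the case-sensitivity point that came up in the chat.

```python
"""Minimal Sigma-to-SPL translator plus a matcher for the resulting rule.

Added example for this page; it is not code from the video, TryHackMe,
SigmaHQ or uncoder.io. The rule below is written by hand and only
modelled on the shape of the "users added to local administrators" rule
(Security EventID 4732, group Administrators). The logsource-to-source
mapping, the field names and the sample events are assumptions.
"""
from fnmatch import fnmatchcase

# Constructed rule. Real Sigma rules are YAML files; a dict is used here so
# the example needs no third-party parser.
RULE = {
    "title": "User Added to Local Administrators (constructed example)",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {"EventID": 4732},
        "group": {"GroupName|contains": "Administrators"},
        "filter": {"SubjectUserName|endswith": "$"},  # computer accounts
        "condition": "selection and group and not filter",
    },
}

# Assumed mapping from a Sigma logsource to a Splunk source. In a real
# deployment this comes from a per-environment backend/pipeline config.
LOGSOURCE_TO_SPL = {("windows", "security"): 'source="WinEventLog:Security"'}


def field_and_glob(field_spec, value):
    """Turn 'Field|modifier' plus a value into (field, glob pattern).

    The Sigma modifiers contains/startswith/endswith map onto the same '*'
    wildcard that Splunk accepts in field="value" terms.
    """
    field, _, modifier = field_spec.partition("|")
    value = str(value)
    globs = {"contains": f"*{value}*", "startswith": f"{value}*", "endswith": f"*{value}"}
    return field, globs.get(modifier, value)


def _parse_condition(condition):
    """Yield (selection_name, negated) for 'a and b and not c' style conditions."""
    for token in condition.split(" and "):
        token = token.strip()
        if token.startswith("not "):
            yield token[4:].strip(), True
        else:
            yield token, False


def selection_to_spl(selection):
    """One Sigma selection -> SPL terms. Keys AND together, list values OR."""
    terms = []
    for spec, raw in selection.items():
        values = raw if isinstance(raw, list) else [raw]
        alts = ['{}="{}"'.format(*field_and_glob(spec, v)) for v in values]
        terms.append(alts[0] if len(alts) == 1 else "(" + " OR ".join(alts) + ")")
    return " ".join(terms)


def sigma_to_spl(rule):
    """Translate a rule whose condition is a conjunction of (negated) selections."""
    src = rule["logsource"]
    clauses = [LOGSOURCE_TO_SPL[(src["product"], src["service"])]]
    for name, negated in _parse_condition(rule["detection"]["condition"]):
        spl = selection_to_spl(rule["detection"][name])
        clauses.append(f"NOT ({spl})" if negated else spl)
    return " ".join(clauses)


def selection_matches(selection, event):
    """Evaluate one selection against an event dict, case-folded like Splunk."""
    for spec, raw in selection.items():
        values = raw if isinstance(raw, list) else [raw]
        field = spec.partition("|")[0]
        actual = str(event.get(field, "")).lower()
        if not any(fnmatchcase(actual, field_and_glob(spec, v)[1].lower()) for v in values):
            return False
    return True


def rule_matches(rule, event):
    """True when every selection in the condition holds, honouring 'not'."""
    det = rule["detection"]
    for name, negated in _parse_condition(det["condition"]):
        if selection_matches(det[name], event) == negated:
            return False
    return True


def hits(rule, events):
    """Return the events the rule would alert on."""
    return [e for e in events if rule_matches(rule, e)]


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4732, "GroupName": "Administrators", "SubjectUserName": "jb", "MemberName": "evil"},
    {"EventID": 4732, "GroupName": "Administrators", "SubjectUserName": "WIN10$", "MemberName": "svc"},
    {"EventID": 4732, "GroupName": "Remote Desktop Users", "SubjectUserName": "jb", "MemberName": "sneezy"},
    {"EventID": 4624, "GroupName": "", "SubjectUserName": "jb", "MemberName": ""},
]

if __name__ == "__main__":
    print(sigma_to_spl(RULE))
    for event in hits(RULE, SAMPLE_EVENTS):
        print("ALERT:", event)
```

Running it prints the translated search and flags only the first sample event: the second is excluded by the `not filter` clause (a computer account ending in `$` did the add) and the third because the group is not Administrators. The translator deliberately handles only the `a and b and not c` condition shape and the contains/startswith/endswith modifiers; real Sigma conditions can use `or`, parentheses and aggregations, which is why production pipelines use the Sigma project's own backends or a tool like uncoder.io rather than a hand-rolled converter.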
Info
Channel: CyberInsight
Views: 977
Keywords: tryhackme splunk, tryhackme splunk tutorial, comptia cysa+ lab, cysa+ splunk, tryhackme cysa+ splunk, cysa+ lab, cysa+ splunk lab, tryhackme blue team, splunk for beginners, splunk tutorial, splunk lab, cyberinsight, tryhackme splunk 101 walkthrough, cyber defense tryhackme, siem tutorial, splunk 101, splunk for network engineers, splunk for devops, intro to splunk, free splunk training, splunk cyber defense, splunk cyber analyst, splunk queries 101, splunk blue team
Id: i3CpIDRfv0Y
Length: 80min 7sec (4807 seconds)
Published: Fri Aug 20 2021