Splunk SIEM Basics For Beginners | TryHackMe Splunk: Basics

Captions
What's going on YouTube, today we're going to talk about Splunk basics. Previously I have uploaded many videos about Splunk to cover most of the scenarios that you may face as a security analyst: investigating ransomware, APTs, web attacks, FTP attacks, USB attacks. You can see all of them in this playlist. If you are new to Splunk I recommend you guys to watch Introduction to Splunk for Cyber Security; I will put the link of this playlist in the video description. But how about we get back to the very first square of how to work with Splunk? Basically all these videos contain practical scenarios, okay, this is the only video where you can get an intro about Splunk in this playlist, but today I will give you a more simplistic view about Splunk, even more beginner friendly than in the introduction video. So if you haven't watched any of these videos, if you are very new to Splunk, then hold on and watch this video. Today I'm going to talk about the basics, starting from what is Splunk, how it works, how to get it up and running and how to do a basic search.

So first let's understand what is Splunk. Splunk basically, guys, as you know, it's a SIEM tool, that's it. If you watched my previous videos about introduction to SIEM you will have become more familiar with what is SIEM, security information and event management. So Splunk in two words, it's a SIEM tool. So what's the concept of Splunk? The concept of Splunk is the same as the concept of a SIEM: collecting first, okay, after collecting, normalizing, third analyzing, and at the end alerting. That's the concept of every SIEM tool available out there; they all work under this concept: collecting, normalizing, analyzing and alerting. So what do they collect? They collect basically logs. We collect logs from different sources, from endpoints or hosts or from other network devices, and again guys I explained all of this in the latest video I published, okay. Now, before starting Splunk or before watching this video, if you haven't watched or if you are not familiar with the SIEM, the concept of SIEM, I recommend you guys to go back to this video and watch it before going ahead with this video.

Okay, so now let's talk about Splunk. Splunk being a SIEM tool, it collects, normalizes, analyzes and creates alerts. Now we also said in the previous video that the component or the stage, stage 3, analyzing and alerting, it all depends on the configuration of the rules you put in this SIEM tool. So without configuration, without rules, analyzing and alerting is not going to work; you will have to do the work yourself. So automatically the SIEM tool collects and normalizes all of the logs in one place, okay, so you can do your search on these logs if you want to analyze manually.

Now let's talk about the components of Splunk. What are the components of Splunk, and how does Splunk collect and analyze logs? That's useful if you want to deploy it on a machine. So Splunk consists of three components: one, we have the indexer, okay; two, we have the forwarder; and three, we have the search head. These are the components. Search head, I wrote search lead, I have to correct this, okay, the search head. So let's talk about the function of every single component. Let's talk about them in another order, so first we start with the forwarder. The forwarder, guys, is the agent, the agent tool that you install on the hosts and devices from which you will collect the logs, and the forwarder will collect all the logs from the machines and devices it is installed on. Say you want to deploy Splunk, you want to work with Splunk: first you will get the forwarder, and say you want to collect logs from two machines, a Linux machine plus a Windows machine, okay. So what you will do, you will install the forwarder in Linux and in Windows. The forwarder will collect the logs from Windows and Linux. So in Windows we have Windows event logs, system logs, and if there is any web server installed it will collect the web server logs. Same here with Linux, it will collect all of the logs the Linux machine may generate: kernel logs, web server logs, the authentication logs, so on and so forth. It will collect all these logs, okay.

Now the next component is the indexer. So what happens here: the forwarder has collected the logs, now the indexer, it will do, guess what, it will do the processing. So it processes the logs collected by the forwarder and stores them. So how does the processing happen? All of the logs that are collected from the machines and other network devices, they are processed and normalized, normalized into a specific format. The format is like this: the data is normalized and processed into field-value pairs. For example IP addresses: IP field, and the actual IP address. Here ports, here are the ports. Host names, here the hostnames. So field, value, field, value, that's how it works. That's the data format Splunk uses to process the data, okay.

Now we come to the last component, which is the search head. The search head is the component that enables you to search through the processed logs, okay. Without the search head you will not be able to analyze and extract meaningful insights from the collected and analyzed data. The search head is a very important component. All of them, they work together actually, okay; the failure of a single component will affect the entire function of Splunk.

Okay, now having become familiar with Splunk, or the concept of working with Splunk, let's now go ahead and deploy the machine attached to this instance. So I'm going to deploy the machine here, start. Okay, let's talk now about the main interface of Splunk. That's what you will see when you first install Splunk; you will access it through the IP address of your machine. If you are working on your own machine it's going to be localhost. So as you can see this is the Splunk bar. Here we get the notifications through the messages, and we configure the settings, the various settings in Splunk. Here are the current jobs in progress, uploading data, processing data, and here's the help menu, all the documentation. On the left pane you will see the applications installed, and you can install more apps as you progress through working with Splunk by clicking on find more apps. Once you install an app it will be listed on the left pane. On here you can see there are some shortcuts for the most used functions in Splunk: adding data, the applications and the documentation.

Now let's proceed and see what are the different methods of adding data to Splunk. So if we click on add data, as you can see here we have three methods: upload, monitor or forward. Now most of the time, if you want to deploy Splunk on an enterprise level to monitor machines and other devices, you will go with the forwarder or with monitor. So basically with forward you will have a basic agent file; you will install this file on the machines and devices you wish to monitor. Monitor, here you will forward all of the logs from different machines by making Splunk listen on a specific port, like it is a web server; it's going to be a server by which it will receive all the logs by opening a specific port. Or if you got the data extracted from a specific machine or specific network device and you want to specifically analyze this data, you can extract it from the source and upload it to Splunk, and that's what we will do here. We will go with this option, upload, since we don't have any environment set up yet to receive the logs through the forwarder or the monitor. So by clicking on upload we'll start uploading the data. So right now we are taking the role of the forwarder: we collected the data and right now we want to upload the data so that the indexer will process the data. Select file. The file that you will find in this machine, guys, is located under root, Splunk Basic, VPN logs. So next.

Okay, here we set the source type, so we select which is the source of this data. We can select it from here: application, database, email, log, structured. As you can see, when we uploaded the file Splunk has automatically detected the type of data and it is telling you it is JSON. So if it is automatically detected, leave it as is and proceed. Next, here we define the hostname. So the host field value normally is the host name of the machine or the device from which you have extracted and collected the logs, and of course imported the logs to Splunk. So normally we put here the name of the machine, but since we don't have, you know, the name of the machine yet, we don't have information about the source, we're going to say VPN connection. The index: here we create the index, okay. The index is very important because we will use the index to search in Splunk, okay. So it's very important to create an index and give it a meaningful name; we will use that index in the search. So let's say it is vpn_logs. Once it's created we're going to have to select it from here and we go to review. Here we review all the information we have selected in the process and click on submit. Once submitted we have a couple of options: we can build a dashboard, okay, which you will do in a later stage of working with Splunk, or we can immediately start analyzing. Now the scenario of analyzing the logs yourself, most probably, is when you have an incident, okay, and you want to analyze the related logs, or the logs collected about the incident; you want to have more insights about what happened, what kind of incident, and you want to investigate more. So we will start searching immediately.

Okay, now you come to the stage of analyzing the data. Now, working with the logs, the search here, there are specific syntaxes we have to understand as part of the Splunk search processing language. So basically on the internet there are many cheat sheets about how to use the syntaxes. For me, I have created one note file. This note file has operational notes about Splunk: for example how to parse HTTP traffic, how to search HTTP traffic, how to analyze network traffic, here Sysmon events, Fortinet firewall logs, USB attacks, basically for the various scenarios. Now this file doesn't serve as a cheat sheet to teach you how to use the basic syntaxes. I will add the basic syntaxes to this file, but this file is an operational file, it will help you to analyze scenarios, okay. The next event, always query events, detecting for example PrintNightmare vulnerability with event logs, or Office 365, Symantec Endpoint Protection events. It's scenario based, okay, scenario based, but by understanding these scenarios you will be able to eventually understand how to use the Splunk search processing language.

Okay, let's go back. So as you can see, when I start searching, this command is written by default and it specifies the current syntax. So basically as you can see the source is the file I have uploaded, the hostname is the hostname I specified, the index I have configured, and the source type. Now this syntax is very necessary and important with every single syntax you will write during the analysis phase. So say for example you want to work with the filters or the fields on the left. The fields on the left help you tremendously in narrowing down your search. So let's take a scenario here, and the questions we have. The first question: upload the data attached to this task and create an index vpn_logs. How many events are present in the log file? That's the first question. So the number of events, as you can see here, it's displayed on the left: we have 2862 events, total events that are processed under the file we uploaded. That's the number of events. The next question we have: how many log events by the user Maleena are captured? Right now, as I said earlier, we can work with this Splunk processing language to search through the events, or you can get assistance from the fields on the left. So we want to find out the number of events related to a specific user. Let's look at the left, see if any field can indicate or can help us search based on the users. As you can see we have a username field here. Username, as you can see here we have all these usernames that are witnessed in this log file; we have Simon, James, and we have Maleena. As you can see on the right we have the count of the events for every single one of these users. So Maleena has 60. As you can see, using the fields on the left I found out the answer without using the search, but it doesn't mean that you will be able to fit all the scenarios based on the interesting fields here on the left. Sometimes you will need to play with the search syntax, but for now this is an intro video and we will stick with the basics. So we have 60 events.

What's the name associated with the IP address? Let's copy the IP address, okay, and let's see if any field here again can help us filter by the IP address. We have one, Source IP. As you can see we have more than 100 IP addresses; it's going to be overwhelming searching through every single one of these IP addresses. Okay, we have one IP address and we want to find out the name, or the username, associated with this IP address. So one of the 100 IP addresses, and we have 51 single usernames, so the fields on the left kind of will not help us pretty much in this task. So what we're going to do: we copied the IP address, okay, we will paste the IP address here. Pasting the IP address, it will search the logs for all the occurrences of this IP address. I will leave the syntax here as is because it's a very basic search. As you can see we have 26 events where this IP address is mentioned. So how do I find out what name is associated with this IP address? You're not going to go through all of these logs, right, because it's not practical, and sometimes you will get more than 26 events; you're not going to spend your time finding out what's the name, although in this scenario we are dealing with 26, you can. So as you can see you have username Smith for all the logs; we have the name Smith. But suppose that the event number here is more than 26, say it's 76 or 100. Are you going to go through all of these logs here like that? No, you have to use the filters. So basically right now we put the IP address. Let's see on the left side, before we play with the syntax again, let's go to the left side and see the username field. Let's see how many usernames we have associated with the IP address. As you can see, if you look at the field here, username, we have only one, and the count indeed is 26, which means all of the logs here, all the events we have with this IP address, they are associated with the username Smith. So that's the name associated with this IP address, and that answers this question.

Next: what's the number of events that originated from all countries except France? Okay, let's get back and let's reset the search. So back we have 2862. Let's go to the left and find if there is a field for the countries: Source country. As you can see, for every single country we have the number of events. Now how can you find out the total number of events except France? Yeah, you can add these together and exclude France, but that is not practical, as I said before. Let's now rely on the search syntax, okay. So what I'm going to do, I'm going to use NOT. NOT is a logical operator in the search processing language which means I want to exclude a value. The value I want to exclude here is the country name France. So what I'm going to do, I'm going to type the name of the field, Source country, as it's written, and specify the value to be France; that's the value I want to exclude, okay, from all of the events under this file. So when I click search, as you can see I have 2814. This is the number of events associated with all countries except France. So 2814, and that's the answer for this question.

How many VPN events were observed by the IP? Let's copy the IP, let's see how many events were observed by this IP address. Let's reset the search and go to IPs, okay, more than 100 IP addresses. Okay, we can search here, since we have the top 10 values. We can search: the IP address we want, as you can see, ends with 58. Let's see if we have an IP ending in 58 here. 58, 58, no, there is none. So we have to use the search criteria here, the search syntax, okay. So let's define the field: the field is Source IP, or you can paste the IP address immediately. So we have 14 events. Alternatively you can use the field itself, so Source_IP. It is the recommended method actually to use the fields along with the values, and we get the same answer, 14. That answers the other question.

So this covers the task part. Now these are the basics, guys. All you have to do here is to just become familiar with the Splunk processing language, learning how to search through the events, and eventually you will be able to deal with more complicated scenarios. I hope you like that and I will see you in the next video.
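The same field-value filtering the video performs in the Splunk search bar, replayed here as an added Python example over a constructed newline-delimited JSON VPN log (this is not the room's data and not code from the video or from Splunk). The field names Source_IP, Source_Country and username are assumptions about what the "interesting fields" pane would show; the SPL line in each comment is the search the helper mirrors. One event is deliberately missing Source_Country to show the caveat the video's NOT search glosses over: in SPL, `NOT Source_Country=France` keeps events that lack the field, whereas `Source_Country!=France` drops them, so the two exclusion styles can return different counts.

```python
import json
from collections import Counter

# Constructed sample, one JSON event per line (the source type Splunk
# auto-detects for such a file is JSON). Field names are assumed.
SAMPLE_LOG = """\
{"username": "Maleena", "Source_IP": "10.0.0.1", "Source_Country": "France", "action": "connect"}
{"username": "Maleena", "Source_IP": "10.0.0.1", "Source_Country": "France", "action": "disconnect"}
{"username": "Smith", "Source_IP": "203.0.113.58", "Source_Country": "United States", "action": "connect"}
{"username": "Smith", "Source_IP": "203.0.113.58", "Source_Country": "United States", "action": "connect"}
{"username": "Simon", "Source_IP": "198.51.100.7", "Source_Country": "Germany", "action": "connect"}
{"username": "James", "Source_IP": "198.51.100.9", "Source_Country": "France", "action": "connect"}
{"username": "Smith", "Source_IP": "203.0.113.58", "Source_Country": "United States", "action": "disconnect"}
{"username": "Simon", "Source_IP": "198.51.100.7", "action": "connect"}
"""


def load_events(raw: str) -> list:
    """Parse one JSON object per non-empty line into a list of field-value dicts."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


EVENTS = load_events(SAMPLE_LOG)


def count_events(events) -> int:
    # SPL: index=vpn_logs | stats count
    return len(events)


def count_by_field(events, field: str) -> Counter:
    # SPL: index=vpn_logs | stats count by <field>
    # This is the count shown next to each value in the fields pane;
    # events that do not carry the field are not counted, as in Splunk.
    return Counter(e[field] for e in events if field in e)


def values_for_match(events, match_field: str, match_value: str, target_field: str) -> Counter:
    # SPL: index=vpn_logs <match_field>=<match_value> | stats count by <target_field>
    # Answers "which username is associated with this IP" without reading every event.
    return Counter(
        e[target_field]
        for e in events
        if e.get(match_field) == match_value and target_field in e
    )


def count_not_equal(events, field: str, value: str) -> int:
    # SPL: index=vpn_logs NOT <field>=<value> | stats count
    # NOT negates the match, so events that lack the field are KEPT.
    return sum(1 for e in events if e.get(field) != value)


def count_field_differs(events, field: str, value: str) -> int:
    # SPL: index=vpn_logs <field>!=<value> | stats count
    # != requires the field to exist, so events that lack the field are DROPPED.
    return sum(1 for e in events if field in e and e[field] != value)


if __name__ == "__main__":
    print("total events:", count_events(EVENTS))
    print("events per username:", dict(count_by_field(EVENTS, "username")))
    print("usernames for 203.0.113.58:", dict(values_for_match(EVENTS, "Source_IP", "203.0.113.58", "username")))
    print("NOT Source_Country=France:", count_not_equal(EVENTS, "Source_Country", "France"))
    print("Source_Country!=France:", count_field_differs(EVENTS, "Source_Country", "France"))
    print("events from 203.0.113.58:", count_by_field(EVENTS, "Source_IP")["203.0.113.58"])
```

When the two exclusion counts disagree, the difference is exactly the number of events with no value in that field; checking for that gap before reporting an "all countries except X" figure avoids quietly under- or over-counting.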
Info
Channel: Motasem Hamdan
Views: 34,374
Id: Wd0uHZL1L1U
Length: 24min 3sec (1443 seconds)
Published: Sun Nov 06 2022