Splunk | Log Analysis | Adding Data | Searching / Querying | Incident Investigation | Dashboards & Reports | TryHackMe's Room Tasks

Splunk is one of the leading SIEM solutions on the market, providing the ability to collect, analyze and correlate network and machine logs in real time. It helps aggregate data from different data sources in the enterprise environment to enhance security monitoring.


Overview:
In this project I will share how I used and learned Splunk during TryHackMe's SOC L1 learning path. TryHackMe is a platform that provides hands-on cybersecurity challenges and labs for learning and practicing various hacking and security-related skills. It's a legal and ethical platform designed for educational purposes, allowing users to develop their skills in a controlled environment. There were different rooms in which I performed many tasks utilizing Splunk, such as ingesting logs, analyzing logs, querying data, performing an investigation and creating dashboards.

Terminologies Used:
Splunk Forwarder: The Splunk Forwarder is a lightweight agent installed on the endpoint to be monitored; its main task is to collect the data and send it to the Splunk instance. It does not affect the endpoint's performance as it uses very few resources.

Splunk Indexer: The Splunk Indexer plays the main role in processing the data it receives from forwarders. It takes the data, normalizes it into field-value pairs, determines the data type, and stores it as events. Processed data is easy to search and analyze.

Search Head: The Splunk Search Head is the place within the Search & Reporting App where users can search the indexed logs, as shown below. When the user searches for a term or uses the Splunk Search Processing Language (SPL), the request is sent to the indexer and the relevant events are returned in the form of field-value pairs.

Log Collection / Ingestion

TASKS GIVEN BY TRY HACK ME: Download the attached log file "VPN_logs" and upload this file into the Splunk instance with the right source type and answer the following questions.

I played the role of the forwarder/agent and uploaded the VPN log file into Splunk using Splunk's Add Data option, then answered the questions by performing further operations, querying and analyzing the logs.


1. Select Source -> Where I selected the log source.



2. Select Source Type -> Selected what type of logs are being ingested. When I uploaded the file, Splunk automatically detected the type of data, i.e. JSON.


3. Input Settings -> Selected the index where these logs will be dumped and the host name to be associated with the logs.
The host name is the name of the machine from which the logs are extracted. In my case I was not sure about the host name as the log file was provided by THM, so I entered VPN Connection as the host name.


Selected vpn_logs as an index.



4. Review -> Reviewed all the information.


5. Final step, where the data is uploaded successfully and ready to be analyzed.



Querying Data & Log Analysis


Using Splunk's Search Head:
I found the number of events associated with the IP address (given in the question) using the following query:
source="VPNlogs.json" host="VPN_Connections" index="vpn_logs" sourcetype="_json" 107.14.182.38


I also found the number of events originating from all countries except France using the following query:
source="VPNlogs.json" host="VPN_Connections" index="vpn_logs" sourcetype="_json" 107.14.182.38 NOT Source_Country="France"


Using Fields: 

I found the name associated with the given IP address using fields.

I also found the number of events related to the specific user (given in the question).
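The two searches above, and the two field lookups just described, can be reproduced offline on a handful of constructed JSON VPN events. The following Python is an added example, not part of the original write-up and not Splunk code; it approximates how the SPL search bar treats a bare keyword (matches anywhere in the event), implicit AND between terms and field=value pairs, and NOT field=value exclusion. The field names (Source_ip, UserName, Source_Country, action) and the records themselves are assumptions made for the sample, not the contents of the TryHackMe file.

```python
import json

# Constructed newline-delimited JSON VPN events, shaped like the _json sourcetype
# the write-up ingests. Sample data only, not the TryHackMe VPN_logs file.
VPN_LOGS_JSON = """\
{"Source_ip": "107.14.182.38", "UserName": "Smith", "Source_Country": "United States", "action": "success"}
{"Source_ip": "107.14.182.38", "UserName": "Smith", "Source_Country": "United States", "action": "failed"}
{"Source_ip": "107.14.182.38", "UserName": "Smith", "Source_Country": "France", "action": "success"}
{"Source_ip": "80.12.34.56", "UserName": "Doe", "Source_Country": "France", "action": "success"}
{"Source_ip": "41.22.90.1", "UserName": "Doe", "Source_Country": "Kenya", "action": "success"}
"""


def load_events(text):
    """Parse one JSON object per line into the field-value pairs Splunk would index."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def matches_term(event, term):
    """A bare search term in SPL matches the raw event text; approximate that by
    checking every field value for the term (case-insensitive)."""
    needle = term.lower()
    return any(needle in str(value).lower() for value in event.values())


def search(events, terms=(), include=None, exclude=None):
    """Filter like the SPL search bar: every bare term AND every field=value
    pair must match, and no NOT field=value pair may match."""
    include = include or {}
    exclude = exclude or {}
    results = []
    for event in events:
        if not all(matches_term(event, t) for t in terms):
            continue
        if not all(event.get(field) == value for field, value in include.items()):
            continue
        if any(event.get(field) == value for field, value in exclude.items()):
            continue
        results.append(event)
    return results


def usernames_for(events, ip):
    """The 'name associated with the IP' question: the distinct UserName values
    among events mentioning the IP, which is what the Fields sidebar lists."""
    return sorted({e["UserName"] for e in search(events, terms=[ip])})


if __name__ == "__main__":
    events = load_events(VPN_LOGS_JSON)
    print("events for IP:", len(search(events, terms=["107.14.182.38"])))
    print("events not from France:", len(search(events, exclude={"Source_Country": "France"})))
    print("names for IP:", usernames_for(events, "107.14.182.38"))
    print("events for user Doe:", len(search(events, include={"UserName": "Doe"})))
```

The substring match in matches_term is looser than Splunk's token-based search (Splunk would not match "10.1.1.1" inside "10.1.1.10"), so treat it as a reading aid for how the filters combine rather than a reimplementation of the indexer.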

Incident Investigation using Splunk:

Given Scenario:
SOC Analyst Johny has observed some anomalous behaviour in the logs of a few Windows machines. It looks like the adversary has access to some of these machines and has successfully created a backdoor. His manager has asked him to pull those logs from the suspected hosts and ingest them into Splunk for a quick investigation. Our task as SOC Analyst was to examine the logs and identify the anomalies.

Step # 1. No. of events:
I started my investigation by finding the total number of events collected and ingested in the index main by using the query index=main in the Splunk Search Head.


Step # 2. Username of the infected host:
I found the new username 'A1berto' on the infected host, where the adversary was successful in creating a backdoor user, using the query index=main EventID=4720
When a user account is created in Active Directory, event ID 4720 is logged. That's why I searched using this ID.


Step # 3. Path of the updated registry key:
I found the full path of the registry key 'HKLM\SAM\SAM\Domains\Account\Users\Names\A1berto' using the query index=main Category="Registry object added or deleted (rule: RegistryEvent)" A1berto. This key was also updated on the infected host for the new backdoor user.



Step # 4. Log Analysis:
I examined the logs and identified the user "Alberto" that the adversary was trying to impersonate.


Step # 5. Log Analysis:
I found the command used by the adversary to add a backdoor user from a remote computer, which is "C:\windows\System32\Wbem\WMIC.exe" /node:WORKSTATION6 process call create "net user /add A1berto paw0rd1"


Step # 6. Infected Host:
I found the name of the infected host 'James.browne' on which suspicious PowerShell commands were executed.
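The six investigation steps above chain together: a 4720 event names the new account, the name is compared with legitimate accounts to spot the look-alike, the registry event confirms the account landed in the SAM, and the process-creation event shows the remote WMIC command that created it. The Python below is an added example written for this write-up, not code from TryHackMe or Splunk; it runs those checks over constructed events whose values mirror the findings above. The field names (EventID, Category, Image, CommandLine, TargetObject, ComputerName, TargetUserName) follow the Windows Security and Sysmon fields Splunk commonly extracts, the KNOWN_USERS list and the LOOKALIKES table are assumptions, and the events themselves are sample data, not the room's logs.

```python
import re

# Constructed Windows Security / Sysmon events as Splunk would present them
# (field-value pairs). Values mirror the write-up above; sample data only.
EVENTS = [
    {"EventID": 4720, "Category": "User Account Management",
     "TargetUserName": "A1berto", "ComputerName": "WORKSTATION6"},
    {"EventID": 1, "Category": "Process Create (rule: ProcessCreate)",
     "Image": "C:\\windows\\System32\\Wbem\\WMIC.exe",
     "CommandLine": '"C:\\windows\\System32\\Wbem\\WMIC.exe" /node:WORKSTATION6 '
                    'process call create "net user /add A1berto paw0rd1"',
     "ComputerName": "James.browne"},
    {"EventID": 12, "Category": "Registry object added or deleted (rule: RegistryEvent)",
     "TargetObject": "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\A1berto",
     "ComputerName": "WORKSTATION6"},
    {"EventID": 1, "Category": "Process Create (rule: ProcessCreate)",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe",
     "ComputerName": "WORKSTATION6"},
]

# Legitimate accounts the analyst compares new names against (assumed list).
KNOWN_USERS = ["Alberto", "James.browne", "Administrator"]

# Character swaps commonly used to make a rogue account resemble a real one.
LOOKALIKES = {"1": "l", "|": "l", "0": "o", "3": "e", "5": "s", "@": "a"}

# WMIC remote process creation that runs `net user /add <name> ...` on another host.
REMOTE_NET_USER = re.compile(
    r'/node:(?P<host>\S+)\s+process\s+call\s+create\s+"net\s+user\s+/add\s+(?P<user>[^\s"]+)',
    re.IGNORECASE,
)


def normalise(name):
    """Fold look-alike characters so 'A1berto' and 'Alberto' compare equal."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in name).lower()


def new_user_accounts(events):
    """Step 2: event ID 4720 = 'A user account was created'."""
    return [e["TargetUserName"] for e in events if e.get("EventID") == 4720]


def impersonated_user(new_user, known_users):
    """Step 4: return the legitimate account the new name imitates, or None."""
    for known in known_users:
        if known != new_user and normalise(known) == normalise(new_user):
            return known
    return None


def registry_keys_for_user(events, user):
    """Step 3: registry add/delete events whose target path names the user."""
    return [e["TargetObject"] for e in events
            if e.get("Category", "").startswith("Registry object added or deleted")
            and user in e.get("TargetObject", "")]


def remote_user_creations(events):
    """Steps 5 and 6: WMIC invocations that add a user on a remote node, with the
    host the command ran on (source) and the host it targeted."""
    hits = []
    for e in events:
        if not e.get("Image", "").lower().endswith("wmic.exe"):
            continue
        match = REMOTE_NET_USER.search(e.get("CommandLine", ""))
        if match:
            hits.append({"source_host": e.get("ComputerName"),
                         "target_host": match.group("host"),
                         "user": match.group("user"),
                         "command": e["CommandLine"]})
    return hits


def triage(events, known_users):
    """Run the checks in the order the investigation above proceeds."""
    report = {}
    for user in new_user_accounts(events):
        report[user] = {
            "impersonates": impersonated_user(user, known_users),
            "registry_keys": registry_keys_for_user(events, user),
            "remote_creation": [h for h in remote_user_creations(events) if h["user"] == user],
        }
    return report


if __name__ == "__main__":
    for user, findings in triage(EVENTS, KNOWN_USERS).items():
        print(user, "->", findings)
```

In a real environment the look-alike check is the part worth keeping: a 4720 event alone is routine, but a new name that normalises to an existing account, created by a process-call-create from a different host, is the combination that should page someone.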




Reports in Splunk:

Created a report for the network server logs that lists the ports used in network connections and their counts, using the query host="network-server" | stats count by port.





Dashboards in Splunk:

Created a dashboard from the VPN logs that shows the status codes in a line chart.
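The report above is a `stats count by port` over one host's events, and a line chart of status codes over time is what `timechart span=5m count by status` produces before the dashboard panel draws it. The Python below is an added example, not part of the original write-up and not Splunk code; it computes both tables offline so the aggregation behind the report and the dashboard panel can be seen without a Splunk instance. The events are constructed sample data, and the field names (host, port, _time, status) are assumptions chosen to match the queries in the text.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed network-server events (field-value pairs). Sample data, not the THM logs.
NETWORK_EVENTS = [
    {"host": "network-server", "port": 443, "action": "allow"},
    {"host": "network-server", "port": 443, "action": "allow"},
    {"host": "network-server", "port": 22, "action": "deny"},
    {"host": "web-server", "port": 80, "action": "allow"},
]

# Constructed VPN events with timestamps and status codes for the line chart.
VPN_EVENTS = [
    {"_time": "2024-01-01T10:00:05Z", "status": 200},
    {"_time": "2024-01-01T10:02:10Z", "status": 401},
    {"_time": "2024-01-01T10:04:59Z", "status": 200},
    {"_time": "2024-01-01T10:05:01Z", "status": 200},
    {"_time": "2024-01-01T10:09:30Z", "status": 401},
]


def stats_count_by(events, field, where=None):
    """Equivalent of `<filter> | stats count by <field>`: {value: count}.
    `where` holds the field=value terms that precede the pipe."""
    where = where or {}
    selected = [e for e in events if all(e.get(k) == v for k, v in where.items())]
    return dict(Counter(e.get(field) for e in selected))


def timechart_count_by(events, field, span_seconds):
    """Equivalent of `| timechart span=<span> count by <field>`: one row per time
    bucket (start of bucket, ISO 8601 UTC) holding {value: count}."""
    buckets = defaultdict(Counter)
    for e in events:
        ts = datetime.fromisoformat(e["_time"].replace("Z", "+00:00"))
        epoch = int(ts.timestamp())
        start = epoch - (epoch % span_seconds)  # align to the span boundary
        label = datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        buckets[label][e[field]] += 1
    return {label: dict(counts) for label, counts in sorted(buckets.items())}


if __name__ == "__main__":
    print("ports on network-server:", stats_count_by(NETWORK_EVENTS, "port", where={"host": "network-server"}))
    for bucket, counts in timechart_count_by(VPN_EVENTS, "status", 300).items():
        print(bucket, counts)
```

Each row of the timechart result is one x-axis point of the dashboard's line chart, with one series per status code; empty buckets (a 5-minute window with no events) are omitted here, whereas Splunk fills them with zeros.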




