TryHackMe - Splunk 101 | IAANSEC
Introduction to Splunk
Typically when people think of a SIEM, they think of Splunk, and rightly so. Per the Splunk website, they boast that 91 of the Fortune 100 use Splunk.
Splunk is not only used for security; it’s used for data analysis, DevOps, etc. But before speaking more on Splunk, what is a SIEM exactly?
A SIEM (Security Information and Event Management) is a software solution that provides a central location to collect log data from multiple sources within your environment. This data is aggregated and normalized, which can then be queried by an analyst.
As stated by Varonis, there are 3 critical capabilities for a SIEM:
- Threat detection
- Investigation
- Time to respond
Some other SIEM features:
- Basic security monitoring
- Advanced threat detection
- Forensics & incident response
- Log collection
- Normalization
- Notifications and alerts
- Security incident detection
- Threat response workflow
This room is a general overview of Splunk and its core features. Having experience with Splunk will help your resume stick out from the rest.
Splunk was named a “Leader” in Gartner’s 2020 Magic Quadrant for Security Information and Event Management.
Per Gartner, “Thousands of organizations around the world use Splunk as their SIEM for security monitoring, advanced threat detection, incident investigation and forensics, incident response, SOC automation and a wide range of security analytics and operations use cases.”
Room Machine
Before moving forward, deploy the machine. If you want to RDP into the machine yourself:
- Machine IP:
IP ADDRESS
- User name:
administrator
- User password:
letmein123!
Open Chrome and navigate to the Splunk instance (http://127.0.0.1:8000). You may need to refresh the page until Splunk loads.
Note: Splunk can take up to five minutes to fully load.
If you want to install Splunk on your own machine, follow Splunk’s official installation notes here.
Splunk Apps
Q. What is the ‘Folder name’ for the add-on?
Answer: TA-microsoft-sysmon
Q. What is the Version?
Answer: 10.6.2
Adding Data
Q. Upload the Splunk tutorial data on the desktop. How many events are in this source?
Note: Make sure you upload the data once only.
To add the tutorial data, start by:
- Clicking “Add Data” on the homepage.
- Click “Upload”.
- Click “Select file” or drag and drop the “tutorialdata” zip from the desktop into Splunk.
- Click “Next” to proceed to “Input Settings”.
- Leaving everything as default in “Input Settings” and click “Review”.
- Click “Submit”.
- Click “Start Searching”.
- Lastly wait Splunk to load all the events.
Answer: 109,864
Splunk Queries
Q. What is the sourcetype?
- Start by searching “failed password” in the search field.
- The sourcetype can be found in the bottom right corner of each of the events.
Answer: www1/secure
Q. What is the last username in this tab?
- After heading over to the “Patterns” tab the last pattern mentions the username “myuan”.
Answer: myuan
Q. Search for failed password events for this specific username. How many events are returned?
- While still under the “Patterns” tab, add the username that was found to the search query. After doing so, the events will be filtered to match the query.
Answer: 16
Sigma Rules
Q. Use the Select document feature. What is the Splunk query for ‘sigma: APT29’?
- Head over to Uncoder.io
- In the “Select document” bar start typing “apt” and select APT29
- Select Splunk and translate, the splunk rule will be displayed in the box to the right.
Answer: CommandLine="-noni -ep bypass $
Q. Use the Github Sigma repo. What is the Splunk query for ‘CACTUSTORCH Remote Thread Creation’?
- Head over to the Sigma github repo.
- Navigate to *rules > windows > create_remote_thread > sysmon_cactustorch.yml.
- Copy and paste the yml rule into Uncoder.io and translate it to Splunk.
Answer: SourceImage=“\System32\cscript.exe" OR SourceImage="\System32\wscript.exe” OR SourceImage=“\System32\mshta.exe" OR SourceImage="\winword.exe” OR SourceImage=“\excel.exe") AND TargetImage="\SysWOW64\*” AND NOT StartModule="
Dashboards & Visualizations
- Add the tutorialdata to Splunk and query for * | top limit=5 EventID
- From there follow the diagrams provided in the Dashboards & Visualizations and you should be able to get the graph to display.
Connect With Me 
TryHackMe - Splunk 101 | IAANSEC
Introduction to Splunk
Typically when people think of a SIEM, they think of Splunk, and rightly so. Per the Splunk website, they boast that 91 of the Fortune 100 use Splunk.
Splunk is not only used for security; it’s used for data analysis, DevOps, etc. But before speaking more on Splunk, what is a SIEM exactly?
A SIEM (Security Information and Event Management) is a software solution that provides a central location to collect log data from multiple sources within your environment. This data is aggregated and normalized, which can then be queried by an analyst.
As stated by Varonis, there are 3 critical capabilities for a SIEM:
Some other SIEM features:
This room is a general overview of Splunk and its core features. Having experience with Splunk will help your resume stick out from the rest.
Splunk was named a “Leader” in Gartner’s 2020 Magic Quadrant for Security Information and Event Management.
Per Gartner, “Thousands of organizations around the world use Splunk as their SIEM for security monitoring, advanced threat detection, incident investigation and forensics, incident response, SOC automation and a wide range of security analytics and operations use cases.”
Room Machine
Before moving forward, deploy the machine. If you want to RDP into the machine yourself:
IP ADDRESSadministratorletmein123!Open Chrome and navigate to the Splunk instance (
http://127.0.0.1:8000). You may need to refresh the page until Splunk loads.Note: Splunk can take up to five minutes to fully load.
If you want to install Splunk on your own machine, follow Splunk’s official installation notes here.
Splunk Apps
Q. What is the ‘Folder name’ for the add-on?
Answer: TA-microsoft-sysmon
Q. What is the Version?
Answer: 10.6.2
Adding Data
Q. Upload the Splunk tutorial data on the desktop. How many events are in this source?
Note: Make sure you upload the data once only.
To add the tutorial data, start by:
Answer: 109,864
Splunk Queries
Q. What is the sourcetype?
Answer: www1/secure
Q. What is the last username in this tab?
Answer: myuan
Q. Search for failed password events for this specific username. How many events are returned?
Answer: 16
Sigma Rules
Q. Use the Select document feature. What is the Splunk query for ‘sigma: APT29’?
Answer: CommandLine="-noni -ep bypass $
Q. Use the Github Sigma repo. What is the Splunk query for ‘CACTUSTORCH Remote Thread Creation’?
Answer: SourceImage=“\System32\cscript.exe" OR SourceImage="\System32\wscript.exe” OR SourceImage=“\System32\mshta.exe" OR SourceImage="\winword.exe” OR SourceImage=“\excel.exe") AND TargetImage="\SysWOW64\*” AND NOT StartModule="
Dashboards & Visualizations
Connect With Me