Cyber
Incidentes de ciberseguridad
Incidentes de ciberseguridad
  • Practica1.1 Retos de cifrado simetrico y asimetrico
  • Practica1.0 Busqueda de leaks
  • Practica1.2 Envio email cifrado con thunderbird
  • Practica1.3 Phising y otras estafas
  • opcional sakura_room
  • opcional WebOsint
  • Practica2.1 Generacion de elementos
  • Practica2.2.2 Entrenamiento con phising email
  • practica2.2 gophish
  • Practica 3 2 Volumenes en docker
  • Practica 3 3 Profundizacion Syslog ng
  • Practica 3 4 Port Knocking
  • Practica 3 5 Montaje SOC con ELK
  • Practica4_2 Investigacion defacement
  • Practica4_3 Splunk
  • Practica 4_1 Investigacion elastic
  • Slingshot
  • Wazuh
  • AWS
  • Opcional1.0 Phising
  • Practica 4_4 Splunk exploring spl
  • Practica4_4_1 Splunk Dashboards
  • wireshark
Powered by GitBook
On this page

Practica 4_4 Splunk exploring spl

PreviousOpcional1.0 PhisingNextPractica4_4_1 Splunk Dashboards

Last updated 1 year ago

TASK 2

Vamos a comenzar entrando a la maquina:

Clickamos en search and reporting:

Y como nos dice tryhackme trabajaremos sobre el index=”windowslogs” , aquí ya podemos ver el nombre del host.

TASK 3

Vamos a comenzar yéndonos al serach history que esta al principio y buscamos el séptimo filtro que se utilizo quitando los dos primeros que escribi yo:

Para saber que ip es la que mas eventos genero :

Como podemos ver fue la 172.90.12.11 , ya que las primeras no cuentan por que es mi propia maquina.

Para la siguiente maquina vamos a poner el filtro de tiempo que nos dicen en tryhackme y ver el numero de eventos que se generaron:

TASK 4

(info de marcadores para splunk)

Comparison Operators

These operators are used to compare the values against the fields. Some common comparisons operators are mentioned below:

Field Name

Operator

Example

Explanation

Equal

=

UserName=Mark

This operator is used to match values against the field. In this example, it will look for all the events, where the value of the field UserName is equal to Mark.

Not Equal to

!=

UserName!=Mark

This operator returns all the events where the UserName value does not match Mark.

Less than

<

Age < 10

Showing all the events with the value of Age less than 10.

Less than or Equal to

<=

Age <= 10

Showing all the events with the value of Age less than or equal to 10.

Greater than

>

Outbound_traffic > 50 MB

This will return all the events where the Outbound traffic value is over 50 MB.

Greater Than or Equal to

>=

Outbound_traffic >= 50 MB

This will return all the events where the Outbound traffic value is greater or equal to 50 MB.

Lets use the comparison operator to display all the event logs from the index "windowslogs", where AccountName is not Equal to "System"

Search Query: index=windowslogs AccountName !=SYSTEM

Boolean Operators

Splunk supports the following Boolean operators, which can be very handy in searching/filtering and narrowing down results.

Operator

Syntax

Explanation

NOT

field_A NOT value

Ignore the events from the result where field_A contain the specified value.

OR

field_A=value1 OR field_A=value2

Return all the events in which field_A contains either value1 or value2.

AND

field_A=value1 AND field_B=value2

Return all the events in which field_A contains value1 and field_B contains value2.

To understand how boolean operator works in SPL, lets add the condition to show the events from the James account.

Search Query: index=windowslogs AccountName !=SYSTEM AND AccountName=James

Wild Card

Splunk supports wildcards to match the characters in the strings.

Wildcard symbol

Example

Explanation

*

status=fail*

It will return all the results with values like

status=failed

status=failure

In the events, there are multiple DestinationIPs reported. Let's use the wildcard only to show the DestinationIP starting from 172.*

Search Query: index=windowslogs DestinationIp=172.*

Para el primer ejercicio nos pide cuantos eventos hay con el eventid = 1 y el nombre “*James*” , CUIDADO CON LAS MAYUSCULAS AL PRINCIPIO DE CADA FLAG!!!!:

Luego nos piden los eventos con una ip y un puerto concreto :

A continuación dada una query ya por thm , ver que source ip tiene mas counts:

Luego nos piden el numero de eventos que contengan el nombre cyber:

Respueta 0

Pero con cyber*:

TASK 5

Fields

Command

fields

Explanation

Fields command is used to add or remove mentioned fields from the search results. To remove the field, minus sign ( - ) is used before the fieldname and plus ( + ) is used before the fields which we want to display.

Syntax

| fields <field_name1> <field_name2>

Example

| fields + HostName - EventID

Let's use the fields command to only display host, User, and SourceIP fields using the following syntax.

Search Query: index=windowslogs | fields + host + User + SourceIp

Note: Click on the More field to display the fields if some fields are not visible.

Search

Command

search

Explanation

This command is used to search for the raw text while using the chaining command |

Syntax

| search <search_keyword>

Example

| search "Powershell"

Use the search command to show all the events containing the term Powershell. This will return all the events that contain the term "Powershell".

Search Query: index=windowslogs | search Powershell

Dedup

Command

dedup

Explanation

Dedup is the command used to remove duplicate fields from the search results. We often get the results with various fields getting the same results. These commands remove the duplicates to show the unique values.

Syntax

| dedup <fieldname>

Example

| dedup EventID

We can use the dedup command to show the list of unique EventIDs from a particular hostname.

Search Query: index=windowslogs | table EventID User Image Hostname | dedup EventID

Rename

Command

rename

Explanation

It allows us to change the name of the field in the search results. It is useful in a scenario when the field name is generic or log, or it needs to be updated in the output.

Syntax

| rename <fieldname>

Example

| rename User as Employees

Let's rename the User field to Employees using the following search query.

Search Query: index=windowslogs | fields + host + User + SourceIp | rename User as Employees

Para el primer ejercicio que te pide el event id de la 3 linea dada el filtro en thm:

4103

Para el segundo ejercicio te dice que de la query anterior antes del reverse le hagas un dedup Hostname y digas el nombre del primer hostname:

Salena.adam

TASK 6

SPL provides various commands to bring structure or order to the search results. These sorting commands like head, tail, and sort can be very useful during logs investigation. These ordering commands are explained below:

Table

Explanation

Each event has multiple fields, and not every field is important to display. The Table command allows us to create a table with selective fields as columns.

Syntax

| table <field_name1> <fieldname_2>

Example

| table

| head 20 # will return the top 20 events from the result list.

This search query will create a table with three columns selected and ignore all the remaining columns from the display.

Search Query: index=windowslogs | table EventID Hostname SourceName

Explanation

The head command returns the first 10 events if no number is specified.

Syntax

| head <number>

Example

| head # will return the top 10 events from the result list

| head 20 # will return the top 20 events from the result list

The following search query will show the table containing the mentioned fields and display only the top 5 entries.

Search Query: index=windowslogs | table _time EventID Hostname SourceName | head 5

Tail

Explanation

The Tail command returns the last 10 events if no number is specified.

Syntax

| tail <number>

Example

| tail # will return the last 10 events from the result list

| tail 20 # will return the last 20 events from the result list

The following search query will show the table containing the mentioned fields and display only 5 entries from the bottom of the list.

Search Query: index=windowslogs | table _time EventID Hostname SourceName | tail 5

sort

Explanation

The Sort command allows us to order the fields in ascending or descending order.

Syntax

| sort <field_name>

Example

| sort Hostname # This will sort the result in Ascending order.

The following search query will sort the results based on the Hostname field.

Search Query: index=windowslogs | table _time EventID Hostname SourceName | sort Hostname

Reverse

Explanation

The reverse command simply reverses the order of the events.

Syntax

| reverse

Example

<Search Query> | reverse

Search Query: index=windowslogs | table _time EventID Hostname SourceName | reverse

Nos piden el nombre del hostname de hacerl el reverse a la query que nos da thm:

Ahora te piden que a la primera query le hagas un tail y digas el ultimo eventid:

4103

Y por ultimo que hagas un sort en el sourcename:

TASK 7

Transformational commands are those commands that change the result into a data structure from the field-value pairs. These commands simply transform specific values for each event into numerical values which can easily be utilized for statistical purposes or turn the results into visualizations. Searches that use these transforming commands are called transforming searches. Some of the most used transforming commands are explained below.

General Transformational Commands

Top

Command

top

Explanation

This command returns frequent values for the top 10 events.

Syntax

| top <field_name>

| top limit=6 <field_name>

Example

top limit=3 EventID

The following command will display the top 7 Image ( representing Processes) captured.

Search Query: index=windowslogs | top limit=7 Image

Rare

Command

rare

Explanation

This command does the opposite of top command as it returns the least frequent values or bottom 10 results.

Syntax

| rare <field_name>

| rare limit=6 <field_name>

Example

rare limit=3 EventID

The following command will display the rare 7 Image (Processes) captured.

Search Query: index=windowslogs | rare limit=7 Image

Highlight

Command

highlight

Explanation

The highlight command shows the results in raw events mode with fields highlighted.

Syntax

highlight <field_name1> <field_name2>

Example

highlight User, host, EventID, Image

The following command will highlight the three mentioned fields in the raw logs

Search Query: index=windowslogs | highlight User, host, EventID, Image

STATS Commands

SPL supports various stats commands that help in calculating statistics on the values. Some common stat commands are:

Command

Explanation

Syntax

Example

Average

This command is used to calculate the average of the given field.

stats avg(field_name)

stats avg(product_price)

Max

It will return the maximum value from the specific field.

stats max(field_name)

stats max(user_age)

Min

It will return the minimum value from the specific field.

stats min(field_name)

stats min(product_price)

Sum

It will return the sum of the fields in a specific value.

stats sum(field_name)

stats sum(product_cost)

Count

The count command returns the number of data occurrences.

stats count(function) AS new_NAME

stats count(source_IP)

Splunk Chart Commands

These are very important types of transforming commands that are used to present the data in table or visualization form. Most of the chart commands utilize various stat commands.

Chart

Command

chart

Explanation

The chart command is used to transform the data into tables or visualizations.

Syntax

| chart <function>

Example

| chart count by User

Search Query: index=windowslogs | chart count by User

Timechart

Command

timechart

Explanation

The timechart command returns the time series chart covering the field following the function mentioned. Often combined with STATS commands.

Syntax

| timechart function <field_name>

Example

| timechart count by Image

The following query will display the Image chart based on the time.

Search Query: index=windowslogs | timechart count by Image

Cual es el top 6 de imágenes y di el numero ce counts:

196

En el siguiente ejercicio nos piden el usuario con menos counts por medio del comando rare :

James

Y para el ultimo:

Head