Lab Book Checkpoint 2

The document discusses navigating the Splunk web interface. It describes the main components of the interface including the navigation menu, search and reporting bar, app selector, and search results. It also covers basic searching, using filters, and adjusting the time range in Splunk to effectively analyze machine-generated data. Finally, it provides a brief overview of installing and using the Splunk BOTSv3 application for security analytics training.



Lab Book Checkpoint 2

Stephanie Abeyie

Maryville University

ISYS 680: SECURITY LOG MANAGEMENT & ANALYSIS

Prof Randall Magiera

October 9, 2023

Lab Book Checkpoint 2

Virtual Machine Setup

Access CentOS Linux VM

• Open a terminal with an SSH client for working on Linux.
• Use the provided IP address or hostname to connect to the CentOS VM.
• Log in with your credentials.
• To gain root access, use the sudo command followed by the desired command (e.g., sudo su).

Access Windows Server VM

• Use a Remote Desktop Protocol (RDP) client such as Microsoft Remote Desktop.
• Enter the IP address or hostname of the Windows Server VM.
• Log in with your Windows credentials.

Splunk Installation

Splunk is a platform for searching, monitoring, and analyzing machine-generated data, and its capabilities and operational concerns go well beyond installation. Notably, Splunk Enterprise Free is available at no cost, but it restricts the amount of data that can be indexed daily, so understanding licensing is essential for larger-scale data analysis projects (Subramanian et al., 2020). Deployment choices span on-premises to cloud settings, and a Splunk cluster is advised for scalability and high availability in large or distributed installations. Splunk's adaptability is demonstrated by its capacity to ingest data from a variety of sources, such as logs, databases, and APIs, and by its options for customizing data parsing to your requirements. Obtaining worthwhile insights requires knowledge of Splunk's search language, SPL. Additionally, Splunk's vast ecosystem of applications and add-ons on Splunkbase extends its capability for particular use cases. Splunk is well suited to managing sensitive data and assisting in regulatory reporting, since it has strong security features and compliance support. Individuals can pursue formal training and certification to fully utilize Splunk's capabilities (Mehta et al., 2021), and can draw on an active user community and official support channels for troubleshooting and getting the most from Splunk deployments. Splunk is a flexible platform used in a variety of disciplines, including data analytics, security, and business intelligence.

Download Splunk Package

Use the wget command to download the Splunk package from the official Splunk website:

wget -O splunk-9.1.1-64e843ea36b1-Linux-x86_64.tgz https://download.splunk.com/products/splunk/releases/9.1.1/linux/splunk-9.1.1-64e843ea36b1-Linux-x86_64.tgz

This command retrieves the Splunk package and saves it with the specified filename (splunk-9.1.1-64e843ea36b1-Linux-x86_64.tgz) in the current directory.

Extract Splunk Package

After downloading the package, extract its contents using the tar command:

tar -xzvf splunk-9.1.1-64e843ea36b1-Linux-x86_64.tgz

Install Splunk

Navigate to the extracted directory (the archive unpacks into a directory named splunk, which contains the splunk binary under bin/):

cd splunk

Start Splunk and accept the license:

sudo ./bin/splunk start --accept-license


Access Splunk Web Interface

Splunk should now be running, and you can access the Splunk Web Interface using a web browser: http://localhost:8000
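A check the download step above does not include, added here as an example (it is not the lab book's code and not Splunk's): verify the tarball's SHA-512 digest against the checksum file Splunk publishes beside each release before extracting it, so a corrupted or substituted download is caught before it is run as root. The script assumes that checksum file is in sha512sum format (`<hex digest>  <filename>`); the tarball and checksum files it operates on are constructed in a temporary directory so the example runs offline.

```python
"""Verify a downloaded Splunk package against a published SHA-512 checksum file.

Added example, not from the lab book. Assumption: the checksum file holds
sha512sum-style lines, "<hex digest>  <filename>". The tarball and checksum
files used by demo() are constructed, so nothing is downloaded.
"""
import hashlib
import hmac
import os
import tempfile

PACKAGE = "splunk-9.1.1-64e843ea36b1-Linux-x86_64.tgz"


def sha512_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-512 so a large tarball never has to fit in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_sha512_file(path):
    """Return {filename: hex digest} from a sha512sum-style checksum file (assumed format)."""
    expected = {}
    with open(path, "r", encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            digest, _, name = line.partition("  ")
            # sha512sum prefixes binary-mode entries with '*'; drop it so names match
            expected[name.strip().lstrip("*")] = digest.lower()
    return expected


def verify_package(package_path, checksum_path):
    """True only if the package's digest equals the published digest for that filename."""
    expected = parse_sha512_file(checksum_path)
    name = os.path.basename(package_path)
    if name not in expected:
        return False
    actual = sha512_of_file(package_path)
    # constant-time comparison of the two hex strings
    return hmac.compare_digest(actual, expected[name])


def demo():
    """Constructed fixture: a fake tarball, a matching checksum file, and a tampered one."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = os.path.join(tmp, PACKAGE)
        with open(pkg, "wb") as fh:
            fh.write(b"not a real splunk tarball; constructed for this example\n")
        good = os.path.join(tmp, PACKAGE + ".sha512")
        with open(good, "w", encoding="utf-8") as fh:
            fh.write(f"{sha512_of_file(pkg)}  {PACKAGE}\n")
        bad = os.path.join(tmp, "tampered.sha512")
        with open(bad, "w", encoding="utf-8") as fh:
            fh.write(f"{'0' * 128}  {PACKAGE}\n")
        return verify_package(pkg, good), verify_package(pkg, bad)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

With a real download, run `verify_package("splunk-9.1.1-64e843ea36b1-Linux-x86_64.tgz", "splunk-9.1.1-64e843ea36b1-Linux-x86_64.tgz.sha512")` and only proceed to tar if it returns True.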


Navigating the Splunk Web Interface

The Splunk Web Interface is the main interface for utilizing all of Splunk's capabilities. It offers a user-friendly setting for effectively managing and deriving insights from your machine-generated data. Let's examine its essential parts in more detail:

Navigation Menu

The Navigation Menu, on the left, serves as Splunk's command center. It provides quick access to a wide range of features and apps, each designed for a particular purpose (Mehta et al., 2021). For instance, you may open applications built for specific use cases such as security or IT operations, browse pre-built dashboards in the "Dashboards" app, or go to the "Search & Reporting" app to analyze data.

Search & Reporting Bar

The Search & Reporting Bar, conspicuously located at the top, is your entryway to searching and perusing data within Splunk. Search queries are entered here in Splunk's rich query language (Subramanian et al., 2020). These queries let you retrieve exactly the data you need, and they range from straightforward keyword searches to intricate data transformations and statistical analysis.


App Selector

The App Selector, normally found next to the Search & Reporting Bar, lets you move between the many Splunk apps, each of which is designed for a certain purpose. This feature ensures you have quick access to the tools and visualizations you need to achieve your objectives (Sigman et al., 2016). Choosing the right app streamlines your work, whether you're checking system logs, looking into security events, or producing bespoke reports.


Search Results

Your search results are shown in the interface's main section, where you will find the events that match your search terms. Splunk's organized, tabular presentation of data makes it simple to review, filter, and analyze. Depending on the situation, you may examine particular events, apply filters, and even display data using charts and graphs.

Searching and Filtering Data in Splunk

Searching and filtering data effectively in Splunk is fundamental to uncovering insights from your machine-generated data. Here's a more detailed explanation of these essential skills:

Basic Search

In the Search & Reporting Bar, compose your search query. For instance, you can select specific data with criteria like index=your_index sourcetype=your_sourcetype. This query filters the data on the index and sourcetype fields.

Filters and Time Range

Enhance the precision of your search results using filters and time range settings:

Filters

Applying filters in Splunk enables you to dig deeper into your data. To add filters dynamically, click on specific fields or values in the search results (Sigman et al., 2016). If you are looking through logs and wish to focus on a certain source or IP address, for example, clicking on that source or address adds a filter to your search so that only events relevant to that selection are displayed.

Time Range Picker

When working with time-sensitive data, use the time range picker to concentrate on particular intervals. To evaluate data from a certain timeframe, you may choose from predefined time ranges (such as the last 24 hours or the last seven days) or create custom time ranges.
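To make the effect of the search terms, click-to-add filters, and the time range picker concrete, here is a small Python stand-in, added as an example; it is not the lab book's code and not Splunk's implementation. The events are constructed, `run_search`, `add_filter`, `NOW` and the relative-time table are my own names, and the logic is a simplified model of what SPL does server-side: field=value terms narrow the event set, a clicked value appends another term, and the time range picker drops everything outside the window.

```python
"""Model of how a Splunk search narrows results: field=value terms,
click-to-add filters, and the time range picker.

Added example; not the lab book's code and not Splunk's own logic.
Events and the fixed 'now' are constructed so results are reproducible.
"""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the relative time ranges below always select the same events.
NOW = datetime(2023, 10, 9, 12, 0, tzinfo=timezone.utc)

# Constructed events mixing indexes, sourcetypes, source addresses and ages.
EVENTS = [
    {"_time": NOW - timedelta(hours=1),  "index": "main", "sourcetype": "authentication",  "src_ip": "10.0.0.5", "action": "failure"},
    {"_time": NOW - timedelta(hours=2),  "index": "main", "sourcetype": "authentication",  "src_ip": "10.0.0.5", "action": "success"},
    {"_time": NOW - timedelta(hours=30), "index": "main", "sourcetype": "authentication",  "src_ip": "10.0.0.5", "action": "failure"},
    {"_time": NOW - timedelta(hours=3),  "index": "main", "sourcetype": "authentication",  "src_ip": "10.0.0.9", "action": "failure"},
    {"_time": NOW - timedelta(hours=4),  "index": "main", "sourcetype": "syslog",          "src_ip": "10.0.0.5", "action": "restart"},
    {"_time": NOW - timedelta(days=6),   "index": "web",  "sourcetype": "access_combined", "src_ip": "10.0.0.5", "action": "GET"},
]

# The two preset ranges the lab book mentions, as the picker's 'earliest' values.
RELATIVE = {"-24h": timedelta(hours=24), "-7d": timedelta(days=7)}


def parse_search(query):
    """Turn 'index=main sourcetype=authentication' into {'index': 'main', ...}."""
    filters = {}
    for token in query.split():
        key, sep, value = token.partition("=")
        if sep:
            filters[key] = value.strip('"')
    return filters


def run_search(query, earliest=None, events=EVENTS):
    """Apply every field=value term, then keep only events inside the time window."""
    filters = parse_search(query)
    lower = NOW - RELATIVE[earliest] if earliest else None
    matched = []
    for ev in events:
        if any(ev.get(k) != v for k, v in filters.items()):
            continue            # a field term did not match
        if lower is not None and ev["_time"] < lower:
            continue            # older than the picker's earliest bound
        if ev["_time"] > NOW:
            continue            # nothing newer than 'now'
        matched.append(ev)
    return matched


def add_filter(query, field, value):
    """What clicking a field value in the results does: append field=value to the search."""
    return f"{query} {field}={value}"


if __name__ == "__main__":
    base = "index=main sourcetype=authentication"
    print(len(run_search(base)))                      # 4 events match the two terms
    print(len(run_search(base, earliest="-24h")))     # 3 once the 30-hour-old one is dropped
    clicked = add_filter(base, "src_ip", "10.0.0.5")
    print(len(run_search(clicked, earliest="-24h")))  # 2 after clicking the source address
```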

Splunk BOTSv3

Splunk BOTSv3, an advanced iteration of the Boss of the SOC series, encompasses intricate security scenarios and involves the installation and sophisticated search operations within the Splunk environment. The installation phase is a crucial first step because it establishes the groundwork for participants to interact with realistic security situations.

Installation of BOTSv3

To build a realistic Security Operations Center (SOC) environment, the BOTSv3 installation entails creating a dedicated Splunk instance and deploying the essential data sources and apps. Splunk Enterprise Security (ES), a feature-rich app designed for security use cases, is frequently included in this arrangement. Participants learn about the difficulties of integrating Splunk technologies for security analytics as they work through this installation procedure. This stage emphasizes the value of a correct setup and lays the foundation for the hands-on activities that follow. The BOTSv3 app is installed by copying it into Splunk's apps directory:

cp -r botsv3_app/ $SPLUNK_HOME/etc/apps

Search Operations in BOTSv3

After the installation, participants dive into the advanced search processes at the heart of BOTSv3. These exercises test participants' use of their Splunk expertise to recognize and address security events by simulating real-world settings (Subramanian et al., 2020). The search questions developed for the BOTSv3 activities cover a wide range, from straightforward searches to intricate correlation searches. For example, the following search counts failed authentications per user and keeps only the users with more than three failures:

index=main sourcetype=authentication action=failure
| stats count by user
| where count > 3

Participants use Splunk's search processing language (SPL) to comb through enormous datasets, spotting abnormalities and possible security issues. The tasks in BOTSv3 frequently combine several data sources, encouraging participants to build correlated searches that highlight patterns and connections in the data.
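The failed-login query above, carried out in Python over constructed log lines, as an added example (not from the lab book or the BOTSv3 dataset). It models each stage of the SPL pipeline as a function: the base search filters on action=failure (the index and sourcetype terms are assumed already applied), `stats count by user` groups and counts, and `where count > 3` keeps the users over threshold; a second function shows the same count split by user and src_ip, a first step toward the correlated searches the exercises ask for. The function names and the key=value log format are assumptions of the example.

```python
"""Python stand-in for the SPL pipeline
    index=main sourcetype=authentication action=failure
    | stats count by user
    | where count > 3

Added example, not from the lab book or BOTSv3. Log lines are constructed
in a simple key=value format; only the shape of the pipeline matters.
"""
import re
from collections import Counter

# Constructed authentication events: alice and carol each have four failures,
# bob has two, and carol's failures come from two source addresses.
SAMPLE_LOG = """\
2023-10-09T10:00:01Z action=failure user=alice src_ip=10.0.0.5
2023-10-09T10:00:05Z action=failure user=alice src_ip=10.0.0.5
2023-10-09T10:00:09Z action=failure user=alice src_ip=10.0.0.5
2023-10-09T10:00:12Z action=failure user=alice src_ip=10.0.0.5
2023-10-09T10:00:20Z action=success user=alice src_ip=10.0.0.5
2023-10-09T10:01:00Z action=failure user=bob src_ip=10.0.0.9
2023-10-09T10:02:00Z action=failure user=bob src_ip=10.0.0.9
2023-10-09T10:03:00Z action=failure user=carol src_ip=10.0.0.7
2023-10-09T10:03:30Z action=failure user=carol src_ip=10.0.0.7
2023-10-09T10:04:00Z action=failure user=carol src_ip=10.0.0.7
2023-10-09T10:04:30Z action=failure user=carol src_ip=10.0.0.8
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Each non-empty line becomes a dict of extracted key=value fields plus _time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(KV.findall(rest))
        fields["_time"] = ts
        events.append(fields)
    return events


def search(events, **criteria):
    """The base search: keep events whose fields match every key=value given."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def stats_count_by(events, *fields):
    """`stats count by f1 f2 ...`: one row per distinct combination of field values."""
    counter = Counter(tuple(e.get(f) for f in fields) for e in events)
    return [dict(zip(fields, key), count=n) for key, n in counter.items()]


def where_count_gt(rows, threshold):
    """`where count > threshold`, preserving row order."""
    return [r for r in rows if r["count"] > threshold]


def failed_login_report(text, threshold=3):
    """Full pipeline: users with more than `threshold` authentication failures."""
    events = parse_events(text)
    failures = search(events, action="failure")
    return where_count_gt(stats_count_by(failures, "user"), threshold)


def failures_by_user_and_source(text):
    """Correlated variant: failures counted by user and src_ip together."""
    events = parse_events(text)
    return stats_count_by(search(events, action="failure"), "user", "src_ip")


if __name__ == "__main__":
    for row in failed_login_report(SAMPLE_LOG):
        print(row)  # alice and carol, count 4 each
```

Splitting the count by src_ip is what separates a user mistyping a password from the same user being tried from several addresses; in the sample, carol's four failures come from two sources while alice's all come from one.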

The BOTSv3 search operations also demonstrate Splunk's adaptability in managing various log sources, databases, and APIs. Participants are assessed both on their ability to create efficient search queries and on their ability to evaluate and act upon the results. This real-world use of search operations highlights how crucial Splunk is for security analytics and incident response.

References

Mehta, D., & Mehta, D. (2021). An Overview of Splunk. Splunk Certified Study Guide: Prepare for the User, Power User, and Enterprise Admin Certifications, 3-26.

Subramanian, K., & Subramanian, K. (2020). Introducing the Splunk Platform. Practical Splunk Search Processing Language: A Guide for Mastering SPL Commands for Maximum Efficiency and Outcome, 1-38.

Sigman, B. P., & Delgado, E. (2016). Splunk Essentials. Packt Publishing Ltd.
