Lab Book Checkpoint 2
Stephanie Abeyie
Maryville University
October 9, 2023
To gain root access, prefix the desired command with sudo, or open a root shell with sudo su (or sudo -i). Prefer running individual commands under sudo over staying in a root shell for the whole session.
Use a Remote Desktop Protocol (RDP) client like Microsoft Remote Desktop.
Splunk Installation
Splunk is a platform for searching, monitoring, and analyzing machine-generated data, and its capabilities and operational concerns go well beyond the installation itself. Notably, the Splunk Free license costs nothing but caps the volume of data that can be indexed per day (500 MB), so understanding licensing is essential for larger-scale data analysis projects (Subramanian, 2020). Deployment choices span on-premises and cloud settings, and a Splunk cluster is advised for scalability and high availability in large or distributed installations. Splunk can ingest data from a variety of sources, such as logs, databases, and APIs, and lets you customize how data is parsed to suit your requirements. For obtaining worthwhile insights, the ecosystem of apps and add-ons on Splunkbase extends its capabilities for particular use cases. Splunk is well suited to managing sensitive data and assisting with regulatory reporting, since it offers role-based access control, audit logging, and compliance-oriented apps. Individuals can pursue formal training and certification to fully utilize Splunk's capabilities (Mehta, 2021), and an active user community and official support channels are available for troubleshooting and tuning deployments. Splunk is therefore used across disciplines including data analytics, security, and business intelligence.
Use wget to download the Splunk package from the official Splunk website:

wget -O splunk-9.1.1-64e843ea36b1-Linux-x86_64.tgz https://download.splunk.com/products/splunk/releases/9.1.1/linux/splunk-9.1.1-64e843ea36b1-Linux-x86_64.tgz

This command retrieves the Splunk package and saves it under the specified file name. Before extracting it, compare the file's SHA-512 digest against the checksum Splunk publishes alongside the download, so that a corrupted or tampered archive is caught before it is installed. After downloading, extract the contents with tar:

tar -xzvf splunk-9.1.1-64e843ea36b1-Linux-x86_64.tgz

The archive unpacks into a directory named splunk; /opt/splunk is the conventional $SPLUNK_HOME.
Install Splunk
Once Splunk has been started from the extracted directory, it should be running, and you can access Splunk Web in a browser at http://localhost:8000. By default Splunk Web listens on port 8000 over plain HTTP on all interfaces; for anything beyond a single-user lab machine, enable HTTPS (enableSplunkWebSSL = true in web.conf) and restrict which hosts can reach the port.
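The download-and-start procedure above, with the integrity check a practitioner would add before extracting, written out as an added shell example. This is editor-supplied code, not from the lab book or from Splunk's documentation. The layout of the published .sha512 file, the /opt/splunk destination and the user-seed.conf method of seeding the admin password are stated assumptions; the download itself is left to the wget command above, so the script's demonstration runs offline against a constructed tarball.

```bash
#!/usr/bin/env bash
# Added example (not from the lab book): integrity check of the downloaded
# Splunk tarball before extraction, followed by a non-interactive first start.
# Assumptions are noted inline.
set -euo pipefail

# SHA-512 of a file, using coreutils or the BSD/macOS tool.
digest_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print $1}'
  else
    shasum -a 512 "$1" | awk '{print $1}'
  fi
}

# Check a tarball against the digest in a published .sha512 file. Only the
# 128-hex-digit digest is extracted, so both "<hex>  <file>" (coreutils) and
# "SHA512(<file>)= <hex>" (OpenSSL) layouts are accepted. Assumption: the file
# Splunk publishes next to each download uses one of these two forms.
# Returns 0 on match, 1 on mismatch or when no digest is found.
verify_tarball() {
  local tgz="$1" sumfile="$2" expected actual
  expected=$(grep -oE '[0-9a-fA-F]{128}' "$sumfile" | head -n1 | tr 'A-F' 'a-f' || true)
  if [ -z "$expected" ]; then
    echo "no SHA-512 digest found in $sumfile" >&2
    return 1
  fi
  actual=$(digest_of "$tgz")
  [ "$actual" = "$expected" ]
}

# Unpack into the parent of $SPLUNK_HOME and start Splunk without prompts,
# accepting the license and seeding the admin password through
# etc/system/local/user-seed.conf so the instance never comes up with an
# unset credential. Assumptions: $dest/splunk is the intended SPLUNK_HOME
# (default /opt/splunk) and the tarball was verified first.
install_and_start() {
  local tgz="$1" admin_pw="$2" dest="${3:-/opt}" home
  home="$dest/splunk"
  tar -xzf "$tgz" -C "$dest"
  mkdir -p "$home/etc/system/local"
  ( umask 077
    printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$admin_pw" \
      > "$home/etc/system/local/user-seed.conf" )
  "$home/bin/splunk" start --accept-license --answer-yes --no-prompt
}

# Offline demonstration: a constructed tarball, a digest file written in the
# OpenSSL layout, one clean check, then one check after the archive is altered.
demo_verify() {
  local work tgz good tampered
  work=$(mktemp -d)
  echo "constructed sample payload" > "$work/hello.txt"
  tgz="$work/sample.tgz"
  tar -czf "$tgz" -C "$work" hello.txt
  printf 'SHA512(%s)= %s\n' "$(basename "$tgz")" "$(digest_of "$tgz")" > "$tgz.sha512"
  verify_tarball "$tgz" "$tgz.sha512" && good=match || good=mismatch
  echo "x" >> "$tgz"   # simulate a corrupted or tampered download
  verify_tarball "$tgz" "$tgz.sha512" && tampered=match || tampered=mismatch
  rm -rf "$work"
  echo "$good $tampered"
}

demo_verify   # prints: match mismatch
```

For a real install, call verify_tarball on the downloaded .tgz and its .sha512 companion, and only then install_and_start with a strong admin password; the seed file is read once at first start, after which the password lives in Splunk's own user store.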
The Splunk Web interface is the main interface for working with all of Splunk's capabilities. It offers a user-friendly environment for managing and deriving insights from your machine-generated data.
Navigation Menu
The Navigation Menu, on the left, serves as Splunk's command center. It provides quick access to a wide range of features and apps, each designed for a particular purpose (Mehta, 2021). For instance, you can open applications built for specific use cases such as security or IT operations, browse pre-built dashboards in the "Dashboards" view, or
Search & Reporting Bar
The Search & Reporting Bar, conspicuously located at the top, is your entry point for searching and exploring data within Splunk. Splunk's query language, SPL, is entered here (Subramanian, 2020). These queries let you retrieve exactly the data you need, and they range from straightforward keyword searches to intricate data
App Selector
You can move between the many Splunk apps, each designed for a certain purpose, using the App Selector, normally found next to the Search & Reporting Bar. This ensures you have quick access to the tools and visualizations needed for your objective (Sigman & Delgado, 2016). Choosing the right app streamlines your work, whether you are checking system logs, looking into security events,
Search Results
Your search results are shown in the main section of the interface: the events that match your search terms. Splunk presents them in an organized, tabular form that makes them simple to review, filter, and analyze. Depending on the situation, you can examine individual events, apply filters, and visualize the data with charts and graphs.
from your machine-generated data. Here is a more detailed explanation of these essential skills:
Basic Search
In the Search & Reporting Bar, compose your search query. For instance, a search that names both an index and a sourcetype filters the data on those two attributes, so that only events from that index and that data source are returned before any further processing.
Enhance the precision of your search results using filters and time range settings:
Filters
Applying filters in Splunk enables you to dig deeper into your data. To add filters dynamically, click on specific fields or values in the search results (Sigman & Delgado, 2016). If you are reviewing logs and wish to focus on a particular source or IP address, for example, clicking on that source or address adds a filter to your search that displays only the events matching that selection.
Time Range
When working with time-sensitive data, change the time range selector to concentrate on particular intervals. To evaluate data from a certain timeframe, you can choose from predefined ranges (such as the last 24 hours or the last seven days) or define a custom range. Narrowing the time range also reduces the amount of indexed data the search has to scan, so it is the cheapest filter to apply first.
Splunk BOTSv3
Splunk BOTSv3, the third iteration of the Boss of the SOC series, presents intricate security scenarios and involves installing a dataset and performing sophisticated search operations within the Splunk environment. The installation phase is a crucial first step because it establishes
Installation of BOTSv3
The installation entails creating a dedicated Splunk instance and deploying the essential data sources and apps. Splunk Enterprise Security (ES), a premium app designed for security use cases, is frequently included in this arrangement. Participants learn about the difficulties of integrating Splunk technologies for security analytics as they work through the installation procedure. In this stage, the value of a correct setup is emphasized, and the foundation for further
cp -r botsv3_app/ $SPLUNK_HOME/etc/apps
After copying the app, restart Splunk so that the app and the index it defines are loaded.
After the installation, participants dive into the advanced search processes at the heart of BOTSv3. These exercises test participants' ability to apply their Splunk expertise to recognize and respond to security events by simulating real-world settings (Subramanian, 2020). The search questions developed for the BOTSv3 activities cover a wide range, from straightforward
Participants use Splunk's Search Processing Language (SPL) to comb through large datasets, spotting anomalies and identifying possible security issues. The tasks in BOTSv3 frequently combine several data sources, encouraging participants to build searches that span various log sources, databases, and APIs. Participants' ability to create efficient search queries, and to evaluate and act on the results, are both examined. This real-world use of search operations highlights how crucial Splunk is for security analytics and incident response.
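Installing the BOTSv3 app and then running the index/sourcetype/time-range scoped search described in the Basic Search and Filters sections above, as an added shell example. This is editor-supplied code, not part of the lab book or of the BOTSv3 project. It assumes the dataset defines index=botsv3, that aws:cloudtrail is one of its sourcetypes, that the app directory follows the standard Splunk layout (a default/app.conf inside it), and that the splunk CLI lives under $SPLUNK_HOME/bin; the demonstration at the end uses a constructed fake app directory so the install checks can be exercised without a Splunk instance.

```bash
#!/usr/bin/env bash
# Added example (not from the lab book): install the BOTSv3 app into a Splunk
# instance, restart so the app and its index are loaded, then run a scoped
# search from the CLI. Assumptions are noted inline.
set -euo pipefail

# Copy an app directory into $SPLUNK_HOME/etc/apps after two checks: the
# source must look like a Splunk app (default/app.conf present), and an app
# of the same name must not already be installed, so a re-run never silently
# merges two versions. Returns 0 on success, 1 when a check fails.
install_app() {
  local src="$1" splunk_home="$2" name dest
  name=$(basename "${src%/}")
  dest="$splunk_home/etc/apps/$name"
  if [ ! -f "$src/default/app.conf" ]; then
    echo "refusing: $src has no default/app.conf, so it is not a Splunk app" >&2
    return 1
  fi
  if [ -e "$dest" ]; then
    echo "refusing: $dest already exists; remove it first" >&2
    return 1
  fi
  mkdir -p "$splunk_home/etc/apps"
  cp -r "$src" "$dest"
  chmod -R go-w "$dest"   # app files must not be writable by other users
}

# Apps and their indexes.conf are read at startup, so restart after copying.
# A missing binary is reported as a failure rather than treated as success.
restart_splunk() {
  local splunk_home="$1"
  if [ ! -x "$splunk_home/bin/splunk" ]; then
    echo "no splunk binary under $splunk_home" >&2
    return 1
  fi
  "$splunk_home/bin/splunk" restart
}

# Run an SPL search from the CLI, scoped by index and sourcetype and bounded
# to a time range: the same filtering the Search & Reporting Bar and time
# range selector apply in Splunk Web. Assumption: the CLI accepts
# -earliest_time/-latest_time and prompts for credentials unless -auth is given.
# Example: scoped_search /opt/splunk botsv3 aws:cloudtrail -30d@d now
scoped_search() {
  local splunk_home="$1" index="$2" sourcetype="$3" earliest="$4" latest="$5"
  local spl="index=$index sourcetype=$sourcetype | stats count by source"
  "$splunk_home/bin/splunk" search "$spl" -earliest_time "$earliest" -latest_time "$latest"
}

# Offline demonstration with a constructed app directory and a fake
# SPLUNK_HOME: first install succeeds, a second copy is refused, and a
# directory without app.conf is refused.
demo_install() {
  local work ok dup bad
  work=$(mktemp -d)
  mkdir -p "$work/botsv3_app/default" "$work/not_an_app"
  printf '[install]\nis_configured = 0\n\n[ui]\nis_visible = 1\nlabel = BOTSv3\n' \
    > "$work/botsv3_app/default/app.conf"
  install_app "$work/botsv3_app" "$work/splunk" 2>/dev/null && ok=yes || ok=no
  install_app "$work/botsv3_app" "$work/splunk" 2>/dev/null && dup=yes || dup=no
  install_app "$work/not_an_app" "$work/splunk" 2>/dev/null && bad=yes || bad=no
  [ -f "$work/splunk/etc/apps/botsv3_app/default/app.conf" ] && ok="$ok:copied"
  rm -rf "$work"
  echo "$ok $dup $bad"
}

demo_install   # prints: yes:copied no no
```

On a real instance the sequence is install_app, restart_splunk, then scoped_search; the stats count by source output is a quick way to confirm that the dataset's index was created and populated before moving on to the BOTSv3 questions.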
References
Mehta, D. (2021). An Overview of Splunk. In Splunk Certified Study Guide: Prepare for the User, Power User, and Enterprise Admin Certifications (pp. 3-26). Apress.
Sigman, B. P., & Delgado, E. (2016). Splunk Essentials. Packt Publishing Ltd.
Subramanian, K. (2020). Introducing the Splunk Platform. In Practical Splunk Search Processing Language: A Guide for Mastering SPL Commands for Maximum Efficiency and Outcome. Apress.