Open WDavid404 opened 12 months ago
BOTSv2 GitHub: https://github.com/splunk/botsv2 (a sample security dataset and CTF platform for information security professionals, researchers, students, and enthusiasts).
Case1:
Other:
Search for email records related to the beer company: index="botsv2" sourcetype="stream:smtp" berkbeer.com
Splunk Components
Three main components:
Splunk Forwarder
Splunk Forwarder is a lightweight agent installed on the endpoint intended to be monitored, and its main task is to collect the data and send it to the Splunk instance. It does not affect the endpoint's performance as it takes very few resources to process. Some of the key data sources are:
Splunk Indexer
Splunk Indexer plays the main role in processing the data it receives from forwarders. It takes the data, normalizes it into field-value pairs, determines the datatype of the data, and stores them as events. Processed data is easy to search and analyze.
Search Head
Splunk Search Head is the place within the Search & Reporting App where users can search the indexed logs as shown below. When the user searches for a term or uses the search language known as Splunk Search Processing Language (SPL), the request is sent to the indexer and the relevant events are returned in the form of field-value pairs.
Navigating Splunk
Splunk Bar
Splunk Dashboard
By default, no dashboards are displayed. You can choose from a range of dashboards readily available within your Splunk instance.
Adding Data
The data sources can be event logs, website logs, firewall logs, etc. Data sources are grouped into categories.