Typically when people think of a SIEM, they think of Splunk,
and rightly so. Per the Splunk website, they boast that 91 of
the Fortune 100 use Splunk.
Splunk is not only used for security; it's used for data
analysis, DevOps, etc. But before speaking more on Splunk,
what is a SIEM exactly?
A SIEM (Security Information and Event Management) is a
software solution that provides a central location to collect
log data from multiple sources within your environment. This
data is aggregated and normalized, which can then be queried
by an analyst.
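As an added illustration of the aggregation and normalization step (example code written for this page, not Splunk's own ingestion pipeline): two constructed records, a Sysmon event in the XML form Windows exports and a Linux sshd syslog line, are parsed into one shared field set so that a single question ("what happened for this account?") can be asked across both sources. The schema keys, the sample records and the year assumed for the syslog line (which carries none) are this example's choices.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample records, not taken from the page or from a real host:
# a Sysmon process-creation event as the Windows event log exports it, and
# a Linux sshd syslog line.
SYSMON_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>1</EventID>
    <TimeCreated SystemTime="2021-03-10T14:02:11.123Z"/>
    <Computer>WKSTN01</Computer>
  </System>
  <EventData>
    <Data Name="Image">C:\\Program Files\\Google\\Update\\GoogleUpdate.exe</Data>
    <Data Name="User">WKSTN01\\alice</Data>
  </EventData>
</Event>"""

SYSLOG_LINE = ("Mar 10 14:03:27 web01 sshd[2211]: "
               "Failed password for sneezy from 10.0.0.5 port 51234 ssh2")

# Every normalized event carries these keys (an assumed schema), so one query
# works across sources; keys a source cannot supply stay None.
SCHEMA = ("time", "host", "source", "event_id", "user", "process", "src_ip", "_raw")

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def normalize_sysmon(xml_text):
    """Flatten the <System>/<EventData> structure into the common schema."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): d.text for d in root.find("e:EventData", NS)}
    event = dict.fromkeys(SCHEMA)
    event.update({
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "host": system.find("e:Computer", NS).text,
        "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational",
        "event_id": int(system.find("e:EventID", NS).text),
        "user": data.get("User"),
        "process": data.get("Image"),
        "_raw": xml_text,
    })
    return event


SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<clock>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def normalize_syslog(line, year=2021):
    """Parse the BSD syslog header, then pull user and source IP out of an
    sshd failure message. Syslog lines carry no year, so the caller supplies
    one (2021 is an assumption of this example)."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['clock']}",
                           "%Y %b %d %H:%M:%S")
    event = dict.fromkeys(SCHEMA)
    event.update({
        "time": ts.replace(tzinfo=timezone.utc).isoformat(),
        "host": m["host"],
        "source": f"syslog:{m['prog']}",
        "process": m["prog"],
        "_raw": line,
    })
    auth = AUTH_FAIL_RE.search(m["msg"])
    if auth:
        event["user"] = auth["user"]
        event["src_ip"] = auth["ip"]
    return event


def ingest(raw_records):
    """Route each raw record to its parser; the result is one list with a shared schema."""
    return [normalize_sysmon(r) if r.lstrip().startswith("<Event") else normalize_syslog(r)
            for r in raw_records]


def events_for_user(events, user):
    """The cross-source question a SIEM exists to answer: everything tied to one account."""
    return [e for e in events if e["user"] == user]


if __name__ == "__main__":
    for e in ingest([SYSMON_XML, SYSLOG_LINE]):
        print({k: e[k] for k in SCHEMA if k != "_raw"})
```

Keeping `_raw` alongside the extracted fields is what lets an analyst fall back to keyword searching when the parser missed something; the shared keys are what make the field-based query portable across sources.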
As stated by Varonis, there are 3 critical capabilities for a
SIEM:
Threat detection
Investigation
Time to respond
Some other SIEM features:
Basic security monitoring
Advanced threat detection
Forensics & incident response
Log collection
Normalization
Notifications and alerts
Security incident detection
Threat response workflow
This room is a general overview of Splunk and its core
features. Having experience with Splunk will help your resume
stick out from the rest.
Splunk was named a "Leader" in Gartner's 2020 Magic
Quadrant for Security Information and Event Management.
Per Gartner, "Thousands of organizations around the world use
Splunk as their SIEM for security monitoring, advanced threat
detection, incident investigation and forensics, incident
response, SOC automation and a wide range of security
analytics and operations use cases."
Navigating Splunk
When you access Splunk, you will see the default home screen
identical to the screenshot below.
Let's look at each section, or panel, that makes up the home
screen. The top panel is the Splunk Bar (below image).
In the Splunk Bar, you can see system-level messages
(Messages), configure the Splunk instance (Settings), review
the progress of jobs (Activity), miscellaneous information
such as tutorials (Help), and a search feature (Find).
You can also switch between installed Splunk apps from the Splunk Bar
instead of using the Apps panel, as shown in the image below.
Next is the Apps Panel. In this panel, you can see the apps
installed for the Splunk instance.
The default app for every Splunk installation is Search &
Reporting.
The next section is Explore Splunk. This panel contains quick
links to add data to the Splunk instance, add new Splunk apps,
and access the Splunk documentation.
The last section is the Home Dashboard. By default, no
dashboards are displayed. You can choose from a range of
dashboards readily available within your Splunk instance. You
can select a dashboard from the dropdown menu or by visiting
the dashboards listing page.
Splunk Apps
As mentioned in the previous task, Search & Reporting is a
Splunk app installed by default with your Splunk instance.
This app is also referred to as the Search app. If you click
on the Search & Reporting app, you will be redirected to
the Search app (see image below).
The Search app is where you will enter your Splunk queries to
search through the data ingested by Splunk. More on Splunk
queries later.
The above image is the navigation for the Search app. Each app
will have its own navigation menu. This menu is different from
the menu/navigation within the Splunk bar, accessible
throughout your entire Splunk session.
Let's draw our attention back to the Splunk Home page. In the
Apps panel, there is a cog icon. By clicking the cog, you will
be redirected to the Manage Apps page. From this page, you can
change various settings (properties) for the installed apps.
Let's look at the properties for the Search & Reporting app by
clicking on Edit properties.
You can change the app's display name, whether the app should
check for updates, and whether the app should be visible in
the Apps panel or not.
Tip: If you want to land in the Search app automatically upon login,
you can do so by editing the user-prefs.conf file.
Windows: C:\Program Files\Splunk\etc\apps\user-prefs\default\user-prefs.conf
Linux: /opt/splunk/etc/apps/user-prefs/default/user-prefs.conf
Before:
After:
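The Before/After screenshots are not reproduced here. The fragment below is an added example standing in for them, not the room's own file contents; it assumes the default_namespace key in the [general] stanza described in Splunk's user-prefs.conf spec, and that launcher (the Home app) is the value you start from.

```ini
[general]
# Before: Splunk Web opens on the Home app
# default_namespace = launcher

# After: Splunk Web opens directly on the Search & Reporting app
default_namespace = search
```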
Note: The above paths' base location will be different if you
changed your Splunk install location.
Tip: Best practice is to keep any custom conf settings in a separate
directory rather than editing the default files, because Splunk
overwrites the defaults when it is upgraded. For this room, editing
the defaults is OK.
In order for the user preferences changes to take effect,
the splunkd service has to be restarted from a command-line
prompt, using the following two commands: net stop splunkd and net
start splunkd.
Lastly, you can install more Splunk apps to the Splunk
instance to further expand Splunk's capabilities. You can
either click on + Find More Apps in the Apps panel or Splunk Apps in
the Explore Splunk panel.
To install apps into the Splunk instance, you can either
install directly from within Splunk or download it
from Splunkbase and manually upload it to add it to your
Splunk instance.
Note: You must have an account on Splunk.com to download and
install Splunk apps.
If you wish to install the app manually, click the Install app
from file button.
Just browse to the location of the app and upload it.
You can also download the app (tgz file) from Splunkbase. You
then unzip the file and place the entire directory into the
Apps location for your Splunk instance.
Note: If you performed the install steps from the Linux
section within this room and manually copied an App to the
Apps location for your Splunk instance, you might need to
change the file ownership and group to splunk or else your
Splunk instance might not restart properly.
Back to Windows, if you wish to remove an app (or an add-on),
you can do so via the command-line.
Below is the command to perform this task on Windows.
C:\Program Files\Splunk\bin>splunk.exe remove app app-name -auth splunk-username:splunk-password
Note: The syntax is similar on Linux machines.
If the command were successful, you would see the following
output: App 'app-name' removed
Refer to the following Splunk documentation here for more
information about managing Splunk apps.
Now time to upload an add-on into the Splunk instance.
There is a Splunk add-on on the desktop. Upload this add-on
into the Splunk instance. Restart Splunk when prompted to.
Adding Data:
Splunk can ingest any data. As per the Splunk documentation,
when data is added to Splunk, the data is processed and
transformed into a series of individual events.
The sources of the data can be event logs, website logs,
firewall logs, etc.
Data sources are grouped into categories. Below is a chart
listing from the Splunk documentation detailing each data
source category.
Please refer to the Splunk documentation here for more
information regarding the specific data source you want to add
to Splunk.
In this room, we're going to focus on Sysmon Logs.
When we click on the Add Data link (from the Splunk home
screen), we're presented with the following screen.
Looking at the guides, if we click on Operating System, we
should see Windows event logs. But the only option available
is Forward data to Splunk indexers. This is not what we want.
Let's ignore the guides and look at the bottom
options: Upload, Monitor, and Forward.
Note: The above screenshot is what you'll see if you installed
Splunk locally on your end. The Splunk instance in the
attached room will only show Upload, Monitor, and Forward.
(see below)
Since we want to look at Windows event logs and Sysmon logs
from this host system, we want Monitor.
There are many options to pick from on the following
screen. Local Event Logs is the one we want.
Look at the list of Available item(s). Do you see PowerShell logs
listed? How about Sysmon? I didn't either.
Another way we can add data to the Splunk instance is
from Settings > Data Inputs.
As you can see, there are A LOT more logs we can add to the
Splunk instance.
Now it's your turn to add some data to the Splunk instance so
we can start querying them.
Splunk Queries:
By now, you should have installed the Splunk app/add-on and
added a data source to Splunk.
Now is the fun part, querying the data that is now residing in
Splunk.
If you have completed the Windows Event Log and Sysmon rooms,
you will remember that you queried the various logs using
either Event Viewer, the command line, or PowerShell, and used
filtering techniques to narrow down the information you were
looking for.
Thankfully, with a SIEM (such as Splunk), we can create
queries to find the data we're looking for across various data
sources in one tool.
Enter an asterisk * in the Search bar and change the timeframe
to search from Last 24 hours to All time. This will retrieve all
the historical data within Splunk.
We haven't discussed filters yet, but essentially Last 24 hours
and All time are filters. With Last 24 hours, we're instructing
Splunk to output only the events from the historical data that
fall within the 24 hours before the point in time we submit our
query.
Click on the magnifying glass to initiate the search.
Note: The output you see might be different for you.
If you want to focus on a specific source or sourcetype, you
can specify that within the Search bar. (see below image)
This information is also available if you click
on source or sourcetype under Selected Fields.
Let's look at source.
From the above image, we see the names (values) of each source
and the number of events (count), and the percentage value (%)
of all the events for each source.
In the above image, the top 10 values are visible.
Let's start our query with Sysmon as the source. The query
will look like this:
source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
We'll use this one, instead of WinEventLog:Microsoft-Windows-Sysmon/Operational,
since it has more events we can sift through.
I'll select the first event that appeared for me for
demonstration purposes. Expanding on the event, the details of
the event are more readable.
Before:
After:
Some of these fields are specific to Sysmon. Refer to the
Sysmon room if you are not familiar with Sysmon Event IDs.
Note: The fields will be different depending on the
source/sourcetype.
Back to our query, we can adjust our query to show events with
Event ID 12, RegistryEvent (Object create and delete).
Fields are case-sensitive. If you attempt to query for EventID
in all lowercase, no results will be returned.
You can also search by keywords. Using the same event from
above, I'll adjust the query and manually enter
'GoogleUpdate.exe.'
Unlike fields, keywords are not case-sensitive.
Instead of manually keying in the keyword, the keyword can
also be added by clicking the value you would like to add to
the existing query (Add to search) or start a new query (New
search).
In the above image, I clicked on 'GoogleUpdate.exe,' and the
options appeared.
Note: If you click on the icon to the far right for each
choice, it will open the query in a new window.
In the example below, I selected to Add to search.
You can use multiple keywords in your query. Splunk will use
an implicit AND operator between each keyword.
Example: * GoogleUpdate.exe chrome_installer.exe
Note: You can try this query in the THM Splunk instance.
The above query will search across all the events (according
to the timeframe specified) and return all the events with
GoogleUpdate.exe AND chrome_installer.exe.
A keyword doesn't necessarily have to be a single 'word'; it can
be a phrase.
To search for a phrase, you need to surround the phrase with
quotes. See the example below.
Example: * "failed password for sneezy"
The above query will return any events that contain the exact
phrase.
Note: You can try this query in the THM Splunk instance. (Make
sure you imported tutorialdata.zip into the Splunk instance
first)
Moving along. Let's go back to the Sysmon logs and look at
GoogleUpdate.exe again.
Draw your attention to the Interesting Fields sidebar. This
information is useful and can help adjust your query and
narrow down your search results even more.
Let's look at RuleName and see what the 8 values are.
We can further expand on our query with one of these values.
Note: If you click on any of the Interesting Fields sidebar
values, it will be automatically added to the existing query.
Another thing to note regarding Interesting Fields: let's say we
would like the RuleName value to appear for each event, just
like the host, source, and sourcetype fields (the default
fields for every event).
You can change the value of Selected from No to Yes. This is
visible in the above image. The value in the image is set to
No.
Let's change the value of Selected to Yes for RuleName.
Before:
After:
The Selected Fields sidebar reflects the change.
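To make the search rules from the Splunk Queries section concrete (case-sensitive field names, case-insensitive keywords, the implicit AND between terms, and quoted phrases) together with what the Interesting Fields sidebar computes (value, count and percentage, top 10), here is an added Python model of both over a handful of constructed events. It is example code for this page, not Splunk's search engine: Splunk matches indexed terms rather than substrings, and the event set, the RuleName values and the case-insensitive comparison of field values are this example's own assumptions. The `_raw` key borrows Splunk's name for the original event text.

```python
import re
from collections import Counter

SYSMON = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

# Constructed sample events (not from the room's instance). _raw holds the
# original event text; the other keys stand in for extracted fields.
EVENTS = [
    {"source": SYSMON, "EventID": 1, "RuleName": "technique_id=T1204,technique_name=User Execution",
     "_raw": "Image: C:\\Program Files\\Google\\Update\\GoogleUpdate.exe "
             "CommandLine: GoogleUpdate.exe /install chrome_installer.exe"},
    {"source": SYSMON, "EventID": 12, "RuleName": "Registry Run Keys",
     "_raw": "EventType: CreateKey Image: C:\\Program Files\\Google\\Update\\GoogleUpdate.exe "
             "TargetObject: HKLM\\Software\\Google\\Update"},
    {"source": SYSMON, "EventID": 12, "RuleName": "Registry Run Keys",
     "_raw": "EventType: DeleteKey Image: C:\\Windows\\System32\\svchost.exe "
             "TargetObject: HKLM\\Software\\Microsoft\\Cryptography"},
    {"source": SYSMON, "EventID": 13, "RuleName": "Registry Run Keys",
     "_raw": "EventType: SetValue Image: C:\\Windows\\explorer.exe "
             "TargetObject: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
    {"source": SYSMON, "EventID": 1, "RuleName": "technique_id=T1059,technique_name=Command-Line Interface",
     "_raw": "Image: C:\\Windows\\System32\\cmd.exe CommandLine: cmd.exe /c googleupdate.exe /silent"},
    {"source": "WinEventLog:Security", "EventID": 4624,
     "_raw": "An account was successfully logged on. Account Name: sneezy"},
    {"source": "/var/log/secure", "sourcetype": "linux_secure",
     "_raw": "Mar 10 14:03:27 web01 sshd[2211]: Failed password for sneezy from 10.0.0.5 port 51234 ssh2"},
    {"source": "/var/log/secure", "sourcetype": "linux_secure",
     "_raw": "Mar 10 14:03:31 web01 sshd[2211]: Failed password for invalid user dopey from 10.0.0.5 port 51236 ssh2"},
]

# One search term per match: field=value, field="quoted value", "a phrase", or a bare keyword.
TOKEN_RE = re.compile(
    r'(?P<field>[A-Za-z_][\w.]*)=(?:"(?P<qval>[^"]*)"|(?P<val>\S+))'
    r'|"(?P<phrase>[^"]*)"'
    r'|(?P<kw>\S+)')


def parse_query(query):
    """Split a query into ("field", name, value) and ("keyword", text) terms."""
    terms = []
    for m in TOKEN_RE.finditer(query):
        if m.group("field"):
            value = m.group("qval") if m.group("qval") is not None else m.group("val")
            terms.append(("field", m.group("field"), value))
        elif m.group("phrase") is not None:
            terms.append(("keyword", m.group("phrase")))  # quotes keep the phrase as one term
        else:
            terms.append(("keyword", m.group("kw")))
    return terms


def matches(event, terms):
    """Every term must match: the implicit AND between search terms."""
    for term in terms:
        if term[0] == "field":
            _, name, value = term
            if name not in event:        # field names are case-sensitive: 'eventid' never matches 'EventID'
                return False
            if str(event[name]).lower() != value.lower():
                return False
        else:
            keyword = term[1]
            if keyword == "*":           # bare asterisk: match everything
                continue
            if keyword.lower() not in event["_raw"].lower():   # keywords are not case-sensitive
                return False
    return True


def search(events, query):
    terms = parse_query(query)
    return [e for e in events if matches(e, terms)]


def field_summary(events, field, top=10):
    """What the fields sidebar shows: (value, count, percent) for the events carrying the field."""
    counts = Counter(e[field] for e in events if field in e)
    total = sum(counts.values())
    if total == 0:
        return []
    return [(value, n, round(100 * n / total, 2)) for value, n in counts.most_common(top)]


if __name__ == "__main__":
    for q in ('source="%s" EventID=12' % SYSMON,
              'source="%s" eventid=12' % SYSMON,          # lower-case field name: no results
              "* GoogleUpdate.exe chrome_installer.exe",  # implicit AND between keywords
              '* "failed password for sneezy"'):          # quoted phrase
        print(f"{len(search(EVENTS, q)):2d} event(s) <- {q}")
    for value, count, pct in field_summary(search(EVENTS, f'source="{SYSMON}" GoogleUpdate.exe'), "RuleName"):
        print(f"{count:3d} {pct:6.2f}%  {value}")
```

Running the script reproduces the sequence from the text: the Sysmon source plus EventID=12 narrows to two events, the same query with eventid in lower case returns nothing, and the RuleName summary over the GoogleUpdate.exe hits is the list you would click on in the sidebar to tighten the query further.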
Refer to the following Splunk documentation for more
information on searching in Splunk.
https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Aboutthesearchapp
https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Startsearching
https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Aboutthetimerangepicker
https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Usefieldstosearch
https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Usefieldlookups
https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Searchwithfieldlookups
https://docs.splunk.com/Documentation/Splunk/8.1.2/Knowledge/AboutSplunkregularexpressions