Homework - Let's go Splunking

Homework: Let’s go Splunking! Step 1: The Need for Speed • • Upload the following file of the system speeds around the time of the attack. • Speed Test File Using the eval command, create a field called ratio that shows the ratio between the upload and download speeds. • source="server_speedtest.csv" host="DDoS" sourcetype="csv" | eval ratio =UPLOAD_MEGABITS / DOWNLOAD_MEGABITS • Create a report using the Splunk's table command to display the following fields in a statistics report: • • • • • _time IP_ADDRESS DOWNLOAD_MEGABITS UPLOAD_MEGABITS Ratio source="server_speedtest.csv" host="DDoS" sourcetype="csv" | eval ratio =UPLOAD_MEGABITS / DOWNLOAD_MEGABITS | table _time IP_ADDRESSDOWNLOAD_MEGABITS UPLOAD_MEGABITS ratio • Answer the following questions: • Based on the report created, what is the approximate date and time of the attack? The attack was launched on 2020-02-23 14:30:00 • How long did it take your systems to recover? The attack lasts about 8 hours (from 14:30:00 through 22:30:00) Step 2: Are We Vulnerable? Task: Create a report determining how many critical vulnerabilities exist on the customer data server. Then, build an alert to notify your team if a critical vulnerability reappears on this server. • • Upload the following file from the Nessus vulnerability scan. • Nessus Scan Results Create a report that shows the count of critical vulnerabilities from the customer database server. • • The database server IP is 10.11.36.23. The field that identifies the level of vulnerabilities is severity. source="nessus_logs.csv" host="Nessus_Scanner" sourcetype="csv" dest_ip="10.11.36.23" severity="*" | stats count by severity | sort severity_id • Build an alert that monitors every day to see if this server has any critical vulnerabilities. If a vulnerability exists, have an alert emailed to soc@vandalay.com. Step 3: Drawing the (base)line Task: Analyze administrator logs that document a brute force attack. Then, create a baseline of the ordinary amount of administrator bad logins and determine a threshold to indicate if a brute force attack is occurring. • • Upload the administrator login logs. • Admin Logins When did the brute force attack occur? • • • • The attack started from 2020-02-21 8:30 through 2020-02-21 2:00pm Determine a baseline of normal activity and a threshold that would alert if a brute force attack is occurring. 25 attempt logins per hour would be a good baseline to determine brute force attacks. I will also set 25 logins as a threshold that would alert security team Design an alert to check the threshold every hour and email the SOC team at SOC@vandalay.com if triggered.