Homework: Let's go Splunking!

Step 1: The Need for Speed

• Upload the following file of the system speeds around the time of the attack:
  • Speed Test File
• Using the eval command, create a field called ratio that shows the ratio between the upload and download speeds.

    source="server_speedtest.csv" host="DDoS" sourcetype="csv"
    | eval ratio = UPLOAD_MEGABITS / DOWNLOAD_MEGABITS
• Create a report using Splunk's table command to display the following fields in a statistics report:
  • _time
  • IP_ADDRESS
  • DOWNLOAD_MEGABITS
  • UPLOAD_MEGABITS
  • Ratio

    source="server_speedtest.csv" host="DDoS" sourcetype="csv"
    | eval ratio = UPLOAD_MEGABITS / DOWNLOAD_MEGABITS
    | table _time IP_ADDRESS DOWNLOAD_MEGABITS UPLOAD_MEGABITS ratio
• Answer the following questions:
  • Based on the report created, what is the approximate date and time of the attack?
    The attack was launched on 2020-02-23 14:30:00
  • How long did it take your systems to recover?
    The attack lasted about 8 hours (from 14:30:00 through 22:30:00)
Step 2: Are We Vulnerable?

Task: Create a report determining how many critical vulnerabilities exist on the customer data server. Then, build an alert to notify your team if a critical vulnerability reappears on this server.

• Upload the following file from the Nessus vulnerability scan:
  • Nessus Scan Results
• Create a report that shows the count of critical vulnerabilities from the customer database server.
  • The database server IP is 10.11.36.23.
  • The field that identifies the level of vulnerabilities is severity.

    source="nessus_logs.csv" host="Nessus_Scanner" sourcetype="csv" dest_ip="10.11.36.23" severity="*"
    | stats count by severity
    | sort severity_id

• Build an alert that monitors every day to see if this server has any critical vulnerabilities. If a vulnerability exists, have an alert emailed to soc@vandalay.com.
Step 3: Drawing the (base)line

Task: Analyze administrator logs that document a brute force attack. Then, create a baseline of the ordinary amount of administrator bad logins and determine a threshold to indicate if a brute force attack is occurring.

• Upload the administrator login logs:
  • Admin Logins
• When did the brute force attack occur?
  The attack started from 2020-02-21 8:30 through 2020-02-21 2:00pm
• Determine a baseline of normal activity and a threshold that would alert if a brute force attack is occurring.
  25 attempted logins per hour would be a good baseline to determine brute force attacks. I will also set 25 logins as a threshold that would alert the security team.
• Design an alert to check the threshold every hour and email the SOC team at SOC@vandalay.com if triggered.
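As an added example (not part of the homework or its data files), the Step 3 baseline-and-threshold logic in Python over a constructed admin login log: it buckets failed logins per hour the way `timechart span=1h count` does in SPL, derives a baseline from a known-quiet day, and lists the hours that would trip the 25-per-hour alert. The CSV columns, IP addresses and counts are assumptions chosen for the sample.

```python
import csv
import io
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample admin login log (not the homework's data file). The quiet day
# (2020-02-20) carries 3-5 failed logins per hour; on 2020-02-21 the 08:00-13:59
# window carries 60 per hour, standing in for the brute-force attack.
SAMPLE_LOG = "_time,user,action,src_ip\n" + "".join(
    f"2020-02-20 {h:02d}:{m * 10:02d}:00,admin,failure,10.0.0.5\n"
    for h in range(24) for m in range(3 + h % 3)
) + "".join(
    f"2020-02-21 {h:02d}:{m:02d}:00,admin,failure,198.51.100.7\n"
    for h in range(8, 14) for m in range(60)
) + "2020-02-21 09:05:00,admin,success,10.0.0.5\n"

THRESHOLD = 25  # per-hour failed-login threshold chosen in the write-up


def failures_per_hour(log_text):
    """Count failed logins per hour, the equivalent of
    `action=failure | timechart span=1h count` in SPL."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"] != "failure":
            continue
        ts = datetime.strptime(row["_time"], "%Y-%m-%d %H:%M:%S")
        counts[ts.strftime("%Y-%m-%d %H:00")] += 1
    return counts


def baseline(counts, quiet_day):
    """Mean and std-dev of hourly failures on a day known to be attack-free.
    Hours with no failures are missing from counts, so fill them with 0."""
    vals = [counts.get(f"{quiet_day} {h:02d}:00", 0) for h in range(24)]
    return mean(vals), pstdev(vals)


def alert_hours(counts, threshold=THRESHOLD):
    """Hours whose failed-login count reaches the threshold: what an hourly
    scheduled alert would fire on."""
    return sorted(hour for hour, c in counts.items() if c >= threshold)


if __name__ == "__main__":
    counts = failures_per_hour(SAMPLE_LOG)
    mu, sigma = baseline(counts, "2020-02-20")
    print(f"baseline: {mu:.1f} +/- {sigma:.1f} failed logins per hour")
    for hour in alert_hours(counts):
        print(f"ALERT {hour}: {counts[hour]} failed admin logins (>= {THRESHOLD})")
```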