Cyber Incident Investigation with Splunk | TryHackMe Investigating with Splunk

Introduction

This tutorial guides you through the process of investigating a cyber incident using Splunk, a powerful tool for analyzing machine-generated data. By the end, you will understand how to identify attack artifacts on compromised Windows machines and effectively utilize Splunk for incident analysis.

Step 1: Setting Up Splunk

• Install Splunk: Download and install Splunk from the official website. Ensure you have the necessary permissions and system requirements.
• Create an Account: Sign up for a Splunk account if required and log in.
• Configure Data Inputs:
  • Navigate to the "Data" section.
  • Select "Add Data" and choose the source type, which in this case will be Windows event logs.

Step 2: Collecting Windows Event Logs

• Enable Windows Event Logging: Make sure that the Windows machines you are investigating have event logging enabled.
• Set up Forwarding:
  • Use the Splunk Universal Forwarder on each Windows machine to send logs to your Splunk instance.
  • Follow the setup guide provided by Splunk to configure forwarding.

Step 3: Searching for Cyber Incident Indicators

• Access the Search Interface: Go to the "Search & Reporting" app in Splunk.
• Use Search Queries:
  • Begin with basic queries such as:

    index=your_index_name sourcetype=WinEventLog:Security
    

  • Refine your search by focusing on specific events, for example, Event ID 4624 for logon events.

Step 4: Analyzing Events

• Identify Suspicious Activities:
  • Look for unusual logon times, failed logon attempts, and logons from unusual locations.
  • Use the stats command to summarize events:

    stats count by user, src_ip
    

• Review Event Details:
  • Click on individual events to view detailed information.
  • Pay attention to fields such as User Name, Source IP, and Logon Type.

Step 5: Investigating Attack Artifacts

• Check for Malware Indicators:
  • Search for known malware hashes or signatures within your logs.
• Examine File Changes:
  • Investigate any unexpected file modifications or creations, particularly in system directories.
  • Use the following search query to find changes:

    index=your_index_name sourcetype=WinEventLog:FileSystem
    

Step 6: Documenting Findings

• Create a Report: Document your findings, including:
  • Summary of identified threats.
  • Steps taken during the investigation.
  • Recommendations for remediation.
• Use Splunk Dashboards:
  • Create visualizations to represent your findings effectively.
  • Use charts and graphs to summarize data for stakeholders.

Conclusion

By following these steps, you can effectively investigate cyber incidents using Splunk. Always ensure your event logs are properly configured and regularly monitored for anomalies. For further learning, explore Splunk's training resources and practice with real-world scenarios to enhance your skills.