Splunk SIEM Tutorial | Most Popular Cybersecurity Tool
Today we’re coming back to solve some cyber mysteries using one of the most widely used cybersecurity tools, especially for analysts working in a SOC. Splunk is a log analytics platform that is widely deployed as a Security Information and Event Management (SIEM) tool: it provides a central location to collect log data from multiple sources within your environment. That data is indexed, normalized with common field names, and can then be searched by an analyst. Splunk is not just for cyber folks; it’s also used for general data analysis, DevOps, and more.

In this video, we walk through the TryHackMe Splunk 2 lab that is part of their Cyber Defense Learning Path. This lab includes data that was generated in August of 2017 by members of Splunk’s Security Specialist team (BOTSv2). Within the environment there is a good mix of different enterprise devices which means we get access to a great collection of logs. There are a few Windows endpoints instrumented with the Splunk Universal Forwarder and Splunk Stream. The forwarders are configured with best practices for Windows endpoint monitoring, including a full Microsoft Sysmon deployment and best practices for Windows Event logging. The environment also includes a Palo Alto Networks next-generation firewall to capture traffic and provide web proxy services, and Suricata to provide network-based IDS.
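As an added example (not code from the video or from the TryHackMe room), here is the kind of Splunk search sequence an analyst runs before tackling the questions below: first profile which sourcetypes the index actually contains, then pivot into Sysmon process-creation events to look for scheduled-task creation, a common persistence technique. The index name `botsv2`, the Sysmon sourcetype, and the extracted field names (`EventCode`, `Image`, `ParentImage`, `CommandLine`, `User`) are assumptions based on the Splunk add-ons described above; run the first search and adjust them to whatever your instance reports.

```spl
`comment("Added example, not from the video. Step 1: profile the index so you know which sourcetypes exist before hunting. index name is an assumption.")`
index=botsv2 earliest=0
| stats count by sourcetype
| sort - count

`comment("Step 2: pivot into Sysmon process creation (EventCode 1) and surface schtasks.exe launches, i.e. scheduled-task creation. Sourcetype and field names follow the Sysmon add-on and are assumptions.")`
index=botsv2 sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 Image="*schtasks.exe"
| table _time host User ParentImage CommandLine
| sort _time
```

Run the searches one at a time. The first one is deliberately unbounded (`earliest=0`) because the lab data is from August 2017 and the default time picker will otherwise return nothing; the second one gives you the parent process and full command line, which is exactly what you need when a question asks what a scheduled task is beaconing to.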

In this video we’re covering the Series 300 and Series 400 questions.

To see the walkthrough for questions 100 and 200:
https://youtube.com/live/ARFnMkJhO6o

TryHackMe Splunk Room 2
https://tryhackme.com/room/splunk2gcd5

00:00 – TryHackMe Splunk2 BOTSv2 Series 300 and 400
04:03 – Series 300 Question 1: Finding Encrypted File
11:32 – Series 300 Question 2: Finding Game of Thrones Encrypted File
14:43 – Series 300 Question 3: Identify Malware USB Device Vendor
38:22 – Series 300 Question 4: What is the Malware’s Programming Language
38:51 – Series 300 Question 5: When was the Malware First Seen?
39:18 – Series 300 Question 6 and 7: What are the DNS names of the C&C Servers?
43:17 – Series 400 Question 1: Find Malicious Attachment
46:06 – Series 400 Question 2: What is the Malicious File Password?
46:58 – Series 400 Question 3: What is the APT’s SSL Issuer?
50:28 – Series 400 Question 4: What is the Unusual File?
1:03:25 – Series 400 Question 5: What is the Name Associated with PowerShell Empire File?
1:05:06 – Series 400 Question 6: What Kind of Points do you get?
1:05:44 – Series 400 Question 7: What C2 Webpage is the Scheduled Task Beaconing to?

Music provided by: https://mccoybeats.com/
#splunk #tryhackme #cyber

**Below you’ll find what are known as affiliate links. These are links to things that I actually use and recommend. If you buy them, I will receive a super small kickback that helps support this channel and the giveaways I do on social media. Thanks!!**

(YouTube Gear, IT Devices, Books, Pre-workout I use…STUFF I 100% RECOMMEND)

Here is the Azure Networking fundamentals book I used to help pass the AZ-700 (Affiliate Link): https://amzn.to/3lPb4na

Here is the CompTIA PenTest+ training book bundle I used to pass the new PenTest+ (Affiliate Link): https://amzn.to/3A9X8Hx

Network+ Study Guide that I co-authored: https://amzn.to/2vTODU2

ECAMM Live Recording Software : https://www.ecamm.com/mac/ecammlive/?fp_ref=john57

Amazon Affiliate Store: https://www.amazon.com/shop/jbizzle703

—————————————————————————————————————————————-
Subscribe to our monthly newsletter and blog notifications
https://mailchi.mp/e7b56addb7fc/cybersightblog

C—–Y—–B—–E—–R—–I—–N—–S—–I—–G—–H—–T
J.B.C.’s Site: https://www.jbcsec.com/insights
Swag Store: https://www.teepublic.com/user/jbc
Twitter: http://www.twitter.com/JBC_SEC
Author: https://twitter.com/JBizzle703

—————————————————————————————————————————————-