Splunk Apps
What is the ‘Folder name’ for the add-on?
Answer: TA-microsoft-sysmon
Context: Follow the steps in this section of the room to install the app. Once it is installed, the “Folder name” column appears next to the installed add-on, alongside the Version column used for the next question.
What is the Version?
Answer: 10.6.2
Adding Data
Upload the Splunk tutorial data on the desktop. How many events are in this source?
Answer: 109,864
Context: Upload the zip file and leave every setting at its default through the remaining steps. Once the upload completes, Splunk automatically runs a search over the new source, and the total event count is shown directly under the search bar.
Splunk Queries
What is the sourcetype?
Answer: www1/secure
Context: Look at the sourcetype field in the fields sidebar on the left, or at the sourcetype value shown beneath each event in the results.
What is the last username in this tab?
Answer: myuan
Context: Read the three lines shown under Patterns; the third line reads “Failed password for myuan…”.
Search for failed password events for this specific username. How many events are returned?
Answer: 16
Context: Add the username myuan to your search alongside the failed-password terms, then read the event count under the search bar.
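The same count, expressed as detection logic over a few constructed sshd lines in the shape of the tutorial data's secure logs. This is an added example, not part of the room or of the Splunk dataset: the sample lines, the regex and the resulting counts are made up for illustration, so they do not reproduce the room's answer of 16. The SPL form I would type for the question, "Failed password" myuan | stats count, is likewise an assumption rather than the room's published query.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the sshd 'secure' logs in the
# Splunk tutorial data. They are made up for this example and are not taken
# from the dataset, so the counts below do not match the room's answers.
SAMPLE_SECURE_LOG = """\
Mon Mar 19 20:16:02 2018 www1 sshd[4747]: Failed password for invalid user myuan from 10.11.36.29 port 1631 ssh2
Mon Mar 19 20:16:03 2018 www1 sshd[4747]: Failed password for invalid user myuan from 10.11.36.29 port 1633 ssh2
Mon Mar 19 20:16:05 2018 www1 sshd[4751]: Failed password for root from 10.11.36.29 port 1640 ssh2
Mon Mar 19 20:16:07 2018 www1 sshd[4753]: Accepted password for myuan from 10.11.36.29 port 1642 ssh2
Mon Mar 19 20:16:09 2018 www1 sshd[4760]: Failed password for invalid user admin from 10.11.36.30 port 1700 ssh2
Mon Mar 19 20:16:11 2018 www1 sshd[4762]: Failed password for myuan from 10.11.36.31 port 1702 ssh2
"""

# sshd writes "invalid user" before names that do not exist on the host;
# the optional group keeps both forms under one username field.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def failed_logins(log_text):
    """Yield (user, source_ip) for every failed-password event in log_text."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("src")


def count_failed_for_user(log_text, username):
    """Equivalent of narrowing the search to one username and reading the event count."""
    return sum(1 for user, _ in failed_logins(log_text) if user == username)


def failed_by_user(log_text):
    """Equivalent of '... | stats count by user': failed attempts per account."""
    return Counter(user for user, _ in failed_logins(log_text))


if __name__ == "__main__":
    print(count_failed_for_user(SAMPLE_SECURE_LOG, "myuan"))
    print(failed_by_user(SAMPLE_SECURE_LOG).most_common())
```

Note the "Accepted password for myuan" line: a search on the bare username alone would match it too, which is why the search (and the regex here) anchors on the failed-password text as well as the name.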
Sigma Rules
Use the Select document feature. What is the Splunk query for ‘sigma: APT29’?
Answer: CommandLine="-noni -ep bypass $" AND source=WinEventLog:*
Context: In the uncoder.io tool, use Select document to load the ‘sigma: APT29’ rule and translate it to Splunk. Copy the query from uncoder.io itself rather than from this page: the rule matches a substring of the command line, so the translated value is expected to be wrapped in * wildcards, and those characters may not have survived rendering here.
Use the Github Sigma repo. What is the Splunk query for ‘CACTUSTORCH Remote Thread Creation’?
Answer: ((SourceImage="\System32\cscript.exe" OR SourceImage="\System32\wscript.exe" OR SourceImage="\System32\mshta.exe" OR SourceImage="\winword.exe" OR SourceImage="\excel.exe") AND TargetImage="\SysWOW64\" AND NOT StartModule="") AND source=WinEventLog:*
Context: First, locate CACTUSTORCH Remote Thread Creation by searching the Sigma GitHub repo, copy the contents of the rule, paste them into the uncoder.io tool and translate to Splunk. The rule matches the image paths as suffixes and the SysWOW64 path as a substring, so expect * wildcards around those values in the translated query; copy it directly from uncoder.io, since the asterisks may not have survived rendering here.
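What uncoder.io does for the two questions above, reduced to the part that matters for reading its output: each Sigma field modifier becomes a wildcard pattern in SPL, a list of values becomes an OR group, separate fields are ANDed, and a null value becomes a negated match-anything (the NOT StartModule="*" in the quoted query). This is an added example, not uncoder.io's code or the Sigma project's. The selection dictionary is an approximation of the CACTUSTORCH rule's detection block built from the fields in the quoted query; the |endswith and |contains modifiers and the source= suffix are assumptions, and only the modifiers needed here are handled.

```python
# Minimal Sigma-selection-to-SPL translator, added for illustration. It is not
# uncoder.io and covers only the modifiers used by the rules in this section.

# Approximation of the detection.selection block of the Sigma rule
# 'CACTUSTORCH Remote Thread Creation'. Field names and values are taken from
# the translated query quoted above; the modifiers are an assumption about how
# the rule expresses suffix and substring matches.
CACTUSTORCH_SELECTION = {
    "SourceImage|endswith": [
        "\\System32\\cscript.exe",
        "\\System32\\wscript.exe",
        "\\System32\\mshta.exe",
        "\\winword.exe",
        "\\excel.exe",
    ],
    "TargetImage|contains": "\\SysWOW64\\",
    "StartModule": None,  # Sigma null: the field must be absent
}


def _term(field, modifier, value):
    """Render one field/value pair as a single SPL term."""
    if value is None:
        # A plain SPL search has no 'field is absent' operator, so the null is
        # rendered as a negated match-anything, which is what the quoted query shows.
        return f'NOT {field}="*"'
    if modifier is None:
        return f'{field}="{value}"'
    if modifier == "startswith":
        return f'{field}="{value}*"'
    if modifier == "endswith":
        return f'{field}="*{value}"'
    if modifier == "contains":
        return f'{field}="*{value}*"'
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def selection_to_spl(selection, source="WinEventLog:*"):
    """Translate a Sigma selection (dict of 'field[|modifier]' -> value or list) to SPL.

    `source` is the log-source clause appended to the query. The default mirrors
    the suffix seen in the quoted uncoder.io output and is an assumption, not a
    mapping defined by Sigma.
    """
    clauses = []
    for key, value in selection.items():
        field, _, modifier = key.partition("|")
        values = value if isinstance(value, list) else [value]
        terms = [_term(field, modifier or None, v) for v in values]
        # Several values for one field are ORed; different fields are ANDed.
        clauses.append(f"({' OR '.join(terms)})" if len(terms) > 1 else terms[0])
    return f"({' AND '.join(clauses)}) AND source={source}"


if __name__ == "__main__":
    print(selection_to_spl(CACTUSTORCH_SELECTION))
```

Running it prints the quoted CACTUSTORCH query with the * wildcards in place, which is a quick way to check a pasted query against what the rule's modifiers imply.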
Dashboards & Visualizations
What is the highest EventID?
Answer: 11
Context: Look at the chart built by following the lesson's instructions and hover over the tallest bar; the question asks for the EventID with the highest event count, not the largest ID number.