This write up refers to the Splunk 2 room on TryHackMe. In Splunk 101 we were taught the very basics of how to install and use Splunk. Now it's time to tackle some real challenges!

Task 1: Deploy!

Deploy the attached VM and connect to it. Then click the Completed button.

This room works with data generated by members of Splunk's Security Specialist team based on version 2 of the Boss of the SOC (BOTS) competition by Splunk. We are roleplaying as Alice Bluebird, an analyst who successfully assisted Wayne Enterprises and was recommended to Grace Hoppy at Frothly to assist them with their recent issues.

To find out what events we are dealing with, use the metadata command to search for the same kind of information found in the Data Summary, while also being able to search within a specific index. Since all time values are epoch time, we also need the eval command to provide more human-friendly formatting. The following example searches the botsv2 index and returns a listing of all the source types that can be found, as well as a count of events and the first and last time each was seen:

    | metadata type=sourcetypes index=botsv2 | eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S") | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S") | eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | sort - totalCount

Question 2

Click the Completed button.

Task 3: 100 series questions

For now we focus on BOTSv2 questions 100-104. Our focus is a person called Amber Turing and her communication with a competitor. Find out what competitor website she visited.

Begin with the following command to search for Amber's IP address:

    index="botsv2" amber

This command will produce a lot of events, though you can find her IP on the first page. However, to get her IP easily, try this:

    index="botsv2" sourcetype="pan:traffic" amber

Given this information we can build new search queries and focus on her HTTP traffic like this:

    index="botsv2" IPADDR sourcetype="stream:HTTP"

However, this still produces a lot of results to go through just to find the website of the competitor she was looking at. Let's try narrowing it down a bit further by making use of the site field and displaying the output in a table, like so:

    index="botsv2" IPADDR sourcetype="stream:HTTP" | dedup site | table site

Question 2-7: With this search it should be easy to find the website Amber connected to; just think about which company Amber works for and in which industry branch. You can even narrow it down further:

    index="botsv2" IPADDR sourcetype="stream:HTTP" *INDUSTRY* | dedup site | table site

This gives us the competitor website.

We now know that Amber found the executive contact information and sent him an email. Based on question 2, it has to be an image. With this knowledge it is easy to construct a new query to narrow down Amber's HTTP traffic to the competitor website:

    index="botsv2" IPADDR sourcetype="stream:HTTP" COMPETITOR_WEBSITE

Expand on this command to get the specific field we want and output it in table format as previously:

    index="botsv2" IPADDR sourcetype="stream:HTTP" COMPETITOR_WEBSITE /images/* | table uri_path

This gives us /images/ceoberk.png.

Now we need Amber's email to look at the SMTP traffic between her and the CEO of berkbeer. Try:

    index="botsv2" sourcetype="stream:SMTP" *amber*

This gives us her email address. We have the last name of the CEO and Amber's email; to get his full name, however, we need to focus on the email traffic between Amber and the CEO. Try this command:

    index="botsv2" sourcetype="stream:SMTP" AMBERS_EMAIL COMPETITOR_WEBSITE

Paying attention to the email conversation by looking at the content_body field reveals his full name, Martin Berk. With all this information we can solve the challenges attached to this task.
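The walkthrough above pivots by hand: copy Amber's IP out of the pan:traffic results, paste it into the stream:HTTP search, then eyeball the site and uri_path tables. The same pivot can be done in a single search with a subsearch, which is how an analyst would normally avoid hard-coding an IP and avoid the copy-paste error that comes with it. The query below is an added example for this write up, not a search from the room or from the original author. It assumes that both pan:traffic and stream:HTTP events carry a src_ip field (the Splunk CIM name for the client address; confirm it in your own data with the field sidebar), and it keeps the author's *INDUSTRY* placeholder, which you replace with the industry keyword you settled on.

```spl
index="botsv2" sourcetype="stream:http"
    [ search index="botsv2" sourcetype="pan:traffic" amber
      | stats count BY src_ip
      | sort - count
      | head 1
      | fields src_ip ]
    site="*INDUSTRY*"
| eval is_image=if(match(uri_path, "(?i)\.(png|jpe?g|gif)$"), 1, 0)
| stats count AS hits, sum(is_image) AS images, values(eval(if(is_image=1, uri_path, null()))) AS image_paths BY site
| sort - hits
```

The subsearch in square brackets runs first: it takes the pan:traffic events that mention amber, counts them per src_ip, keeps the most frequent address and hands it back to the outer search as src_ip="<address>", so the outer search is restricted to that client without anyone typing the IP. The outer search then filters on the site field for the industry keyword, flags requests whose uri_path ends in an image extension, and aggregates per site: how many requests went there and which image paths were fetched. The row for the competitor's site shows the image from question 2 directly, and the hits column makes it easy to tell a site Amber actually browsed from one that appeared once in an advert or redirect.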