06-SPLUNK

DISCLAIMER: this part was written before the project started. You may have to make some minor changes.

SPLUNK REQUIREMENTS

SIZING

To help you size your Splunk server, you can use the Splunk Sizing calculator on AppSpot.

SYSTEM REQUIREMENTS

The official documentation gives you the system requirements for Splunk Enterprise on-premises here.

PORTS

Don't forget to open the ports on your firewall. The default ports needed are:

  • 9997 for forwarders to the Splunk indexer.

  • 8000 for clients to the Splunk Search page.

  • 8089 for splunkd (also used by deployment server).

If you need more, check this.

PERSONAL RECOMMENDATION

HARDENING

Your Splunk server will receive a lot of important data about your enterprise. I really recommend you harden it.

NOTES

After 60 days you can convert to a perpetual free license.

INSTALLATION OF SPLUNK (WINDOWS)

For the training we will install Splunk on a Windows Server 2022 virtual machine.

  • Go to the Splunk Site

  • Create an account

  • Download the MSI installer

  • Read the Licence Agreement. I know, this seems useless and nobody does it, but YOU need to read it and understand it. Splunk will contain all your enterprise information, and you need to know what will be done with your data.

  • Accept the Licence Agreement

  • For the training we will customize the options, so press "Customize Options" even though we will leave the default configuration.

  • Select where you want to install Splunk

  • Install Splunk as Local System

  • Set the credentials

  • Launch the install and wait

CHECK THE SPLUNK INSTALLATION

After the job is done, try to connect to it: https://127.0.0.1:8000

Congratulations, you have installed Splunk!

SUPERVISION

If you go to services.msc you will find a "Splunkd Service" which has the startup type "Automatic" and must be in the Running state. You can monitor this service and its status to check your Splunk state.

INSTALLATION OF SPLUNK (LINUX)

For this part I will use an Ubuntu 22.04 Desktop computer. It will also work with other distributions and with a server edition, but since I use this VM for other things, it is easier.

WITH GUI

  • Go to the Splunk Site

  • Create an account

  • Download the .deb file

  • Go to your Downloads folder

  • Right-click on it > Open With Other Application > Software Install

Click on the "Install" button and wait.

WITH CLI

  • Go to the Splunk Site

  • Create an account

  • When you try to download it, check the upper right corner

  • Click on "Command Linux Wget"; it will give you the command you need to download it.

  • For this section I will use the .tgz format

  • Open your terminal

  • Go to your installation folder (/opt for me)

  • Paste the command given a few steps ago

  • Add "sudo" if needed

  • Switch to the root user

  • Extract it with: tar xvzf splunk-9.0.1-82c987350fde-Linux-x86_64.tgz

  • Launch it: /opt/splunk/bin/splunk start --accept-license

  • Answer the questions

  • Try to connect to the link given

CHECK THE SPLUNK INSTALLATION

By default, Splunk on Linux does not run at system startup. To make it start at boot, run this command as root: /opt/splunk/bin/splunk enable boot-start

Restart and check the status: /opt/splunk/bin/splunk status

SEND WINDOWS LOGS TO IT

INSTALL SPLUNK UNIVERSAL FORWARDER

For the training, we will install the Universal Forwarder with the default configuration.

  • Go to the Windows computer

  • Download the setup

  • Read the Splunk General Terms

  • Download the MD5

  • Open the .md5 file to get the checksum; at the time of writing it is: 183a09c64537832701320609e665e3e7

  • Check your MD5 (Get-FileHash .\splunkforwarder-9.0.0.1-9e907cedecb1-x64-release.msi -Algorithm MD5) to confirm you've got the right installer.

  • Launch the setup

  • Read the Licence Agreement

  • Accept the Licence Agreement

  • Select "an on-premises Splunk Enterprise instance" because we have installed Splunk on an on-premises server.

Once again, we use the default configuration. In your company you may use a service account to run the Universal Forwarder instead.

  • Give a username to Universal Forwarder.

  • Give the IP or hostname of the server and the port of the receiving indexer. I use the IP because I have no DNS in my lab. We did not change any configuration during the Splunk installation, so the port used is 9997.

Why give the IP in "Receiving Indexer" and not in "Deployment Server"? Because we don't have a deployment server. A deployment server is the server that can push a configuration to your Universal Forwarders.

  • Launch the install

CHECK UNIVERSAL FORWARDER FOR WINDOWS INSTALLATION

  • Go to services.msc

  • Check if "SplunkForwarder Service" is up.

  • Check that the connection is open with PowerShell (Test-NetConnection -ComputerName Splunk_IP -Port 9997)

Congratulations, you have installed the Splunk Universal Forwarder!
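The two checks from the steps above (installer checksum against the downloaded .md5 file, and TCP reachability of the indexer on 9997) as an added Python script, not part of the original training and not Splunk's own tooling. The .md5 file layout is an assumption, so the parser just extracts the first 32-hex-digit token; the hash in MD5_FILE_TEXT is the one quoted above. If the download page also offers a SHA-512 sum, prefer it over MD5.

```python
import hashlib
import re
import socket

# Constructed .md5 file content (layout assumed); the hash itself is the one
# quoted in the walkthrough above for this forwarder release.
MD5_FILE_TEXT = (
    "MD5 (splunkforwarder-9.0.0.1-9e907cedecb1-x64-release.msi) = "
    "183a09c64537832701320609e665e3e7"
)


def md5_of_stream(chunks):
    """MD5 over an iterable of byte chunks, so a large MSI never sits in memory."""
    digest = hashlib.md5()
    for chunk in chunks:
        digest.update(chunk)
    return digest.hexdigest()


def file_md5(path):
    """MD5 of a file on disk, read 1 MiB at a time."""
    with open(path, "rb") as fh:
        return md5_of_stream(iter(lambda: fh.read(1 << 20), b""))


def parse_md5_file(text):
    """Pull the 32-hex-digit checksum out of the .md5 file, whatever its layout."""
    match = re.search(r"\b[0-9a-fA-F]{32}\b", text)
    if match is None:
        raise ValueError("no MD5 checksum found in .md5 file")
    return match.group(0).lower()


def checksum_matches(actual_hex, md5_file_text):
    """True only when the computed hash equals the published one."""
    return actual_hex.lower() == parse_md5_file(md5_file_text)


def indexer_reachable(host, port=9997, timeout=3.0):
    """TCP reachability of the receiving port, like Test-NetConnection -Port 9997."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    import sys
    # Usage: python check_forwarder.py <installer.msi> <installer.md5> <SPLUNK_IP>
    msi, md5_path, host = sys.argv[1:4]
    with open(md5_path) as fh:
        print("installer ok:", checksum_matches(file_md5(msi), fh.read()))
    print("indexer reachable on 9997:", indexer_reachable(host))
```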

CHECK ON SPLUNK

  • Go to your Splunk Server

  • Go to Settings > Forwarder management

You should see your Windows computer on this page.

If you don't see your computer after a few minutes, try restarting the Splunk Universal Forwarder service and check that the connection between client and server is OK.

ADD DATA TO SPLUNK

In Splunk you can add data in different ways. Here we will see two of them: through the forwarder installed on the Win10 computer, and by uploading a log file.

ADD DATA FROM FORWARDER

  • Go to Settings > Add Data

  • Select "Forward" at the bottom

  • Add the computer to the selected hosts and give it a Server Class Name

  • Press "Next"

  • Select what you want to monitor; in this case we want to collect the local event logs from this computer.

    • Select which logs you want

  • Press "Next"

  • Select the index where the logs need to be put.

    • I chose to create a new one named "WinLog_clients"

      • For this, click on "Create a new Index"

  • Press "Review" to check, then "Submit".

Now you can press "Start Searching" to try to find your last logon on the client computer.

CHECK YOUR INDEXES

  • Go to Settings > Indexes

  • Search for the index you created previously

As you can see, there are no incoming events yet; you are going to configure that now.

ADD RECEIVER

  • Go to Settings > Forwarding and receiving

  • Click to add a new receiving port

  • Add port 9997 (it's the default one, remember the beginning)

  • Wait a few minutes and check your indexes again; you will see new values

  • Try a quick search ;)

ADD DATA FROM UPLOADED LOGS

  • Go to Settings > Add Data

  • Select "Upload" in the bottom left corner

  • Choose the file you want to upload, then press "Next"

  • Check how Splunk will read your file, then press "Next" if everything is OK

  • Select a host field value if needed, and the index that will be used (left at default in the exercise)

  • Continue to the end, and start searching on it ;)

SEARCHES

Let's take a tour of the Search page.

As you can see, there is a lot of information to understand; let's try to clarify it.

TRAPS AND TIPS

  • Field names are case sensitive

  • Field values are not case sensitive

  • Wildcards are available (use *)

  • You can use operators such as AND, OR, NOT

DATE SELECTION

The first thing to do is to select the date range.

From here you can choose:

  • Presets (today, last week, last year, last 24 hours, etc.)

  • Relative (beginning of hour, X minutes ago, X weeks ago, etc.)

  • Real-time

  • Date range (between 00:00 DD/MM/YYYY and 24:00 DD/MM/YYYY)

  • Date & time range (same, but you can also choose the hour)

TIMELINE

When you perform a search, Splunk displays a timeline.

SEARCH MODE

There are three modes; you will mostly use Smart Mode.

This is where you enter your request.

As I said previously, you can use the wildcard character ("*") and operators. You can mix them all!

  • Looking for usernames beginning with "Je"? Try Username=Je* and you will find usernames like Jeanne, Jean, etc.

  • Looking for logons on the computer named computer1? Try eventid=4624 AND computername=computer1

  • Looking for every logon on any computer except the domain controller? Try eventid=4624 NOT computername=domaincontroller

  • Remember to use "Search History" ;)
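To make the traps and the three example requests above concrete, here is a small Python matcher, added here and not part of the original training nor Splunk's search engine, that applies the same rules over constructed Windows logon events: field names are case sensitive, values are not, "*" is a wildcard, and AND / OR / NOT combine terms. It evaluates terms left to right without parentheses, a simplification of real SPL precedence, and uses the field names Splunk extracts from Windows event logs (EventCode, ComputerName, Account_Name).

```python
import fnmatch

# Constructed sample events, not real data, with the field names Splunk
# extracts from Windows event logs (EventCode, ComputerName, Account_Name).
EVENTS = [
    {"EventCode": "4624", "ComputerName": "computer1", "Account_Name": "Jeanne"},
    {"EventCode": "4624", "ComputerName": "domaincontroller", "Account_Name": "Jean"},
    {"EventCode": "4625", "ComputerName": "computer1", "Account_Name": "Admin"},
    {"EventCode": "4624", "ComputerName": "computer2", "Account_Name": "paul"},
]


def term_matches(event, field, pattern):
    """One 'field=pattern' term: field name case sensitive, value not, '*' wildcard."""
    if field not in event:  # "eventcode=4624" finds nothing: EventCode != eventcode
        return False
    return fnmatch.fnmatchcase(event[field].lower(), pattern.lower())


def matches(event, query):
    """Evaluate terms joined by AND / OR / NOT, left to right, implicit AND.

    Simplification: real SPL gives NOT and AND precedence over OR and supports
    parentheses; this toy evaluator does not.
    """
    result, op, negate = True, "AND", False
    for token in query.split():
        word = token.upper()
        if word in ("AND", "OR"):
            op = word
            continue
        if word == "NOT":
            negate = True
            continue
        field, _, pattern = token.partition("=")
        value = term_matches(event, field, pattern) != negate  # apply a pending NOT
        result = (result and value) if op == "AND" else (result or value)
        op, negate = "AND", False
    return result


def search(query, events=EVENTS):
    """Return the events a Splunk-style search would list, in index order."""
    return [e for e in events if matches(e, query)]


if __name__ == "__main__":
    for q in ("Account_Name=Je*",
              "EventCode=4624 NOT ComputerName=domaincontroller",
              "eventcode=4624"):
        print(q, "->", [e["Account_Name"] for e in search(q)])
```

Running it shows the third request returning nothing at all, which is exactly what happens in Splunk when the field name's case is wrong.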

FIELDS

Fields are listed on the left. Here you have every field available in your search.

Select a field to get information about it.

SAVE AS

In this menu you can choose to save your request as a report, an alert or a dashboard.

REPORTS

WHAT IS A REPORT

Basically, reports are saved searches and their results. Reports can be scheduled or run when needed.

EXERCISE

For this part, we will use a simple request to find failed logons with an account that contains "admin". My request is: source="WinEventLog:*" index="winlog_clients" EventCode=4625 AND Nom_du_compte=Admin

You may need to change "Nom_du_compte" to "accountname".

  • Try your request in the search bar

  • Go to the Save As menu and select

  • Give a title and a description of your report

  • Save and go to View

EDIT OR DELETE AN EXISTING REPORT

  • From the Search app, go to the Reports section

Here you can find all existing reports.

  • Select the report created a few minutes ago.

From here you can see information about your report.

  • Select the Edit button

EXERCISE

We will schedule this report every day at 08:00 AM to get yesterday's failed logons.

  • Select "Edit Schedule"

  • Check "Schedule Report"

  • Configure it.

In this exercise you don't use trigger actions, but I invite you to check what you can do when your report is generated (like sending an email, launching a script, etc.).

  • Save and check the information about your report again.

ALERTS

WHAT IS AN ALERT

Alerts are saved searches that trigger when certain conditions are met. They can be scheduled or real-time. In the latter case, be careful not to overload your Splunk server.

EXERCISE

Use the same request as in the report section and save it as an alert.

As you can see, you have more information to give than for a simple report. You will need to give the kind of alert (scheduled or real-time), the trigger condition (for example, if you have more than 35 failed logons), and the action.

DASHBOARD

A dashboard is nothing more than ... a dashboard. From here you can find a lot of the information you need.

You can make one for analysts and one for your customers, with different information. If you always use the same requests and always need the same information, making a dashboard is a good idea.

EXERCISE

Use the same request as previously and save it as a new dashboard called "SOC L1". Because it's for everyone in the SOC, you must share it.

Here we have only one panel, but you can add other panels to this dashboard.

CHECK SPLUNK HEALTH STATUS

When you're connected to Splunk, click the health icon next to the Administrator menu.

On the left panel you have the status of each part of the Splunk server; on the right panel you have the explanation of each signal.

SECURITY REQUESTS

Splunk gives you some ready-made security requests to detect things like brute force. Simply go to Splunk Security Essentials, aka SSE.

MANAGING USERS

ROLES

By default Splunk gives you some roles. To find or create a new role, go to Settings > Roles.

From here you can edit or add a new role. A role defines permissions on the Splunk server, on Splunk requests, on which events you can see or not, etc.

USERS

When you install it, Splunk gives you only one user, which is admin. A good practice is to create another administrator account and use admin only in an emergency. This way, if you see an admin logon, you know there is a problem ;).

To find the user list and create a new one, go to Settings > Users.

Every user must have a role.

PASSWORD MANAGEMENT

When you install Splunk, it only asks for an 8-character password, no matter the complexity. You can modify this in Settings > Password management.
