TryHackMe: Complete Beginner (Supplements)
- author:: Nathan Acks
- date:: 2021-11-09
Can You Dig It?
Mostly this section is just looking things up in the Splunk Quick Reference Guide.
Splunk stores imported data in “indexes”; log timestamps are parsed into a reserved timestamp field. The `bucket` command can be used to group results by time (or other numeric fields) during processing; the `chart` command takes a `span=` option to do the same grouping instead.
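As an added example (not from the original notes, and not Splunk's own code), the Python below shows what span-based time bucketing actually does: the `bucket_events` and `chart_events` helpers are hypothetical stand-ins for `| bucket _time span=1h | stats count by _time` and `| chart count over _time span=1h by host`, run over a constructed list of events rather than a Splunk index.

```python
"""Time-bucketing of log events, the operation Splunk's `bucket` command and
the `span=` option of `chart`/`timechart` perform. Sample events are
constructed; the helpers are illustrations, not Splunk's implementation."""
from collections import Counter
from datetime import datetime, timezone
import re

# Constructed sample: (ISO timestamp, host) pairs standing in for events whose
# time Splunk would already have parsed into its timestamp field.
SAMPLE_EVENTS = [
    ("2021-11-09T08:05:12Z", "web01"),
    ("2021-11-09T08:47:30Z", "web01"),
    ("2021-11-09T09:01:00Z", "web02"),
    ("2021-11-09T09:59:59Z", "web01"),
    ("2021-11-09T11:10:00Z", "web02"),
]

_SPAN_RE = re.compile(r"^(\d+)(s|m|h|d)$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_span(span):
    """Turn a Splunk-style span string such as '15m' or '1h' into seconds."""
    m = _SPAN_RE.match(span)
    if not m:
        raise ValueError(f"unsupported span: {span!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def bucket_start(ts, span):
    """Floor a timestamp to the start of its span-sized bucket. Buckets are
    aligned to the Unix epoch, which is also Splunk's default alignment."""
    width = parse_span(span)
    dt = datetime.strptime(ts, _FMT).replace(tzinfo=timezone.utc)
    epoch = int(dt.timestamp())
    return datetime.fromtimestamp(epoch - epoch % width, tz=timezone.utc)


def bucket_events(events, span):
    """Stand-in for `... | bucket _time span=<span> | stats count by _time`.
    Returns {bucket_start_iso: count}. Note that, like `bucket` + `stats`,
    it does not emit empty buckets (10:00 is absent below)."""
    counts = Counter(bucket_start(ts, span).strftime(_FMT) for ts, _ in events)
    return dict(sorted(counts.items()))


def chart_events(events, span):
    """Stand-in for `... | chart count over _time span=<span> by host`.
    Returns {bucket_start_iso: {host: count}}."""
    table = {}
    for ts, host in events:
        key = bucket_start(ts, span).strftime(_FMT)
        table.setdefault(key, Counter())[host] += 1
    return {k: dict(v) for k, v in sorted(table.items())}


if __name__ == "__main__":
    for start, n in bucket_events(SAMPLE_EVENTS, "1h").items():
        print(start, n)
    for start, by_host in chart_events(SAMPLE_EVENTS, "1h").items():
        print(start, by_host)
```

The epoch-aligned floor is the detail worth noticing: a `span=1d` bucket starts at midnight UTC, not at the first event, so counts near a span boundary can land in the "wrong" bucket if you forget the alignment when comparing against another tool's daily totals.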
- SOC: Security Operations Center
- SIEM: Security Information and Event Management
- BOTS: Boss of the SOC (some kind of Splunk competition)
- CIM: Common Information Model
Various Splunk apps (extensions, really) can be found at https://splunkbase.splunk.com. Forums and the like can be found at https://community.splunk.com.
Halp, I’m Drowning in Logs!
The cyber killchain:
- Command & Control
- Actions on Objectives
- APT: Advanced Persistent Threat
In Splunk, searching for `*` matches any non-null string. This is particularly useful when combining data sources, doing lookups, etc., as adding a later search stage like `| search field_name=*` will ensure that only rows that actually matched (i.e. have the field populated) are returned.
Because Splunk aggregates logs from multiple sources, field names might not always be named consistently. Because of this, a common pattern is to include searches like `(field_1="term" OR field_2="term")` (boolean operators in Splunk must be uppercase). Note that it’s also possible to leave the field specification off entirely, in which case the provided “term” will be searched for in all fields.
Sysmon records a program starting up using the `EventDescription` of “Process Create” and an `EventCode` of 1.
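The three search patterns above (`field=*`, `(field_1="term" OR field_2="term")`, and an unfielded term) together with the Sysmon process-create filter, as an added Python example that is not part of the original notes and not Splunk's implementation. The events are constructed to mimic a Sysmon source and a firewall source that name the hostname field differently (`Computer` vs `host`); the helper functions are hypothetical and only approximate Splunk's matching semantics.

```python
"""Field-existence and multi-field matching over heterogeneous log events.
Events below are constructed, not real Sysmon or firewall output."""

# Constructed sample events from two "sources" with inconsistent field names:
# the Sysmon events carry the machine name in `Computer`, the firewall log in `host`.
EVENTS = [
    {"source": "sysmon", "EventCode": 1, "EventDescription": "Process Create",
     "Computer": "ws01.corp.local", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"source": "sysmon", "EventCode": 3, "EventDescription": "Network connection detected",
     "Computer": "ws01.corp.local", "Image": r"C:\Windows\System32\cmd.exe",
     "dest_ip": "10.0.0.5"},
    {"source": "sysmon", "EventCode": 1, "EventDescription": "Process Create",
     "Computer": "ws02.corp.local", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"source": "firewall", "host": "ws01.corp.local", "src_ip": "10.0.0.7",
     "dest_ip": "10.0.0.5", "action": "allowed"},
    {"source": "firewall", "host": "fw01", "src_ip": "10.0.0.7", "action": "blocked"},
]


def has_field(event, name):
    """`name=*`: true only when the field exists and is non-empty."""
    value = event.get(name)
    return value is not None and value != ""


def any_field_equals(event, names, term):
    """`(names[0]="term" OR names[1]="term" ...)`. Field *values* are compared
    case-insensitively, as Splunk does; field *names* are case-sensitive."""
    return any(str(event.get(n, "")).lower() == term.lower() for n in names)


def any_field_contains(event, term):
    """A bare `term` with no field: match when any field value contains it.
    (Splunk tokenizes the raw event; substring matching is the approximation here.)"""
    return any(term.lower() in str(v).lower() for v in event.values())


def search(events, predicate):
    """Minimal stand-in for a `| search ...` stage: keep events the predicate accepts."""
    return [e for e in events if predicate(e)]


def with_field(events, name):
    """`| search <name>=*`: drop rows where the field never populated."""
    return search(events, lambda e: has_field(e, name))


def events_on_host(events, hostname):
    """Any source: `(Computer="<hostname>" OR host="<hostname>")`."""
    return search(events, lambda e: any_field_equals(e, ("Computer", "host"), hostname))


def process_creates_on(events, hostname):
    """Sysmon process starts on one machine: `EventCode=1` combined with the
    multi-field hostname match above."""
    return search(events, lambda e: e.get("EventCode") == 1
                  and any_field_equals(e, ("Computer", "host"), hostname))


def mentions(events, term):
    """Unfielded search: `term` anywhere in the event."""
    return search(events, lambda e: any_field_contains(e, term))


if __name__ == "__main__":
    print(len(with_field(EVENTS, "dest_ip")), "events with a dest_ip")
    print(len(events_on_host(EVENTS, "ws01.corp.local")), "events on ws01")
    print(len(process_creates_on(EVENTS, "ws01.corp.local")), "process creates on ws01")
    print(len(mentions(EVENTS, "cmd.exe")), "events mentioning cmd.exe")
```

The `has_field` check is where the `field=*` idiom earns its keep: after a lookup or a join, rows that did not match come back with the looked-up field missing, and filtering on `field=*` is the cheapest way to discard them before counting.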
In Splunk, “source” and “destination” refer to the initiator and receiver of a network connection, not individual packets of data. So normally a web server would only be a “destination”, even though it can respond to the “source” with quite a lot of data.
Possibly useful sites for getting OSINT domain information: