Perform Queries with Splunk & Chronicle

Cavan Fowler
4 min read · Jul 9, 2023

Splunk Walkthrough

Scenario

You are a security analyst working at the e-commerce store Buttercup Games. You’ve been tasked with identifying whether there are any possible security issues with the mail server. To do so, you must explore any failed SSH logins for the root account.

Given the scenario, I uploaded the sample log data into Splunk Cloud for me to view:

I evaluated the fields that Splunk creates when it indexes ingested data. The fields become searchable:

The default selected fields:

  • host: Specifies the name of the network host from which the event originated
  • source: Indicates the file name from which the event originates
  • sourcetype: Determines how data is formatted. You should observe three sourcetypes

“Interesting Fields” can be promoted to the “Selected Fields” section so that they are shown alongside each event in the Events list.

Then, I narrowed down the search to be for events generated by the mail server by querying with “index=main host=mailsv fail* root”.

The wildcard in fail* matches any term beginning with “fail” (failed, failure, and so on), so this query returns every event from the mail server that mentions a failed SSH login attempt together with the root account:
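To show what that search actually does, here is an added Python emulation (not part of the original walkthrough and not Splunk's own code) that applies the same field filters and term matching to a few constructed sshd log lines, then pivots the hits by source IP:

```python
import re
from collections import Counter


def ev(host, raw):
    """Build one event in the shape Splunk indexes it: default fields plus the raw line."""
    return {"index": "main", "host": host, "source": "secure.log",
            "sourcetype": "secure", "_raw": raw}


# Constructed sample events (invented lines, not the course's real dataset).
EVENTS = [
    ev("mailsv", "Jul  9 10:01:12 mailsv sshd[1042]: Failed password for root from 203.0.113.7 port 4022 ssh2"),
    ev("mailsv", "Jul  9 10:01:15 mailsv sshd[1042]: Failed password for root from 203.0.113.7 port 4023 ssh2"),
    ev("mailsv", "Jul  9 10:02:01 mailsv sshd[1050]: Failed password for invalid user admin from 198.51.100.9 port 5110 ssh2"),
    ev("mailsv", "Jul  9 10:03:40 mailsv sshd[1061]: Accepted password for root from 192.0.2.5 port 6001 ssh2"),
    ev("www1",   "Jul  9 10:04:00 www1 sshd[2201]: Failed password for root from 203.0.113.7 port 7001 ssh2"),
]


def term_matches(term, tokens):
    """Splunk-style term match: a trailing '*' is a prefix match, otherwise exact; case-insensitive."""
    term = term.lower()
    if term.endswith("*"):
        return any(t.startswith(term[:-1]) for t in tokens)
    return term in tokens


def search(events, query):
    """Emulate a query such as 'index=main host=mailsv fail* root'.

    field=value parts filter on indexed fields; every bare term must occur as a
    token in the raw text (so 'fail* root' means BOTH a fail-prefixed word AND 'root').
    """
    field_filters, terms = {}, []
    for part in query.split():
        if "=" in part:
            key, value = part.split("=", 1)
            field_filters[key] = value
        else:
            terms.append(part)
    hits = []
    for event in events:
        if any(event.get(k) != v for k, v in field_filters.items()):
            continue
        tokens = set(re.findall(r"[a-z0-9_.]+", event["_raw"].lower()))
        if all(term_matches(t, tokens) for t in terms):
            hits.append(event)
    return hits


def failures_by_source_ip(hits):
    """Pivot matching events on the client IP to make a brute-force pattern visible."""
    return Counter(re.search(r"from (\S+)", h["_raw"]).group(1) for h in hits)
```

Running `failures_by_source_ip(search(EVENTS, "index=main host=mailsv fail* root"))` shows that only the two root failures from the mail server survive the filter; the non-root failure, the successful root login, and the failure on www1 are all excluded.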

Chronicle Walkthrough

Scenario

You are a security analyst at a financial services company. You receive an alert that an employee received a phishing email in their inbox.

You review the alert and identify a suspicious domain name contained in the email’s body: signin.office365x24.com.

You need to determine whether any other employees have received phishing emails containing this domain and whether they have visited the domain.

To start, I searched for the malicious domain that appeared in the employee's email inbox:

Then I evaluated the results of the domain search:

  • VT CONTEXT: Provides available VirusTotal information for the domain
  • WHOIS: Summary of information about the domain using WHOIS, a free and publicly available directory that includes information about registered domain names, such as the name and contact information of the domain owner
  • Prevalence: A graph which outlines the historical prevalence of the domain
  • RESOLVED IPS: Insight card that provides additional context about the domain, such as the IP address that maps to signin.office365x24.com, which is 40.100.174.34
  • SIBLING DOMAINS: Additional context about the domain. Sibling domains share a common top or parent domain
  • ET INTELLIGENCE REP LIST: Threat intelligence information, such as other known threats related to the domains using ProofPoint’s Emerging Threats (ET) Intelligence Rep list
  • TIMELINE: Information about the events and interactions made with this domain
  • ASSETS: List of the assets that have accessed the domain

I clicked on VT CONTEXT to analyze the available VirusTotal information about the domain, of which there was little (only 1 vendor flagged this domain):

Then I looked at VT CONTEXT for the top private domain to analyze the VirusTotal information, which resulted in finding 4 vendors marking the domain as malicious:

For this domain, under ET INTELLIGENCE REP LIST, I was able to identify the category and severity of the domain. This domain is used as a “drop site for logs or stolen credentials”:

Under the TIMELINE tab, I was able to identify a POST request to the domain. A POST means data was sent to the malicious domain, which suggests a possible successful phish:

I checked the RESOLVED IP of 40.100.174.34 and found that 3 employees/assets had sent POST requests to it, suggesting that they had also been successfully phished:

Project Reflection

In these activities, I used Splunk and Chronicle to search for and investigate failed SSH login attempts, and to investigate a suspicious domain used in a phishing email sent to an employee’s inbox.

Using Splunk and Chronicle’s domain search, I was able to:

  • Search through indexed data
  • Evaluate queried Splunk results
  • Identify different data sources
  • Locate failed SSH login attempts for the root account on the mail server
  • Access threat intelligence reports on a malicious domain
  • Identify assets that accessed the domain
  • Evaluate HTTP events associated with the domain
  • Identify which assets submitted login information to the domain
  • Identify additional malicious domains
