TryHackMe: Splunk: Exploring SPL

Zach Boram
9 min read · Nov 3, 2023


When entering into the cybersecurity field there are many new programs to learn. One of the more prominent programs listed under skills in many job postings is Splunk. Splunk is not a skill, but it is software for searching, monitoring, and analyzing machine-generated data via a web-style interface, and the “skill” the employer is referring to is YOUR ability to navigate it!

As with any SIEM interface, Splunk has a plethora of features and can be quite useful when monitoring events. One of the most powerful tools in Splunk is the search tool. This allows you to grab events based on many attributes, and since each event is likely to have dozens of identifying attributes (and many different events sharing those same attributes) it is most helpful to be able to sort event logs quickly and efficiently.

This is where Search Processing Language, or SPL, comes in handy. SPL was designed by Splunk for use with Splunk software. SPL encompasses all the search commands and their functions, arguments, and clauses. Its syntax was originally based on the Unix pipeline and SQL. The scope of SPL includes data searching, filtering, modification, manipulation, insertion, and deletion.

For this TryHackMe room, my classmates Cloee Kunstek and Tristan Vicente and I wanted to focus on learning the basics of SPL to ensure our foundation in all things Splunk was solid. This room is a step-by-step walkthrough, which on the surface sounds easy, but, as with most new software, is harder than it seems. This walkthrough was created to help new users feel confident in their abilities with Splunk and SPL by giving them the opportunity to understand how to craft an effective query, and to give a visual guide to completing these tasks.

Enjoy!

Zach, Cloee, and Tristan

https://www.linkedin.com/in/zach-boram/

https://www.linkedin.com/in/cloee-kunstek-044b63209/

https://www.linkedin.com/in/tristan-vicente-653005275/

Task 1: Introduction

1.1 NO ANSWER NEEDED

Task 2: Connect with the lab

2.1 NO ANSWER NEEDED

2.2

First open the search bar, then open the Data Summary tab and select the Hosts option; the host name is listed there.

Task 3: Search & Reporting App Overview

3.1

To find the answer to this question, first open the search history, then set the results per page to 50 and make sure you exclude today’s searches!

3.2

First, select index="Windowslogs"

Then select the Source IP, source, and sourcetype fields.

Finally, click on Source IP.

172.90.12.11 will be your answer.

3.3

I found this task to be the simplest: all you have to do is set the date range and time to the given time frame, and you will then see the number of events that took place.

Task 4: Splunk Processing Language Overview

4.1

For the EventID portion of the query, the formatting is pretty simple, but I couldn’t figure out how to properly format the user search. However, when I was typing it out, it autofilled as “Cybertees\\James”; if you input “James” normally, it does not work.

Altogether, the query can be entered as:

EventID="1" User="Cybertees\\James"

When you plug this in, you can see 4 events have been logged with the requested data.

4.2

Once again, the query for this question is rather simple, but it introduces the Boolean operator “AND”, which requires both conditions to be present in the same event.

So, simply put: DestinationIp="172.18.39.6" AND DestinationPort="135"

After this query is submitted, there are 4 returned events with the requested data.

4.3

The query is provided with this question, so you are required to find the Source IP address with the highest count.

After inputting the provided search query:

index=windowslogs Hostname="Salena.Adam" DestinationIp="172.18.38.5"

Select the largest bar on the graph and scroll down till you see the Source IP.

The Source IP with the highest count for the requested data is 172.90.12.11.

4.4

For the query, input: index="windowslogs" cyber

This returns 0 events because none of the Windows logs contain the standalone term “cyber”; a bare keyword only matches a whole indexed term.

4.5

For this query, add an asterisk wildcard to the end of “cyber”, making the new query:

index="windowslogs" cyber*

Now the query returns 12,256 events, because “cyber*” matches any term that starts with “cyber”.
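To make the difference between Tasks 4.4 and 4.5 concrete, here is an added Python example (not part of the original walkthrough or of Splunk) that approximates Splunk’s term-based keyword matching over a few constructed log lines: a bare keyword must equal a whole indexed term, while a trailing asterisk turns it into a prefix match. The tokenisation rule (break on any non-word character) is a simplification of Splunk’s breaker rules and is an assumption of this example.

```python
import re

# Constructed sample events standing in for the room's windowslogs index.
EVENTS = [
    'EventID=1 Hostname=Salena.Adam User=Cybertees\\James Image=C:\\Windows\\System32\\conhost.exe',
    'EventID=4103 Hostname=James.Browne SourceName=Microsoft-Windows-PowerShell',
    'EventID=3 Hostname=Cybertees-DC SourceName=Microsoft-Windows-Sysmon',
]

def terms(text):
    """Split text into lowercase terms. Any run of characters other than
    word characters or '*' is treated as a breaker (simplified model)."""
    return [t.lower() for t in re.split(r"[^\w*]+", text) if t]

def term_matches(pattern, term):
    """A pattern without '*' must equal the whole term; '*' matches any run."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, term) is not None

def search(keyword, events=EVENTS):
    """Return the events in which every term of the keyword is present.
    'cyber' matches nothing because no event has 'cyber' as a whole term;
    'cyber*' matches 'Cybertees'; 'conhost.exe' becomes the terms
    'conhost' and 'exe', both of which must appear."""
    wanted = terms(keyword)
    return [e for e in events
            if all(any(term_matches(w, t) for t in terms(e)) for w in wanted)]

if __name__ == "__main__":
    print(len(search("cyber")), "events for cyber")      # 0
    print(len(search("cyber*")), "events for cyber*")    # 2
    print(len(search("conhost.exe")), "events for conhost.exe")
```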

Task 5: Filtering the Results in SPL

5.1

After inputting the provided query:

index=windowslogs | table _time EventID Hostname SourceName | reverse

Navigate to the Statistics tab to see the events organized by date and time.

The third event with the requested data has the EventID 4103.

5.2

For this query, pair the previous query with the “dedup” command, which removes events that have duplicate values in the specified field (here, Hostname). The full query is:

index=windowslogs | table _time EventID Hostname SourceName | dedup Hostname | reverse

The first username in the Hostname field returned with this improved query is Salena.Adam.

Task 6: SPL — Structuring the Search Results

6.1

For Task 6.1, start from the query structure provided in the explanation and add the “reverse” command. This returns the results in reverse order, allowing the user to find the answer.

index=windowslogs | table _time EventID Hostname SourceName | reverse

Query Structure

Query Results

When looking at the query results, the first username we see is James.Browne.

ANSWER:

6.2

For Task 6.2, we will use the same query as Task 6.1 and replace the “reverse” command with the “tail” command. Make sure that you remove “reverse”; if it is not removed, you will not receive the results seen below. The query structure should be as follows.

index=windowslogs | table _time EventID Hostname SourceName | tail

Query Structure

Query Results

When viewing the query results we can see that the last entry in the table has an Event ID of 4103.

ANSWER:

6.3

For task 6.3 I had issues with the query structure and tried multiple different queries. This included utilizing the prompted commands that pop up as you type in the search bar, crafting my own commands from the explanation and just trying to input the language to the best of my understanding. Unfortunately none of these combinations worked! I ended up utilizing the Medium write-up posted by Josephalan, titled, “Splunk Exploring SPL TryHackMe Write-Up” (https://medium.com/@josephalan17201972/splunk-exploring-spl-tryhackme-write-up-b4f50e0903eb).

index=windowslogs | table _time EventID Hostname SourceName | sort SourceName | head 1

Query

Query Results

When viewing the query results we can clearly see the SourceName shows as Microsoft-Windows-Directory-Services-SAM.

ANSWER:

Task 7: Transformational Commands in SPL

7.1

For Task 7.1, the user will want to input the query structure found under the table labeled “Top”. This query must be changed to return at least the top 8 results to receive the answer.

index=windowslogs | top limit=8 Image

Query

Query Results

While technically the user could use the same query as given under the “Top” table, using the limit argument can be useful in other ways depending on the output desired. When we look at the final query results, we can easily see that the sixth row has a count of 196.

ANSWER:

7.2

For Task 7.2, we can shorten the query to include only the items requested in the question. Instead of having more information to sift through, we are simply looking for the fewest hits on any user account. This took some minor trial and error, but with the pop-up prompts the user should arrive at the query below.

index=windowslogs | rare User

*Quick note* Make sure you are not trying to use the UserName field or the Account/AccountName fields, as you will not receive the desired query results.

Query

Query Results

When viewing the query results, the user will find 4 Users listed rarest first. This takes just a little logical thinking, as the returned information will not fit the question format. Knowing from our earlier tasks that the account is Cybertees, we can take the output Cybertees\James and extract that the User is James.
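The commands used in Tasks 5 through 7.2 (table, dedup, reverse, tail, sort, head, top and rare) are easier to reason about once you see what each does to an ordered result set. The following Python model is an added example, not code from the room or from Splunk; the events are constructed and listed newest first, as Splunk returns them by default. It reproduces the behaviour the walkthrough relies on: `reverse` then the first row is the oldest event, `tail` returns the last rows in reverse order, `dedup` keeps the first event per value, and `top`/`rare` count values with a percentage column.

```python
from collections import Counter

# Constructed events in Splunk's default order (newest first); not real room data.
EVENTS = [
    {"_time": "10:05", "EventID": 1,    "Hostname": "Salena.Adam",  "User": "Cybertees\\James"},
    {"_time": "10:04", "EventID": 4103, "Hostname": "Salena.Adam",  "User": "Cybertees\\James"},
    {"_time": "10:03", "EventID": 3,    "Hostname": "James.Browne", "User": "NT AUTHORITY\\SYSTEM"},
    {"_time": "10:02", "EventID": 1,    "Hostname": "Salena.Adam",  "User": "Cybertees\\Mark"},
    {"_time": "10:01", "EventID": 4103, "Hostname": "James.Browne", "User": "Cybertees\\James"},
]

def table(events, *fields):
    """| table f1 f2 ... : keep only the named fields, preserving order."""
    return [{f: e.get(f) for f in fields} for e in events]

def dedup(events, field):
    """| dedup field : keep the first event seen for each distinct value."""
    seen, out = set(), []
    for e in events:
        if e[field] not in seen:
            seen.add(e[field])
            out.append(e)
    return out

def reverse(events):          # | reverse
    return events[::-1]

def head(events, n=10):       # | head n  (default 10)
    return events[:n]

def tail(events, n=10):       # | tail n : last n results, returned in reverse order
    return events[-n:][::-1]

def sort(events, field):      # | sort field (ascending)
    return sorted(events, key=lambda e: e[field])

def top(events, field, limit=10):
    """| top limit=N field : most common values with count and percent."""
    counts, total = Counter(e[field] for e in events), len(events)
    return [{field: v, "count": c, "percent": round(100 * c / total, 2)}
            for v, c in counts.most_common(limit)]

def rare(events, field, limit=10):
    """| rare field : the same rows as top, least common first."""
    return sorted(top(events, field, limit=None), key=lambda r: r["count"])[:limit]

if __name__ == "__main__":
    print(reverse(table(EVENTS, "_time", "EventID", "Hostname"))[0])   # oldest event
    print(tail(EVENTS, 1)[0]["EventID"], rare(EVENTS, "User")[0]["User"])
```

Note that `reverse | head 1` and `tail 1` select the same event, which is why the walkthrough’s Task 6.1 and 6.2 queries both read off the oldest rows.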

7.3

This task is by far the most confusing of the room, in my opinion. The user can easily copy the chart creation command and create a pie-chart similar to the one shown in the explanation. However, in order to answer the question, the command does not have to make the pie-chart. Since the user is looking for information on conhost.exe the command is:

conhost.exe

Query

Query Results

Once the query results come back, the user will have to do some digging. Thanks again to Josephalan’s Medium walkthrough, we were able to get the right field. The user will notice that 100 events come back in the results. To whittle this down to the needed information, we need to use the field list on the left-hand side of the screen. Click on the “Image” field, and the pop-up will show that the count for C:\Windows\System32\conhost.exe is 70.

ANSWER:

Task 8: Recap and Conclusion

8.1 NO ANSWER NEEDED

And there you have it, you have mastered a basic understanding of Splunk SPL! We hope that you found this walkthrough informative and helpful as you worked your way through the TryHackMe room.
