
SOC Experts

Cybersecurity Career Launcher

Assignment: Splunk Dashboards

1) Build a dashboard to monitor FW logs – outbound connections over ports other than 443 and 80 to public IPs

index=network dest_ip!="10.0.0.0/8" AND dest_ip!="172.16.0.0/12" AND dest_ip!="192.168.0.0/16" AND dest_port!=443 AND dest_port!=80 | iplocation dest_ip | eval bytes=bytes_in+bytes_out | table _time src_ip src_port src_zone dest_ip dest_port dest_zone City Country action bytes

Table view of outbound connections over ports other than 80 and 443 to public IPs

This gives us a dashboard with important FW log details in a Table format.



2) Add a pie chart to your dashboard showing uploads to the webserver from various countries, i.e., from public IPs

index=webserver (method=POST OR method=PUT) AND (clientip!="10.0.0.0/8" AND clientip!="172.16.0.0/12" AND clientip!="192.168.0.0/16") | iplocation clientip | stats count by Country

Stats table with the count of all uploads to the webserver, grouped by country.

Pie chart of the same

Added to dashboard

b. File uploads to FTP server

index=ftp source_ip!="10.0.0.0/8" AND source_ip!="172.16.0.0/12" AND source_ip!="192.168.0.0/16" | search filename=* | iplocation source_ip | stats count by Country

Similar to the webserver panel: stats table of upload counts by country.

Pie Chart of the same

Added to dashboard

3) Create a panel for the webserver returning status code 404 (mention the IP, URI, User Agent)

index=webserver status=404 | iplocation clientip | table clientip City Country uri useragent status

Table view of all 404 errors with details

Added to dashboard

4) Create a bar chart to show the various status codes returned in our webserver logs

index=webserver | fillnull value="No Status Code" | stats count by status

Statistical view with the count of all status codes, including events with no status code (filled with "No Status Code")

Bar chart of the same

Added to Dashboard

Entire Dashboard:

Assignment 2: Splunk Dashboards

1) Create a dashboard panel to check failed logon attempts by user. Use an input field to select different account names.

index=main EventCode=4625 | eval AccountName=mvindex(Account_Name,1) | eval AccountDomain=mvindex(Account_Domain,1) | table _time AccountDomain AccountName Logon_Type Source_Network_Address

Shows a table of failed logins with Time, Account Domain, Account Name, Logon Type and Source IP (mvindex(...,1) picks the second, target-account value from the multivalue Account_Name and Account_Domain fields of EventCode 4625).

Added to the dashboard with a search that includes the token accountname (default value = *)

index=main EventCode=4625 Account_Name=$accountname$ | eval AccountName=mvindex(Account_Name,1) | eval AccountDomain=mvindex(Account_Domain,1) | table _time AccountDomain AccountName Logon_Type Source_Network_Address

Sample search in Dashboard: Account Name = prajwal

Now, adding a dynamic dropdown for Source Network Address: token = srcip

Search Query:

index=main EventCode=4625 Account_Name=$accountname$ Source_Network_Address=$srcip$ | eval AccountName=mvindex(Account_Name,1) | eval AccountDomain=mvindex(Account_Domain,1) | table _time AccountDomain AccountName Logon_Type Source_Network_Address

Token search string (populating search for the dropdown):

index=main EventCode=4625 $srcip$ | dedup Source_Network_Address | table Source_Network_Address

Selecting Source Network Address 113.161.74.75 from the dynamic dropdown
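As an added illustration (not part of the assignment submission), the Simple XML form below wires the accountname text input and the srcip dynamic dropdown to the failed-logon panel. The dropdown's populating search is assumed here to be filtered by the account chosen above it, and the |s token filter is used so typed values are quoted before being spliced into the SPL.

```xml
<form>
  <label>Assignment 2 - Failed logons by account</label>
  <fieldset submitButton="false" autoRun="true">
    <!-- Free-text input behind the $accountname$ token; "*" matches every account -->
    <input type="text" token="accountname">
      <label>Account Name</label>
      <default>*</default>
    </input>
    <!-- Dynamic dropdown behind $srcip$: its choices come from a populating search.
         Assumption: the populating search is filtered by the account chosen above,
         so the list only offers addresses that actually failed for that account. -->
    <input type="dropdown" token="srcip">
      <label>Source Network Address</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>Source_Network_Address</fieldForLabel>
      <fieldForValue>Source_Network_Address</fieldForValue>
      <search>
        <query>index=main EventCode=4625 Account_Name=$accountname|s$ | dedup Source_Network_Address | table Source_Network_Address</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Failed logons (EventCode 4625)</title>
      <!-- The |s filter double-quotes each token value before it is inserted into the
           search string, so a typed value cannot append extra search terms or pipes. -->
      <table>
        <search>
          <query>index=main EventCode=4625 Account_Name=$accountname|s$ Source_Network_Address=$srcip|s$ | eval AccountName=mvindex(Account_Name,1) | eval AccountDomain=mvindex(Account_Domain,1) | table _time AccountDomain AccountName Logon_Type Source_Network_Address</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Paste this as the dashboard source (Edit > Source) to get the same two inputs and table panel described above.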



2) Create a dashboard panel to monitor DNS requests (select fields of interest, filter out junk data)

index=dns "d port"=53 flag=1 | table Date src URL

Shows only IPv4 requests where an A record (flag=1) was looked up, as a table of Date, Source and URL

When added to the dashboard, the search uses the token url (default value = *)

index=dns "d port"=53 flag=1 URL=$url$ | table Date src URL

Sample Dashboard search: URL = www.apple.com



3) Write a search query to identify the threat information in the firewall threat logs (select appropriate fields)

index=network type=THREAT | table _time src_ip src_port dest_ip dest_port threat_name threat_severity rule action

Added to the dashboard with input tokens for Source IP, Source Port, Destination IP and Destination Port (src, srcport, dest, destport)

index=network type=THREAT src_ip=$src$ dest_ip=$dest$ src_port=$srcport$ dest_port=$destport$ | table _time src_ip src_port dest_ip dest_port threat_name threat_severity rule action

Sample search: Destination IP = 10.196.1.50

Sample search: Destination Port = 22

Sample search: Destination Port = 443

4) Use the geostats command and add a panel to your dashboard (you can use any log)

Network/FW logs for outbound connections to public IPs, with a count for each City shown on a geo map

index=network dest_ip!="10.0.0.0/8" AND dest_ip!="172.16.0.0/12" AND dest_ip!="192.168.0.0/16" | iplocation dest_ip | geostats count by City

When added to the dashboard (map panel):

Entire dashboard, with all searches run at the same time:
