Proj 2x: BOSS OF THE SOC: Identifying Threat Actors (50 pts)
What You Need for this Project
- A computer with a Web browser.
Purpose
To practice threat hunting using the Boss of the SOC (BOTS) dataset.
Connecting to My Splunk Server
Go here: https://splunk.samsclass.info
Log in using these credentials, as shown below.
- If you are a CCSF student registered in CNIT 50, use the username in your
CCSF email address (the part before "@mail.ccsf.edu") and an initial password of changeme
- Otherwise, log in as student1 with a password of student1
Once you are logged in, at the top left, click "Search & Reporting", as shown below.
The "Search" page opens, as shown below.
Exploring the BOTS Data
Sampling the Data
Do these steps:
- In the Search box, type index="botsv1"
- On the right side, click the "Last 24 hours" box and click "All time"
- On the left side, under the Search box, click "No Event Sampling" and click "1: 100"
- On the right side, click the green magnifying-glass icon
The search finishes within a few seconds and finds approximately 9,452 results, as shown below. (The number varies because the sampling is random.)
There are actually 100x as many events, but we are only looking at 1% of them for now.
Viewing Sourcetypes
On the lower left, in the "SELECTED FIELDS" list, click the blue sourcetype link.
A "sourcetype" box pops up, showing the "Top 10 Values" of this field, as shown below.
Viewing Suricata Events
In the "sourcetype" box, in the "Top 10 Values" list, click suricata, as shown in the image above.
Splunk adds sourcetype="suricata" to the search and finds approximately 1,250 results, as shown below. (The number varies because the sampling is random.)
Scroll down and look on the left side for the "INTERESTING FIELDS" list. Click event_type to see a list of values, as shown below.
The event types are self-explanatory, but you can read about them here if you want to.
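The same exploration can be typed as a search instead of clicking field values in the sidebar. The search below is an added example, not part of the original project: it reproduces the sidebar's "Top 10 Values" view (count and percentage) for event_type over every Suricata event in the botsv1 index, with earliest=0 standing in for the "All time" time range.

```spl
index="botsv1" sourcetype="suricata" earliest=0 latest=now
| stats count by event_type
| eventstats sum(count) as total
| eval percent=round(100 * count / total, 2)
| sort - count
| head 10
| fields event_type count percent
```

Event sampling is a setting on the Search page, not part of the query, so set it back to "No Event Sampling" first if you want exact counts rather than counts from the 1% sample; the shorter form `| top limit=10 event_type` produces the same columns.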
Challenges
Find these items. Use the forms below to record your score in Canvas.
If you don't have a Canvas account, see the instructions here.