Proj 4x: Splunk Enterprise Security (10 pts. extra credit)

What You Need for this Project

Purpose

To learn the basics of searching in Splunk. This project follows the Splunk tutorial linked in the References at the bottom of this page.

Get a Splunk Cloud Free Trial

In a browser, go to

http://splunk.force.com/SplunkCloud?prdType=SplunkCloud

On the right side, click "Splunk Enterprise Security" box, as shown below.

The screen scrolls down. Click FREE as shown below.

The screen scrolls down. Click Continue as shown below.

On the next page, create an account. Use an email address you can receive mail at.

After a few seconds, a page appears saying "Your Splunk Enterprise Security Sandbox Is Ready!", as shown below.

Click "View My Instance".

Accept the terms and click OK.

The main Splunk Enterprise Security page appears, as shown below.

Product Tour

At the bottom, click "Product Tour". Go through the tour, noting these items: At the end, click the green "Try it now" button.

Using the Security Posture Dashboard

Notable Event Counts

At the top left, click "Security Posture".

The Security Posture dashboard opens, as shown below.

The top section has counts of "NOTABLES". In "IDENTITY NOTABLES", click 7.

You see the raw Splunk query that created this number, as shown below.

On its own this raw search is not very useful: it only shows how the dashboard computed the count, not the notable events behind it.

In your browser, click the Back button to return to the Security Posture dashboard.

Notable Events By Urgency

At the lower left, in the "Notable Events By Urgency" bar chart, click the small red bar denoting critical events.

An "Incident Review" page appears, as shown below.

Notice the list of eight events at the bottom, with useful titles.

In your browser, click the Back button to return to the Security Posture dashboard.

Top Notable Events

Scroll to the bottom of the Security Posture dashboard.

At the lower left, find "Top Notable Events", as shown below.

Click "Activity from Expired User Identity".

The user identities that tried to log in appear, as shown below.

In your browser, click the Back button to return to the Security Posture dashboard.
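Each of the dashboard panels visited above is a front end for an ordinary Splunk search over the notable-event index, which is why clicking a count drills down into raw SPL. The three searches below are an added example, not part of the original project page and not the dashboard's own code; they assume the standard Splunk Enterprise Security notable index (index=notable), the `notable` enrichment macro, and the urgency and rule_name fields that the macro supplies. Paste one at a time into the ES search bar and set the time picker to cover the sandbox data.

```spl
index=notable | `notable` | stats count by urgency | sort - count

index=notable | `notable` | search urgency=critical | table _time rule_name urgency status owner src dest

index=notable | `notable` | stats count by rule_name | sort - count | head 10
```

The first search reproduces the "Notable Events By Urgency" panel, the second lists the critical events that the red bar drills into (the incident-review table is built from the same fields), and the third reproduces "Top Notable Events"; adding `| search rule_name="Activity from Expired User Identity" | stats count by user` to the base search gives the per-identity breakdown seen after clicking that rule. The `notable` macro is what adds urgency, status and owner to the raw notable records, so leaving it out returns the unenriched events only.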

Saving the Screen Image

Make sure you can see the username Hax0r, as shown above.

Save a FULL DESKTOP image with the filename Proj 4x from Your Name.

Turning in Your Project

Send the image as an email attachment to cnit.50sam@gmail.com with a Subject line of Proj 4x from Your Name.
Posted 10-31-17 by Sam Bowne