# Splunk-based SIEM SOC Lab
Lab Introduction & Hands-On
Introduction:
1. Objective:
Build a Splunk-based SIEM lab for SOC Analysis using Windows/DNS logs
2. Lab Architecture:
▪ Host OS: Kali Linux
▪ Guest OS: Windows 11 VM
▪ SIEM: Splunk Enterprise
▪ Forwarder: Splunk Universal Forwarder
Log Sources:
▪ Windows Security Events
▪ System Monitor (Sysmon)
▪ DNS/HTTP
3. Tools Employed
| Tool | Purpose |
| --- | --- |
| Splunk Enterprise | SIEM |
| Splunk UF | Log forwarding |
| Sysmon | Endpoint telemetry |
4. Data Onboarding:
▪ WinEventLog:Security
▪ Sysmon Operational Log
▪ DNS/HTTP Log
Hands-On:
A. Splunk Universal Forwarder Installation/Setup:
▪ “UF” installation on Windows VM and “inputs.conf” configuration
Step 1:
Guest OS (Windows 11)
Step 2:
Guest (Windows Name)
Step 3:
Splunk Login
Step 4:
UF Download
Step 5:
Check the selected boxes below and click “Next”
Step 6:
Click “Next”
Step 7:
Click “Next”
Step 8:
Select “Local System” and click “Next”
Step 9:
Check the boxes below to grant the Windows privileges that enable the UF features, then click “Next”
Step 10:
Check all the boxes to allow the UF to forward all logs and click “Next”
Step 11:
Uncheck “Generate random password”, enter credentials to create the administrator account and click “Next”
Step 12:
Enter the host IP (where Splunk Enterprise sits) and the default port “8089”, then click “Next”
Step 13:
Click “Install” after pointing the UF at the Splunk Enterprise instance configured to receive data on port “9997”
Step 14:
Click “Finish” to conclude UF installation
Step 15:
“inputs.conf” configuration: C:\Program Files\SplunkUniversalForwarder\apps\TA-Sysmon\local\inputs.conf
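An added example of the inputs.conf for Step 15 (not the lab's own file): it assumes the TA-Sysmon app path shown above and the index `main` used by the SPL queries in this lab, and enables the two Windows event logs that the onboarding section searches.

```ini
# Added example, not the lab's own file. Assumed location:
# C:\Program Files\SplunkUniversalForwarder\apps\TA-Sysmon\local\inputs.conf
# Index "main" is assumed because the lab's SPL queries search index=main.

# Windows Security events (logon successes/failures such as EventCode=4625)
[WinEventLog://Security]
disabled = 0
index = main
renderXml = false

# Sysmon endpoint telemetry; Splunk tags these events with
# source="WinEventLog:Microsoft-Windows-Sysmon/Operational"
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
index = main
renderXml = false
```

Restart the SplunkForwarder service after saving so the new stanzas take effect.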
B. Splunk Enterprise Setup
Step 1:
Enter the Splunk Enterprise address (localhost or the host IP, port 8000) in the browser address bar, enter the login credentials and sign in
Step 2:
Click on “Settings” and choose “Forwarding and Receiving” option
Step 3:
Click on “Add New” to configure receiving of data
Step 4:
Enter Port “9997” and save
Step 5:
Splunk Enterprise instance enabled to receive data from “UF”
C. Data Onboarding:
Step 1:
Click on “Searching and Reporting”
Scenario 1:
WinEventLog:Security
SPL Query: index=main host="WINDOWS001"
Note: Smart Mode
Scenario 2:
WinEventLog:Security
SPL Query: index=main sourcetype="WinEventLog:Security" EventCode=4625
| table _time ComputerName Account_Name Account_Domain Logon_Type Failure_Reason
| sort _time
Scenario 3:
WinEventLog:Security
SPL Query: index=main host="WINDOWS001" | stats count by ComputerName EventCode EventType Logon_ID SourceName
Scenario 4:
WinEventLog:Sysmon
SPL Query: index=main source="WinEventLog:Microsoft-Windows-Sysmon/Operational"
D. Log Ingestion
Uploading DNS log file into Splunk Enterprise
Step 1:
Click on “Settings” and then click on “Add data”
Step 2:
Click on “Upload file from my computer”
Step 3:
Click on “Select file”
Step 4:
Click “Next” after file upload
Step 5:
Click “Save As” to save the log file
Step 6:
Enter file name, select as appropriate and save
Step 7:
Click “Review”
Step 8:
Review and submit
Step 9:
Click on “Start searching” to go to the search page
Step 10:
DNS log successfully parsed
New Field Extraction:
Step 1:
Click on “Extract New Fields”
Step 2:
Select any of the events
Step 3:
When an event is selected, click “Next”
Step 4:
Select “Regular Expression” and click “Next”
Step 5:
Highlight the source IP to give it a name and click “Add Extraction”
Step 6:
Highlight the source port to give it a name and click “Add Extraction”
Step 7:
Highlight the destination IP to give it a name and click “Add Extraction”
Step 8:
Highlight the destination port to give it a name, click “Add Extraction” and then “Next”
Let us stop with these four fields
Step 9:
View the created fields and click “Next”
Step 10:
Click “Finish” to complete the extraction
Step 11:
Click to explore the newly created fields
Step 12:
The newly created fields now appear in the left sidebar
Step 13:
Search:
index=* sourcetype=DNSLOG | stats count by src_ip src_port dst_ip dst_port