Splunk: Setting up a SOC lab
Splunk: Setting up a SOC lab
Embedded Files
What is the default port for Splunk?
8000
In Splunk, what is the command to search for the term coffely in the logs?
./bin/splunk search coffely
What is the default port, on which Splunk Forwarder runs on?
8089
Follow the same steps and ingest /var/log/auth.log file into Splunk index Linux_logs. What is the value in the sourcetype field?
syslog
Create a new user named analyst using the command adduser analyst. Once created, look at the events generated in Splunk related to the user creation activity. How many events are returned as a result of user creation?
6
What is the path of the group the user is added after creation?
/etc/group
What is the default port Splunk runs on?
8000
Click on the Add Data tab; how many methods are available for data ingestion?
3
Click on the Monitor option; what is the first option shown in the monitoring list?
Local Event Logs
What is the full path in the C:\Program Files where Splunk forwarder is installed?
C:\Program Files\Splunk UniversalForwarder
What is the default port on which Splunk configures the forwarder?
9997
While selecting Local Event Logs to monitor, how many Event Logs are available to select from the list to monitor?
5
Search for the events with EventCode=4624. What is the value of the field Message?
An account was successfully logged on
In the lab, visit http://coffely.thm/secret-flag.html; it will display the history logs of the orders made so far. Find the flag in one of the logs.
{COffely_Is_Best_iN_TOwn}
Page updated
Google Sites
Report abuse