{"id":7526,"date":"2025-11-18T14:42:48","date_gmt":"2025-11-18T12:42:48","guid":{"rendered":"https:\/\/scalemedia.co.za\/cybermedia\/?p=7526"},"modified":"2025-11-20T12:16:45","modified_gmt":"2025-11-20T10:16:45","slug":"introduction-to-splunk-spl","status":"publish","type":"post","link":"https:\/\/scalemedia.co.za\/cybermedia\/introduction-to-splunk-spl\/","title":{"rendered":"Introduction To Splunk &#038; SPL"},"content":{"rendered":"\n<div class=\"wp-block-aioseo-table-of-contents\"><ul><li><a href=\"#what-is-splunk\">What Is Splunk?<\/a><\/li><li><a href=\"#splunk-as-a-siem-solution\">Splunk As A SIEM Solution<\/a><ul><li><a href=\"#basic-searching\">Basic Searching<\/a><\/li><li><a href=\"#fields-and-comparison-operators\">Fields and Comparison Operators<\/a><\/li><li><a href=\"#the-fields-command\">The fields command<\/a><\/li><li><a href=\"#the-table-command\">The table command<\/a><\/li><li><a href=\"#the-rename-command\">The rename command<\/a><\/li><li><a href=\"#the-dedup-command\">The dedup command<\/a><\/li><li><a href=\"#the-sort-command\">The sort command<\/a><\/li><li><a href=\"#the-stats-command\">The stats command<\/a><\/li><li><a href=\"#the-chart-command\">The chart command<\/a><\/li><li><a href=\"#the-eval-command\">The eval command<\/a><\/li><li><a href=\"#the-rex-command\">The rex command<\/a><\/li><li><a href=\"#the-lookup-command\">The lookup command<\/a><\/li><li><a href=\"#the-inputlookup-command\">The inputlookup command<\/a><\/li><li><a href=\"#time-range\">Time Range<\/a><\/li><li><a href=\"#the-transaction-command\">The transaction command<\/a><\/li><li><a href=\"#subsearches\">Subsearches<\/a><\/li><li><a href=\"#how-to-identify-the-available-data\">How To Identify The Available Data<\/a><\/li><\/ul><\/li><li><a href=\"#practical-exercises\">Practical Exercises<\/a><\/li><\/ul><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-is-splunk\">What Is Splunk?<\/h2>\n\n\n\n<p>Splunk is a highly scalable, versatile, and robust data 
analytics software solution known for its ability to ingest, index, analyze, and visualize massive amounts of machine data. Splunk has the capability to drive a wide range of initiatives, encompassing cybersecurity, compliance, data pipelines, IT monitoring, observability, as well as overall IT and business management.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fxn048vkL7M0A3DnH1JOG%252F101.webp%3Falt%3Dmedia%26token%3D3d313a7d-6942-435c-bca6-84b006e3aa49&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=67570b51&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FvGw4rGvGrrQPaRenJoYk%252F102.webp%3Falt%3Dmedia%26token%3Dd6ccfeb5-a09a-43ff-b6b9-2e120722b3b9&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=886521e9&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Splunk&#8217;s (Splunk Enterprise) <code>architecture<\/code> consists of several layers that work together to collect, index, search, analyze, and visualize data. 
The architecture can be divided into the following main components:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Forwarders:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Universal Forwarder (UF)<\/li>\n\n\n\n<li>Heavy Forwarder (HF)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Indexers<\/strong><\/li>\n\n\n\n<li><strong>Search Heads<\/strong><\/li>\n\n\n\n<li><strong>Deployment Server<\/strong><\/li>\n\n\n\n<li><strong>Cluster Master<\/strong><\/li>\n\n\n\n<li><strong>License Master<\/strong><\/li>\n<\/ol>\n\n\n\n<p>Splunk&#8217;s <code>key components<\/code> include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Splunk Web Interface<\/strong><\/li>\n\n\n\n<li><strong>Search Processing Language (SPL)<\/strong><\/li>\n\n\n\n<li><strong>Apps and Add-ons<\/strong><\/li>\n\n\n\n<li><strong>Knowledge Objects<\/strong><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"splunk-as-a-siem-solution\">Splunk As A SIEM Solution<\/h2>\n\n\n\n<p>When it comes to cybersecurity, Splunk can play a crucial role as a log management solution, but its true value lies in its analytics-driven Security Information and Event Management (SIEM) capabilities. Splunk as a SIEM solution can aid in real-time and historical data analysis, cybersecurity monitoring, incident response, and threat hunting. 
Moreover, it empowers organizations to enhance their detection capabilities by leveraging User Behavior Analytics.<\/p>\n\n\n\n<p>Let&#8217;s assume that <code>main<\/code> is an index containing Windows Security and Sysmon logs, among others.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"basic-searching\"><strong>Basic Searching<\/strong><\/h4>\n\n\n\n<p>The <code>search<\/code> command is typically implicit at the start of each SPL query and is not usually written out. However, here&#8217;s an example using explicit search syntax:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>search index=&quot;main&quot; &quot;UNKNOWN&quot;<\/code><\/pre>\n\n\n\n<p>By specifying the index as <code>main<\/code>, the query narrows down the search to only the events stored in the <code>main<\/code> index; the quoted term <code>UNKNOWN<\/code> further restricts the results to events containing that string.<\/p>\n\n\n\n<p><strong>Note<\/strong>: Wildcards (<code>*<\/code>) can replace any number of characters in searches and field values. 
Example (implicit search syntax):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; &quot;*UNKNOWN*&quot;<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"fields-and-comparison-operators\"><strong>Fields and Comparison Operators<\/strong><\/h4>\n\n\n\n<p>Splunk automatically identifies certain data as fields (like <code>source<\/code>, <code>sourcetype<\/code>, <code>host<\/code>, <code>EventCode<\/code>, etc.), and users can manually define additional fields. Fields can be filtered with comparison operators such as <code>=<\/code> and <code>!=<\/code>. Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; EventCode!=1<\/code><\/pre>\n\n\n\n<p>This search returns every event in the <code>main<\/code> index whose <code>EventCode<\/code> is anything other than <code>1<\/code>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"the-fields-command\"><strong>The fields command<\/strong><\/h4>\n\n\n\n<p>The <code>fields<\/code> command specifies which fields should be included or excluded in the search results. Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot; EventCode=1 | fields - User<\/code><\/pre>\n\n\n\n<p>After retrieving all process creation events from the <code>main<\/code> index, the <code>fields<\/code> command excludes the <code>User<\/code> field from the search results. 
Thus, the results will contain all fields normally found in the <a href=\"https:\/\/www.ultimatewindowssecurity.com\/securitylog\/encyclopedia\/event.aspx?eventid=90001\" target=\"_blank\" rel=\"noopener\">Sysmon Event ID 1<\/a> logs, except for the user that initiated the process.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"the-table-command\"><strong>The table command<\/strong><\/h4>\n\n\n\n<p>The <code>table<\/code> command presents search results in a tabular format. Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot; EventCode=1 | table _time, host, Image<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"the-rename-command\"><strong>The rename command<\/strong><\/h4>\n\n\n\n<p>The <code>rename<\/code> command renames a field in the search results. Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot; EventCode=1 | rename Image as Process<\/code><\/pre>\n\n\n\n<p>This command renames the <code>Image<\/code> field to <code>Process<\/code> in the search results. 
The <code>Image<\/code> field in Sysmon logs represents the executable file of the process.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"the-dedup-command\"><strong>The dedup command<\/strong><\/h4>\n\n\n\n<p>The <code>dedup<\/code> command removes duplicate events. Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot; EventCode=1 | dedup Image<\/code><\/pre>\n\n\n\n<p>This keeps only the first event returned for each distinct <code>Image<\/code> value.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"the-sort-command\"><strong>The sort command<\/strong><\/h4>\n\n\n\n<p>The <code>sort<\/code> command sorts the search results. Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot; EventCode=1 | sort - _time<\/code><\/pre>\n\n\n\n<p>This command sorts all process creation events in the <code>main<\/code> index in descending order of their timestamps (<code>_time<\/code>), i.e., the most recent events are shown first.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"the-stats-command\"><strong>The stats command<\/strong><\/h4>\n\n\n\n<p>The <code>stats<\/code> command performs statistical operations. 
Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot; EventCode=3 | stats count by _time, Image<\/code><\/pre>\n\n\n\n<p>This query will return a table where each row represents a unique combination of a timestamp (<code>_time<\/code>) and a process (<code>Image<\/code>). The <code>count<\/code> column indicates the number of network connection events that occurred for that specific process at that specific time.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"the-chart-command\"><strong>The chart command<\/strong><\/h4>\n\n\n\n<p>The <code>chart<\/code> command creates a data visualization based on statistical operations. Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot; EventCode=3 | chart count by _time, Image<\/code><\/pre>\n\n\n\n<p>This query will return a table where each row represents a unique timestamp (<code>_time<\/code>) and each column represents a unique process (<code>Image<\/code>).<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"the-eval-command\"><strong>The eval command<\/strong><\/h4>\n\n\n\n<p>The <code>eval<\/code> command creates or redefines fields. 
Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot; EventCode=1 | eval Process_Path=lower(Image)<\/code><\/pre>\n\n\n\n<p>This command creates a new field <code>Process_Path<\/code> which contains the lowercase version of the <code>Image<\/code> field. It doesn&#8217;t change the actual <code>Image<\/code> field, but creates a new field that can be used in subsequent operations or for display purposes.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"the-rex-command\"><strong>The rex command<\/strong><\/h4>\n\n\n\n<p>The <code>rex<\/code> command extracts new fields from existing ones using regular expressions. Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; EventCode=4662 | rex max_match=0 &quot;&#091;^%](?&lt;guid&gt;{.*})&quot; | table guid<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>rex max_match=0 &quot;[^%](?&lt;guid&gt;{.*})&quot;<\/code> uses the rex command to extract values matching the pattern from the events&#8217; fields. The regex pattern <code>{.*}<\/code> looks for substrings that begin with <code>{<\/code> and end with <code>}<\/code>. The <code>[^%]<\/code> part ensures that the match does not begin with a <code>%<\/code> character. The captured value within the curly braces is assigned to the named capture group <code>guid<\/code>.<\/li>\n\n\n\n<li>The <code>max_match=0<\/code> option ensures that all occurrences of the pattern are extracted from each event. 
By default, the <code>rex<\/code> command only extracts the first occurrence.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"the-lookup-command\"><strong>The lookup command<\/strong><\/h4>\n\n\n\n<p>The <code>lookup<\/code> command enriches the data with external sources. Example:<\/p>\n\n\n\n<p>Suppose the following CSV file called <code>malware_lookup.csv<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>filename, is_malware\nnotepad.exe, false\ncmd.exe, false\npowershell.exe, false\nsharphound.exe, true\nrandomfile.exe, true<\/code><\/pre>\n\n\n\n<p>This CSV file should be added as a new Lookup table as follows.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FJyMMfgkIvrnI7EgDPHVf%252F107.webp%3Falt%3Dmedia%26token%3D398683ab-6532-4698-9382-369aee287ae7&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=3d2aa256&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FH4QcRbLJyUvUhf5QSCFZ%252F108.webp%3Falt%3Dmedia%26token%3Dcb9a6110-50be-49ed-816e-9ff2f332597d&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=2d84d78b&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fjtv3ZIdxfD8U9DySi24z%252F109.webp%3Falt%3Dmedia%26token%3D6298d07c-79a5-49a8-8c75-93accea10e0a&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=9b5bf79f&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FsFCzFiNjWZ6FJL9MYMWN%252F110.webp%3Falt%3Dmedia%26token%3Dfc45745e-1054-4426-82ea-af8322130046&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=9d343cb0&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Copy<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot; EventCode=1 \n| rex field=Image &quot;(?P&lt;filename&gt;&#091;^\\\\\\]+)$&quot; \n| eval filename=lower(filename) \n| lookup malware_lookup.csv filename OUTPUTNEW is_malware \n| table filename, is_malware<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>| rex field=Image &quot;(?P&lt;filename&gt;[^\\\\\\]+)$&quot;<\/code>: This command is using the regular expression (regex) to extract a part of the Image field. The Image field in Sysmon EventCode=1 logs typically contains the full file path of the process. This regex is saying: Capture everything after the last backslash (which should be the filename itself) and save it as filename.<\/li>\n\n\n\n<li><code>| lookup malware_lookup.csv filename OUTPUTNEW is_malware<\/code>: This command is performing a lookup operation using the filename as a key. The lookup table (malware_lookup.csv) is expected to contain a list of filenames of known malicious executables. 
If a match is found in the lookup table, the new field <code>is_malware<\/code> is added to the event, which indicates whether or not the process is considered malicious based on the lookup table.<\/li>\n<\/ul>\n\n\n\n<p>In summary, this query is extracting the filenames of newly created processes, converting them to lowercase, comparing them against a list of known malicious filenames, and presenting the findings in a table.<\/p>\n\n\n\n<p>An equivalent that also removes duplicates is the following.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot; EventCode=1 \n| eval filename=mvdedup(split(Image, &quot;\\\\&quot;)) \n| eval filename=mvindex(filename, -1) \n| eval filename=lower(filename) \n| lookup malware_lookup.csv filename OUTPUTNEW is_malware \n| table filename, is_malware \n| dedup filename, is_malware<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>| eval filename=mvdedup(split(Image, &quot;\\\\&quot;))<\/code>: This command is splitting the <code>Image<\/code> field, which contains the file path, into multiple elements at each backslash and making it a multivalue field. The <code>mvdedup<\/code> function is used to eliminate any duplicates in this multivalue field.<\/li>\n\n\n\n<li><code>| eval filename=mvindex(filename, -1)<\/code>: Here, the <code>mvindex<\/code> function is being used to select the last element of the multivalue field generated in the previous step. 
In the context of a file path, this would typically be the actual file name.<\/li>\n<\/ul>\n\n\n\n<p>In summary, this SPL query searches the Sysmon logs for process creation events, extracts the file name from the <code>Image<\/code> field, converts it to lowercase, matches it against a list of known malware from the <code>malware_lookup.csv<\/code> file, and then displays the results in a table, removing any duplicates based on the <code>filename<\/code> and <code>is_malware<\/code> fields.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"the-inputlookup-command\"><strong>The inputlookup command<\/strong><\/h4>\n\n\n\n<p>The <code>inputlookup<\/code> command retrieves data from a lookup file without joining it to the search results. Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>| inputlookup malware_lookup.csv<\/code><\/pre>\n\n\n\n<p>This command retrieves all records from the <code>malware_lookup.csv<\/code> file. The result is not joined with any search results but can be used to verify the content of the lookup file or for subsequent operations like filtering or joining with other datasets.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"time-range\"><strong>Time Range<\/strong><\/h4>\n\n\n\n<p>Every event in Splunk has a timestamp. Using the time range picker or the <code>earliest<\/code> and <code>latest<\/code> time modifiers, you can limit searches to specific time periods. 
Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; earliest=-7d EventCode!=1<\/code><\/pre>\n\n\n\n<p>Here <code>earliest=-7d<\/code> limits the search to events from the last seven days.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"the-transaction-command\"><strong>The transaction command<\/strong><\/h4>\n\n\n\n<p>The <code>transaction<\/code> command is used in Splunk to group events that share common characteristics into transactions, often used to track sessions or user activities that span across multiple events. Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot; (EventCode=1 OR EventCode=3) \n| transaction Image startswith=eval(EventCode=1) endswith=eval(EventCode=3) maxspan=1m \n| table Image \n| dedup Image<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>| transaction Image startswith=eval(EventCode=1) endswith=eval(EventCode=3) maxspan=1m<\/code>: The transaction command is used here to group events based on the <code>Image<\/code> field, which represents the executable or script involved in the event. This grouping is subject to the conditions: the transaction starts with an event where <code>EventCode<\/code> is <code>1<\/code> and ends with an event where <code>EventCode<\/code> is <code>3<\/code>. The <code>maxspan=1m<\/code> clause limits the transaction to events occurring within a 1-minute window. 
The transaction command can link together related events to provide a better understanding of the sequences of activities happening within a system.<\/li>\n<\/ul>\n\n\n\n<p>In summary, this query aims to identify sequences of activities (process creation followed by a network connection) associated with the same executable or script within a 1-minute window.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"subsearches\"><strong>Subsearches<\/strong><\/h4>\n\n\n\n<p>A subsearch in Splunk is a search that is nested inside another search. It&#8217;s used to compute a set of results that are then used in the outer search. Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot; EventCode=1 NOT \n&#091; search index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot; EventCode=1 | top limit=100 Image | fields Image ] \n| table _time, Image, CommandLine, User, ComputerName<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>NOT []<\/code>: The square brackets contain the subsearch. By placing <code>NOT<\/code> before it, the main search will exclude any results that are returned by the subsearch.<\/li>\n\n\n\n<li><code>search index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot; EventCode=1 | top limit=100 Image | fields Image<\/code>: The subsearch that fetches <code>EventCode=1<\/code> (Process Creation) events, then uses the <code>top<\/code> command to return the 100 most common <code>Image<\/code> (process) names.<\/li>\n<\/ul>\n\n\n\n<p>This query can help to highlight unusual or rare processes, which may be worth investigating for potential malicious activity. 
Be sure to adjust the limit in the subsearch as necessary to fit your environment.<\/p>\n\n\n\n<p>As with any language, proficiency comes with practice and experience. Find below some excellent resources to start with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/docs.splunk.com\/Documentation\/SCS\/current\/SearchReference\/Introduction\" target=\"_blank\" rel=\"noopener\">https:\/\/docs.splunk.com\/Documentation\/SCS\/current\/SearchReference\/Introduction<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/docs.splunk.com\/Documentation\/SplunkCloud\/latest\/SearchReference\/\" target=\"_blank\" rel=\"noopener\">https:\/\/docs.splunk.com\/Documentation\/SplunkCloud\/latest\/SearchReference\/<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/docs.splunk.com\/Documentation\/SplunkCloud\/latest\/Search\/\" target=\"_blank\" rel=\"noopener\">https:\/\/docs.splunk.com\/Documentation\/SplunkCloud\/latest\/Search\/<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"how-to-identify-the-available-data\">How To Identify The Available Data<\/h3>\n\n\n\n<p><strong>Data and field identification approach 1: Leverage Splunk&#8217;s Search &amp; Reporting Application (SPL)<\/strong><\/p>\n\n\n\n<p>Splunk can ingest a wide variety of data sources. We classify these data sources into source types that dictate how Splunk formats the incoming data. 
To identify the available indexes and source types, we can run the following SPL commands, after selecting the suitable time range in the time picker of the Search &amp; Reporting application.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>| eventcount summarize=false index=* | table index<\/code><\/pre>\n\n\n\n<p>This query uses <code>eventcount<\/code> to count events in all indexes, then <code>summarize=false<\/code> is used to display counts for each index separately, and finally, the <code>table<\/code> command is used to present the data in tabular form.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>| metadata type=sourcetypes<\/code><\/pre>\n\n\n\n<p>This search uses the <code>metadata<\/code> command, which provides us with various statistics about specified indexed fields. Here, we&#8217;re focusing on <code>sourcetypes<\/code>. The result is a list of all <code>sourcetypes<\/code> in our Splunk environment, along with additional metadata such as the first time a source type was seen (<code>firstTime<\/code>), the last time it was seen (<code>lastTime<\/code>), and the number of hosts (<code>totalCount<\/code>).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>| metadata type=sourcetypes index=* | table sourcetype<\/code><\/pre>\n\n\n\n<p>Here, the <code>metadata<\/code> command retrieves metadata about the data in our indexes. The <code>type=sourcetypes<\/code> argument tells Splunk to return metadata about sourcetypes. The <code>table<\/code> command is used to present the data in tabular form.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>| metadata type=sources index=* | table source<\/code><\/pre>\n\n\n\n<p>This command returns a list of all data sources in the Splunk environment.<\/p>\n\n\n\n<p>Once we know our source types, we can investigate the kind of data they contain. 
Let&#8217;s say we are interested in a sourcetype named <code>WinEventLog:Security<\/code>; we can use the <code>table<\/code> command to present the raw data as follows.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sourcetype=&quot;WinEventLog:Security&quot; | table _raw<\/code><\/pre>\n\n\n\n<p>A better approach is to identify the fields you are interested in using the <code>fields<\/code> command as mentioned before, and then specifying those field names in the <code>table<\/code> command. Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sourcetype=&quot;WinEventLog:Security&quot; | fields Account_Name, EventCode | table Account_Name, EventCode<\/code><\/pre>\n\n\n\n<p>If we want to see a list of field names only, without the data, we can use the <code>fieldsummary<\/code> command instead.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sourcetype=&quot;WinEventLog:Security&quot; | fieldsummary<\/code><\/pre>\n\n\n\n<p>This search will return a table that includes every field found in the events returned by the search (across the sourcetype we&#8217;ve specified). 
The table includes several columns of information about each field:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>field<\/code>: The name of the field.<\/li>\n\n\n\n<li><code>count<\/code>: The number of events that contain the field.<\/li>\n\n\n\n<li><code>distinct_count<\/code>: The number of distinct values in the field.<\/li>\n\n\n\n<li><code>is_exact<\/code>: Whether the count is exact or estimated.<\/li>\n\n\n\n<li><code>max<\/code>: The maximum value of the field.<\/li>\n\n\n\n<li><code>mean<\/code>: The mean value of the field.<\/li>\n\n\n\n<li><code>min<\/code>: The minimum value of the field.<\/li>\n\n\n\n<li><code>numeric_count<\/code>: The number of numeric values in the field.<\/li>\n\n\n\n<li><code>stdev<\/code>: The standard deviation of the field.<\/li>\n\n\n\n<li><code>values<\/code>: Sample values of the field.<\/li>\n<\/ul>\n\n\n\n<p>Please note that the values provided by the <code>fieldsummary<\/code> command are calculated based on the events returned by our search. So if we want to see all fields within a specific <code>sourcetype<\/code>, we need to make sure our time range is large enough to capture all possible fields.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=* sourcetype=* | bucket _time span=1d \n| stats count by _time, index, sourcetype \n| sort - _time<\/code><\/pre>\n\n\n\n<p>This query retrieves all data (<code>index=* sourcetype=*<\/code>), then the <code>bucket<\/code> command is used to group the events based on the <code>_time<\/code> field into 1-day buckets. The <code>stats<\/code> command then counts the number of events for each day (<code>_time<\/code>), <code>index<\/code>, and <code>sourcetype<\/code>. 
Lastly, the <code>sort<\/code> command sorts the result in descending order of <code>_time<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=* sourcetype=* | rare limit=10 index, sourcetype<\/code><\/pre>\n\n\n\n<p>The <code>rare<\/code> command can help us identify uncommon event types, which might be indicative of abnormal behavior. This query retrieves all data and finds the 10 rarest combinations of indexes and sourcetypes.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; | rare limit=20 useother=f ParentImage<\/code><\/pre>\n\n\n\n<p>This command displays the 20 least common values of the <code>ParentImage<\/code> field.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=* sourcetype=* \n| fieldsummary \n| where count &lt; 100 \n| table field, count, distinct_count<\/code><\/pre>\n\n\n\n<p>This search shows a summary of all fields (<code>fieldsummary<\/code>), keeps only the fields that appear in fewer than 100 events (<code>where count &lt; 100<\/code>), and then displays a table (<code>table<\/code>) showing the field name, total count, and distinct count.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=* | sistats count by index, sourcetype, source, host<\/code><\/pre>\n\n\n\n<p>We can also use the <code>sistats<\/code> command to explore event diversity. This command counts the number of events per index, sourcetype, source, and host, which can provide us with a clear picture of the diversity and distribution of our data.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=* sourcetype=* \n| rare limit=10 field1, field2, field3<\/code><\/pre>\n\n\n\n<p>The <code>rare<\/code> command can also be used to find uncommon combinations of field values. Replace <code>field1<\/code>, <code>field2<\/code>, <code>field3<\/code> with the fields of interest. 
This command will display the 10 rarest combinations of these fields.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"practical-exercises\">Practical Exercises<\/h2>\n\n\n\n<p>1) Navigate to http:\/\/[Target IP]:8000, open the &#8220;Search &amp; Reporting&#8221; application, and find through an SPL search against all data the account name with the highest amount of Kerberos authentication ticket requests. Enter it as your answer.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Security&quot; EventCode=4769\n| stats count by Account_Name\n| sort - count<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FSZ70JqJPoZLjIRkVY1Nt%252FScreenshot%283%29.png%3Falt%3Dmedia%26token%3D41ffb93a-fee5-40b1-b0f5-ea31ed9037fd&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=c9d3ff4a&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Answer: waldo<\/p>\n\n\n\n<p>Strictly speaking, Event ID 4768 (&#8220;A Kerberos authentication ticket (TGT) was requested&#8221;) is the event that matches the wording of the question, while 4769, used above, records Kerberos service ticket (TGS) requests. Both are worth checking, since a single account with an outsized number of 4769 events is also what a Kerberoasting attempt looks like in the logs.<\/p>\n\n\n\n<p>2) Navigate to http:\/\/[Target IP]:8000, open the &#8220;Search &amp; Reporting&#8221; application, and find through an SPL search against all 4624 events the count of distinct computers accessed by the account name SYSTEM. 
Enter it as your answer.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Security&quot; EventCode=4624 \n| stats dc(ComputerName) as Unique_Computers by Account_Name\n| sort - Unique_Computers\n| search Account_Name=SYSTEM<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FlBaYp9McmCaTUluV57QI%252FScreenshot%284%29.png%3Falt%3Dmedia%26token%3De4125a4e-7360-4ffd-b885-2765d8e019cc&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=8926f427&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p><code>dc(ComputerName)<\/code> counts distinct hosts rather than events, and the final <code>search<\/code> keeps only the SYSTEM row. Keep in mind that <code>Account_Name<\/code> in a 4624 event is multi-valued (both the Subject account and the New Logon account are extracted into it), so <code>stats ... by Account_Name<\/code> produces one row per value and the SYSTEM row includes events where SYSTEM appears in either position.<\/p>\n\n\n\n<p>3) Navigate to http:\/\/[Target IP]:8000, open the &#8220;Search &amp; Reporting&#8221; application, and find through an SPL search against all 4624 events the account name that made the most login attempts within a span of 10 minutes. Enter it as your answer.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Security&quot; EventCode=4624 \n| stats count as login_attempts, range(_time) as time_range by Account_Name \n| where time_range &lt;= 600 \n| sort - login_attempts \n| head 1<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FveYrAWfZwZt9StyewVB2%252FScreenshot%285%29.png%3Falt%3Dmedia%26token%3D7ffbb447-4ec7-426e-b349-84776ebf9ebd&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=9a103b44&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Answer: aparsa<\/p>\n\n\n\n<p>Note what this search actually measures: <code>range(_time)<\/code> is the gap between an account&#8217;s first and last 4624 event, so <code>where time_range &lt;= 600<\/code> keeps only accounts whose logons all fall within a single 10-minute span and then picks the busiest of those. It does not slide a 10-minute window across each account&#8217;s history; for that, group <code>_time<\/code> into 10-minute buckets with <code>bin<\/code> before counting, or use <code>streamstats<\/code> with a <code>time_window<\/code>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What Is Splunk? Splunk is a highly scalable, versatile, and robust data analytics software solution known for its ability to ingest, index, analyze, and visualize massive amounts of machine data. Splunk has the capability to drive a wide range of initiatives, encompassing cybersecurity, compliance, data pipelines, IT monitoring, observability, as well as overall IT and&#8230;<\/p>\n","protected":false},"author":1,"featured_media":7538,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[30],"tags":[],"class_list":["post-7526","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-log-sources-investigating-with-splunk"],"_links":{"self":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/posts\/7526","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/comments?post=7526"}],"version-history":[{"count":1,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/posts\/7526\/revisions"}],"predecessor-version":[{"id":7528,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/posts\/7526\/revisions\/7528"}],"wp
:featuredmedia":[{"embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/media\/7538"}],"wp:attachment":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/media?parent=7526"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/categories?post=7526"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/tags?post=7526"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
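Added example for the data-overview section above (this is not code from the original page; it is an editor's addition). The page's daily `bucket`/`stats` query shows how much each source sent per day, but `stats` never emits a row for a day with zero events, so a source that went completely silent simply disappears from the table. The search below, which assumes nothing beyond the `index`, `sourcetype` and `_time` fields every Splunk event has, uses `timechart` instead, because it fills empty buckets with 0, then flattens the chart with `untable` and flags any day where a sourcetype sent nothing or less than half of its 14-day average. `latest=@d` excludes the current, still partial day so it cannot trigger a false low-volume alert. The 14-day window and the 50 percent threshold are assumptions to tune for your environment.

```spl
index=* earliest=-14d@d latest=@d
| timechart span=1d count BY sourcetype limit=0 useother=f
| untable _time sourcetype daily_count
| eventstats avg(daily_count) AS avg_daily BY sourcetype
| eval pct_of_avg=round(100*daily_count/avg_daily, 0)
| where daily_count=0 OR pct_of_avg < 50
| table _time, sourcetype, daily_count, avg_daily, pct_of_avg
| sort sourcetype, _time
```

A row with `daily_count=0` for a sourcetype such as the Windows Security log means that for a whole day no detection depending on that source could have fired; that is the check to run before trusting any "no results found" during an investigation. Saving this as a scheduled search turns the data-overview queries from the section above into a log-source health alert.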
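Added example for exercise 3 above (an editor's addition, not the page's own solution): a true 10-minute sliding window over each account's 4624 events. It assumes the same `index="main"`, `sourcetype="WinEventLog:Security"`, `Account_Name` and `ComputerName` fields the page uses, and it assumes that `Account_Name` in a 4624 event is multi-valued with the Subject account first and the New Logon account second, so `mvindex(Account_Name, 1)` picks the account that actually logged on (the field name `logon_user` is invented here). `streamstats` with `time_window=10m` counts, for every event, how many logons the same account produced within the preceding 10 minutes; `time_window` requires time-ordered input, which Splunk's default reverse-chronological search output already is, so no explicit `sort` is needed. The outer `stats` then keeps each account's peak window and the hosts involved.

```spl
index="main" sourcetype="WinEventLog:Security" EventCode=4624
| eval logon_user=mvindex(Account_Name, 1)
| streamstats time_window=10m count AS logins_in_window BY logon_user
| stats max(logins_in_window) AS peak_10m, dc(ComputerName) AS hosts, values(ComputerName) AS host_list BY logon_user
| sort - peak_10m
| head 5
```

`bin _time span=10m` followed by `stats count BY _time, logon_user` is the cheaper fixed-bucket variant of this search, and it is often good enough, but fixed buckets can split one burst of logons across two bins and under-count it; the sliding window does not have that problem. Whichever form you use, an account with a high `peak_10m` and a high `hosts` count is the pattern of password spraying or lateral movement rather than of a user typing a password, and it is worth pivoting on `Logon_Type` and source address next.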