Project Objective: Navigate and perform basic searches in Splunk.
Tools: Kali Linux, Ubuntu, Splunk
SIEM
What is a SIEM?
Security Information and Event Management (SIEM) is a software solution that collects data from various network resources, for example servers and firewalls, then aggregates and analyzes the collected data to discover and detect threats and other security events. It enables organizations to investigate alerts effectively.
Splunk
Splunk is a popular SIEM tool that captures, analyzes, and correlates high volumes of real-time network data, which can be used to generate alerts and reports. It aids security professionals in security monitoring and provides the relevant intelligence they need to respond to potential threats and malicious events more effectively and efficiently.
Splunk Enterprise Environment
I installed and launched a Splunk forwarder on an Ubuntu machine (responsible for collecting data from the Ubuntu machine for analysis) and a Splunk Indexer on a Kali Linux machine (responsible for storing and analyzing collected data).
Logged in and accessed the main Splunk interface on my Kali Linux machine.
Navigated to the Search screen to perform our search. To look for possible failed events associated with user accounts on the Ubuntu machine, we simply enter the key term ‘failed’ and search.
We can see a few failed events associated with both the ubuntu user account and the root user account (superuser). For the first two events, a user with IP address 223.21.255.255 tried to access both the ubuntu and root user accounts via SSH over ports 4411 and 8000 but failed to gain access. This data was collected from the /var/log/splunk/default/linux_s_30DAY.log file on the machine. Security professionals can use such data to investigate potentially malicious events and improve security operations in order to prevent breaches.
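To show what the ‘failed’ search above is actually doing against the raw log, here is an added Python example (not part of the original write-up and not Splunk code) that filters a handful of constructed sshd log lines for failed password attempts, extracts the user, source IP and port from each, and rolls them up per user and source, which is the same grouping an analyst would read off the Splunk results. The IP, user names and ports in the sample reuse the values mentioned above; the timestamps, host name, PIDs and the second source address are made up, and the line format assumed is the standard Linux sshd syslog format.

```python
import re
from collections import Counter

# Constructed sample lines in sshd syslog format (assumed format). The first two
# mirror the events described in the write-up; the rest are invented filler.
SAMPLE_LOG = """\
Mar 30 10:01:12 ubuntu sshd[2113]: Failed password for ubuntu from 223.21.255.255 port 4411 ssh2
Mar 30 10:01:19 ubuntu sshd[2113]: Failed password for root from 223.21.255.255 port 8000 ssh2
Mar 30 10:02:03 ubuntu sshd[2120]: Accepted password for ubuntu from 10.0.0.5 port 51022 ssh2
Mar 30 10:02:45 ubuntu sshd[2131]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar 30 10:03:10 ubuntu sshd[2131]: Failed password for root from 198.51.100.7 port 40123 ssh2
"""

# Matches only failed password attempts; "invalid user" appears when the
# account does not exist on the host, so it is skipped over optionally.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_failed_logins(log_text):
    """Return one dict (user, src_ip, port) per failed sshd login line.

    This is the keyword search for 'failed' narrowed to sshd events.
    """
    events = []
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            event = match.groupdict()
            event["port"] = int(event["port"])
            events.append(event)
    return events


def count_by_user_and_ip(events):
    """Roll failures up per (user, source IP) pair, like a stats-by grouping."""
    return Counter((e["user"], e["src_ip"]) for e in events)


def sources_exceeding(events, threshold):
    """Source IPs with at least `threshold` failed attempts, sorted for display.

    A repeated-failure threshold is a common starting point for an alert rule.
    """
    per_ip = Counter(e["src_ip"] for e in events)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_LOG)
    for e in events:
        print(f"failed login: user={e['user']} src={e['src_ip']} port={e['port']}")
    for (user, ip), n in count_by_user_and_ip(events).items():
        print(f"{user:<8} {ip:<16} {n}")
    print("sources with 2+ failures:", sources_exceeding(events, 2))
```

Running the script prints the four failed attempts, the per-user/per-IP counts, and both source addresses flagged at the two-failure threshold; the successful "Accepted password" line is correctly left out, which is the distinction the plain keyword search relies on.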
A SIEM is a security tool that organizations should implement to provide enterprise-wide visibility and give security teams the critical data sets they need to meet compliance requirements, detect suspicious events, identify malicious incidents, and prevent and respond to security events in real time to minimize damage.