🔵Fixit

Fixit

INTRO

Fixit is a blue-themed room aimed at testing knowledge of Splunk, prepared by Dex01.

Link to the room: https://tryhackme.com/r/room/fixit

Fix event boundaries

Fix the Event Boundaries in Splunk. As the image below shows, Splunk cannot determine the Event boundaries, as the events are coming from an unknown device.

Questions part 1

What is the full path of the FIXIT app directory?

/opt/splunk/etc/apps/fixit

What Stanza will we use to define Event Boundary in this multi-line Event case?

BREAK_ONLY_BEFORE - Specifies a regular expression pattern that marks the end of an event. It is used to identify patterns in the data that indicate the completion of an event.

Nice table about santzas you can find in this THM room: https://tryhackme.com/r/room/splunkdatamanipulation

In the inputs.conf, what is the full path of the network-logs script?

What regex pattern will help us define the Event's start?

Considering that the logs are under the name network-log, we will create a props.conf file with this regex.

[network_logs]
SHOULD_LINEMERGE =true
BREAK_ONLY_BEFORE = \[Network-log\]
TRANSFORM-network = network_custom_fields

This is how the content of the file should look, saved in /opt/splunk/etc/apps/fixit/default#.

[network_logs]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = \[Network-log\]
TRANSFORMS-network = network_custom_fields[network_custom_fields]
REGEX = \[Network-log\]:\sUser\snamed\s([\w\s]+)\sfrom\s([\w]+)\sdepartment\saccessed\sthe\sresource\s([\w]+\.[\w]+\/[\w-]+\.[\w]+)\sfrom\sthe\ssource\sIP\s((?:[0-9]{1,3}\.){3}[0-9]{1,3})\sand\scountry\s([\w\s]+)(?=\s+at:)
FORMAT = Username::$1 Country::$5 Source_IP::$4 Department::$2 Domain::$3

Extract Custom Fields

Once the event boundaries are defined, it is time to extract the custom fields to make the events searchable.

Username
Country
Source_IP
Department
Domain

💡 NOTE: To apply the changes, you need to restart Splunk using the command `/opt/splunk/bin/splunk restart`.

We will start by creating a fields.conf file in which we will "select" which fields we will include, of course using the previously provided list:

[Username]
INDEXED = true

[Country]
INDEXED = true

[Source IP]
INDEXED = true

[Department]
INDEXED = true

[Domain]
INDEXED = true

Contents of the fields.conf file

Next, we need to tell Splunk what these fields look like by using the newly created transforms.conf file:

[network_custom_fields]
REGEX = \[Network-log\]:\sUser\snamed\s([\w\s]+)\sfrom\s([\w]+)\sdepartment\saccessed\sthe\sresource\s([\w]+\.[\w]+\/[\w-]+\.[\w]+)\sfrom\sthe\ssource\sIP\s((?:[0-9]{1,3}\.){3}[0-9]{1,3})\sand\scountry\s([\w\s]+)(?=\s+at:)
FORMAT = Username::$1 Country::$5 Source_IP::$4 Department::$2 Domain::$3
WRITE_META = true

Contents of the transforms.conf file

Next, just like a moment ago, we will restart Splunk.

Questions part 2

What is the captured domain?

The answer immediately stands out.

Cybertees.THM

How many countries are captured in the logs?

To answer this question, simply click on “4 more fields” in the menu on the left and select country.

The answer will then appear.

How many departments are captured in the logs?

In the same way, we can find the answer to this question; simply select department instead of country.

How many usernames are captured in the logs?

In the same way, we can find the answer to this question; simply select username instead of country.

How many source IPs are captured in the logs?

You know the drill at this point 😁

Which configuration files were used to fix our problem? [Alphabetic order: File1, file2, file3]

fields.conf, props.conf, transforms.conf

What are the TOP two countries the user Robert tried to access the domain from? [Answer in comma-separated and in Alphabetic Order][Format: Country1, Country2]

We can verify this by filtering by user and then clicking on the country field. We see that the most common countries are Canada and the USA.

Which user accessed the secret-document.pdf on the website?

We can filter it as shown in the screenshot:

sarah hall

Conclusion

A solid room summarizing the Splunk module on TryHackMe. As usual, I learned a lot and had a lot of fun doing it.😉 See you soon😁😎

PreviousTryHack3M Subscribe NextDead End

Last updated 1 year ago

hashtagFixit

hashtagINTRO

hashtagFix event boundaries

hashtagQuestions part 1

hashtagWhat is the full path of the FIXIT app directory?

hashtagWhat Stanza will we use to define Event Boundary in this multi-line Event case?

hashtagIn the inputs.conf, what is the full path of the network-logs script?

hashtagWhat regex pattern will help us define the Event's start?

hashtagExtract Custom Fields

hashtagQuestions part 2

hashtagWhat is the captured domain?

hashtagHow many countries are captured in the logs?

hashtagHow many departments are captured in the logs?

hashtagHow many usernames are captured in the logs?

hashtagHow many source IPs are captured in the logs?

hashtagWhich configuration files were used to fix our problem? [Alphabetic order: File1, file2, file3]

hashtagWhat are the TOP two countries the user Robert tried to access the domain from? [Answer in comma-separated and in Alphabetic Order][Format: Country1, Country2]

hashtagWhich user accessed the secret-document.pdf on the website?

hashtagConclusion