
Project 10: Using Splunk and Chronicle

  • Writer: Ben Lee
  • Jun 26, 2023
  • 2 min read

Updated: Jul 10, 2023

Getting familiar with different types of SIEMs


Today I'll be using Splunk and Chronicle as required by Google's Cybersecurity program.


First off, I'll be doing simple search queries on Splunk. After creating an account and starting the free trial, I was presented with the main dashboard.


Since I don't have any existing data for the software, I'll be using a zip file containing data provided by Google and uploading the file into Splunk.



The result has over 100,000 events.



I narrowed down my search by clicking 'host' and then clicking 'mailsv' to search for events generated by the mail server.



The result came to over 9,000 events.



The goal is to search for a failed login for root. To achieve this, I typed in 'index=main host=mailsv fail* root' into the search bar.


This searches for the keyword fail*. The wildcard (*) tells Splunk to expand the search term to find other terms that contain the word fail such as failure, failed, etc. Lastly, the keyword root searches for any event that contains the term root.
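As an added example (not code from the post or from Google's course materials), here is a small Python re-implementation of what that search does: each key=value term filters on an event field such as host, each bare keyword must match a whole token of the raw event, and * expands to any characters. The events and the mail server log lines are constructed for the example.

```python
import fnmatch
import re

# Constructed sample events, modelled on the fields Splunk attaches at upload
# time (index, host) plus the raw line. They are not from Google's data set.
SAMPLE_EVENTS = [
    {"index": "main", "host": "mailsv",
     "_raw": "Jun 26 10:01:02 mailsv sshd[1234]: Failed password for root from 203.0.113.5 port 4222 ssh2"},
    {"index": "main", "host": "mailsv",
     "_raw": "Jun 26 10:01:05 mailsv sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4223 ssh2"},
    {"index": "main", "host": "mailsv",
     "_raw": "Jun 26 10:02:11 mailsv sshd[1240]: Accepted publickey for root from 198.51.100.7 port 5000 ssh2"},
    {"index": "main", "host": "mailsv",
     "_raw": "Jun 26 10:03:40 mailsv postfix/smtpd[77]: warning: authentication failure for user root"},
    {"index": "main", "host": "www1",
     "_raw": "Jun 26 10:04:00 www1 sshd[88]: Failed password for root from 203.0.113.9 port 4000 ssh2"},
    {"index": "main", "host": "mailsv",
     "_raw": "Jun 26 10:05:00 mailsv cron[9]: (root) CMD (run-parts /etc/cron.hourly)"},
]


def parse_query(query):
    """Split an SPL-style search into field filters (key=value) and keyword terms."""
    fields, terms = {}, []
    for tok in query.split():
        key, sep, value = tok.partition("=")
        if sep and key.isidentifier():
            fields[key] = value
        else:
            terms.append(tok)
    return fields, terms


def term_matches(term, raw):
    """Case-insensitive match of one keyword (optional * wildcard) against the event's tokens."""
    tokens = re.findall(r"\w+", raw.lower())
    return any(fnmatch.fnmatchcase(tok, term.lower()) for tok in tokens)


def search(events, query):
    """Return the events that satisfy every field filter and every keyword term."""
    fields, terms = parse_query(query)
    hits = []
    for ev in events:
        if any(ev.get(k, "").lower() != v.lower() for k, v in fields.items()):
            continue
        if all(term_matches(t, ev["_raw"]) for t in terms):
            hits.append(ev)
    return hits
```

Running `search(SAMPLE_EVENTS, "index=main host=mailsv fail* root")` keeps only the two mailsv lines that contain both a fail-prefixed token and root; the www1 failure and the successful root login are excluded, which is the narrowing the post describes.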


The result came down to over 300 events.




This concludes my first Splunk experience.


Next up is Google's Chronicle.



For this activity, I'll analyze signin.office365x24.com which is a phishing site.



The result:


I clicked office365x24.com in the Top Private Domain section to open the domain view of the site. Then I used the integrated VirusTotal tool and analyzed the results.



Then I went back to signin.office365x24.com and clicked on the ET INTELLIGENCE REP LIST insight card to analyze the results. Chronicle listed this website as a dropsite for logs or stolen credentials.



After that, I analyzed the assets and timeline of this dropsite by accessing the left tab of the overlay.



So far, I have collected information about the domain's reputation using threat intelligence, and I identified the assets and events associated with the domain. Based on this information, it's clear that this domain is suspicious and most likely malicious. But before I can confirm that it is malicious, there's one last thing left to investigate.


Attackers sometimes reuse infrastructure for multiple attacks. In these cases, multiple domain names resolve to the same IP address.


Under RESOLVED IPS, I clicked the IP address 40.100.174.34 and then analyzed the timeline, assets, and the domains associated with this IP.



That concludes my first experience with Chronicle and today's activity.
