
Detailed Report on VU23225 Investigate Windows Security Features – Lesson 05

Overview

The document titled “VU23225 Investigate Windows Security Features – Lesson 05” focuses on operating Splunk as a SIEM. It covers importing data into the SIEM, setting up log forwarding from Windows endpoints, and running basic searches. The aim is hands-on familiarity with Splunk for log analysis and security monitoring.

1. Objectives

The lesson sets out the following objectives:

  • Import data into a SIEM.
  • Set up forwarding of log data from a Windows endpoint into a SIEM.
  • Perform basic SIEM commands.

2. Import Log Data into a SIEM

This section explains the process of importing log data into Splunk.

Getting the Data In:

  • Splunk offers multiple ways to handle data import and indexing.
  • The example uses the sample data set that accompanies the Splunk Enterprise Search Tutorial in Splunk's documentation.

Manually Uploading Formatted Data:

  1. Select Source: Upload the zipped tutorial file, which contains web server access logs and other server data.
  2. Select Source Type: Splunk usually recognizes the data format and selects the correct source type automatically. Check the event preview before continuing; if event breaking or timestamps look wrong, pick the source type by hand.
  3. Select Input Settings: Set the host value and the target index for the data.
  4. Review Data Input Settings: Verify the settings and submit.

Conclusion:

  • Manual data upload suits one-off analysis of historical data; it is not a practical way to ingest data continuously.
  • For live data, install a universal forwarder on the endpoint (Windows or Linux), or point syslog-capable Linux hosts and network devices at a Splunk network (TCP/UDP) input.

3. Universal Forwarders

A universal forwarder is a lightweight component that collects and forwards data to Splunk indexers.

Features:

  • Data Collection: From log files, OS metrics, network traffic, event logs, and application outputs.
  • Lightweight: Minimal system resource usage.
  • Data Forwarding: Transmission to a central Splunk deployment, normally to the indexer's receiving port (9997 by default).
  • Encryption and Compression: Forwarder-to-indexer traffic can be TLS-encrypted and compressed, but neither is on by default; both are configured on the forwarder (outputs.conf) and the receiver (inputs.conf). Leave unencrypted forwarding for lab use only, since Windows event logs carry account names, hostnames and process details.
  • Configuration Management: Centrally managed through configuration files or deployment tools.
  • Add-on Support: Extendable with Splunk add-ons for specific data sources and formats.

Installing a Universal Forwarder in Windows:

  1. Download the Forwarder: Choose the build that matches the endpoint's operating system and architecture (the 64-bit Windows MSI for a modern Windows host).
  2. Installation Steps: Run the installer, accept the licence, enter the receiving indexer's host and port (9997 by default), select which Windows event logs (Security, System, Application) to collect, and start the forwarder service. The indexer must already be configured to receive on that port, or the forwarder will queue data locally and nothing will appear in searches.
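The install steps above, as an added example that is not part of the lesson: an unattended install of the Universal Forwarder from PowerShell, using the MSI properties Splunk documents for the Windows installer, followed by the checks a practitioner would run before trusting the endpoint's logs. The MSI path, the indexer hostname and the local forwarder admin account are hypothetical values; PowerShell 7 is not required, but the session must be elevated.

```powershell
# Added example (not from the lesson): unattended Universal Forwarder install on a
# Windows endpoint, pointed at the receiving indexer, with post-install checks.
# Hypothetical values: $Msi, $Indexer, $AdminUser. The indexer is assumed to be
# listening already (Settings > Forwarding and receiving > Configure receiving,
# or `splunk enable listen 9997` on the indexer).
#Requires -RunAsAdministrator

$Msi        = 'C:\Temp\splunkforwarder-x64.msi'             # downloaded 64-bit MSI (assumed path)
$Indexer    = 'indexer.example.internal:9997'               # receiving indexer host:port (assumed)
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'   # installer's default location
$AdminUser  = 'fwdadmin'                                    # local UF admin account (assumed name)
$AdminPass  = Read-Host -AsSecureString 'Forwarder admin password'
$PlainPass  = [System.Net.NetworkCredential]::new('', $AdminPass).Password

# Splunk's documented MSI properties. The installer writes them into
# $SplunkHome\etc\system\local\inputs.conf and outputs.conf.
# Caveat: SPLUNKPASSWORD is visible on the msiexec command line while it runs;
# in production push the forwarder with a deployment tool instead.
$msiArgs = @(
    '/i', "`"$Msi`"",
    'AGREETOLICENSE=Yes',
    "RECEIVING_INDEXER=`"$Indexer`"",   # becomes the [tcpout] target in outputs.conf
    'WINEVENTLOG_SEC_ENABLE=1',          # Security event log
    'WINEVENTLOG_SYS_ENABLE=1',          # System event log
    'WINEVENTLOG_APP_ENABLE=1',          # Application event log
    "SPLUNKUSERNAME=$AdminUser",
    "SPLUNKPASSWORD=`"$PlainPass`"",
    'LAUNCHSPLUNK=1',                    # start the SplunkForwarder service when done
    '/quiet', '/norestart',
    '/L*v', 'C:\Temp\uf-install.log'
)
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    throw "msiexec exited with $($proc.ExitCode); see C:\Temp\uf-install.log"
}

# Post-install checks: service running, forwarding target active, inputs enabled.
$splunk = Join-Path $SplunkHome 'bin\splunk.exe'
Get-Service -Name SplunkForwarder | Select-Object Status, StartType
& $splunk list forward-server -auth "${AdminUser}:${PlainPass}"   # indexer should be under "Active forwards"
& $splunk list inputstatus    -auth "${AdminUser}:${PlainPass}"   # the three WinEventLog inputs should be listed

# Independent of Splunk's own view: can this host reach the receiving port at all?
$hostName, $port = $Indexer -split ':'
Test-NetConnection -ComputerName $hostName -Port ([int]$port) | Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

On the indexer side, confirm arrival with a search such as `index=* host=<endpoint name> sourcetype=WinEventLog:Security | head 5`; if `list forward-server` shows the indexer under "Configured but inactive", the receiving port is not open or not enabled on the indexer.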

4. Perform Basic SIEM Commands

This section covers the basics of Splunk’s Search Processing Language (SPL) and command usage.

SPL Components:

  1. Search Terms: Keywords and field=value pairs that select events.
  2. Commands: Actions performed on the selected events (e.g., charting, statistics).
  3. Functions: Calculations applied by commands (e.g., count, avg).
  4. Arguments: Values and field names passed to commands and functions.
  5. Clauses: Keywords such as BY and AS that group results or name them.

Search Bar:

  • Search & Filter: The base search comes first; further commands are chained with a pipe |, each receiving the results of the one before it.
  • Commands and Functions: Various commands and functions to process search results.

Basic Search:

  • Wildcard Support: Use * to match any run of characters (fail* matches failed and failure). A leading wildcard (*fail) cannot use the index efficiently and is slow on large data sets.
  • Booleans: AND, OR, NOT must be uppercase; terms written side by side are implicitly ANDed.
  • Complex Searches: Use parentheses and quotes.

Search Assistant:

  • Automated Assistance: Displays operators, commands, arguments, and functions in different colors.

Comparison Operators:

  • Various operators to compare values (=, !=, <, <=, >, >=).

Search Limitations:

  • Each command operates only on the events passed to it by the previous one, so filtering as early as possible (in the base search) keeps the later commands cheap.

Result-Shaping Commands:

  • Fields Command: Includes (fields a, b) or excludes (fields - a, b) fields from the results; dropping unneeded fields early improves performance.
  • Table Command: Returns only the named fields, laid out as a table with one column per field.
  • Rename Command: Renames a field; commands later in the pipeline must use the new name, because the old name no longer exists.
  • Dedup Command: Keeps only the first event for each distinct value of the named field(s) and discards the rest.
  • Sort Command: Sorts results ascending by default; prefix a field with - for descending (sort -count).
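The commands listed above, as an added example that is not part of the lesson: the same searches a student would type into the search bar, run from PowerShell against Splunk's REST management API (port 8089) so the results can be scripted. It assumes the tutorial data has been uploaded into index=main as in section 2, a hypothetical search head hostname, a user with search rights, and PowerShell 7 or later for `-SkipCertificateCheck` (the management port ships with a self-signed certificate). The field names clientip, status and uri are the ones Splunk extracts for the access_combined_wcookie source type.

```powershell
# Added example (not from the lesson): run SPL pipelines through the REST API.
# Hypothetical values: $SplunkHost and the credential. Requires PowerShell 7+.

$SplunkHost = 'splunk.example.internal'
$Cred       = Get-Credential -Message 'Splunk user with search rights'
$Base       = "https://${SplunkHost}:8089"

function Invoke-SplunkSearch {
    # Submit an SPL pipeline to /services/search/jobs/export and return one
    # object per result row. The export endpoint streams newline-delimited JSON;
    # each line carries a row under its "result" member (preview rows are skipped).
    param(
        [Parameter(Mandatory)] [string] $Spl,
        [string] $Earliest = '-7d'
    )
    $pair   = '{0}:{1}' -f $Cred.UserName, $Cred.GetNetworkCredential().Password
    $header = @{ Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair)) }
    $body   = @{
        search        = 'search ' + ($Spl -replace "`r?`n", ' ')   # SPL must start with a command; newlines become spaces
        output_mode   = 'json'
        earliest_time = $Earliest
        latest_time   = 'now'
    }
    $resp = Invoke-WebRequest -Method Post -Uri "$Base/services/search/jobs/export" `
                              -Headers $header -Body $body -SkipCertificateCheck
    foreach ($line in ($resp.Content -split "`n")) {
        if (-not $line.Trim()) { continue }
        $obj = $line | ConvertFrom-Json
        if ($obj.result -and -not $obj.preview) { [pscustomobject]$obj.result }
    }
}

# 1. fields + dedup + table: one row per client that received a 4xx/5xx response.
#    fields runs early so dedup and table handle less data per event.
Invoke-SplunkSearch @'
index=main sourcetype=access_combined_wcookie status>=400
| fields clientip, status, uri
| dedup clientip
| table clientip, status, uri
'@ | Format-Table -AutoSize

# 2. stats + rename + sort: failure count per client, ten busiest first.
#    After rename, the field exists only as source_ip; referring to clientip
#    later in this pipeline would silently match nothing.
Invoke-SplunkSearch @'
index=main sourcetype=access_combined_wcookie status>=400
| stats count AS failures BY clientip
| rename clientip AS source_ip
| sort 10 -failures
'@ | Format-Table -AutoSize
```

Because `Invoke-SplunkSearch` emits ordinary objects, the second pipeline's output can be piped on to `Export-Csv` or compared against an allow-list of known scanner addresses; the SPL strings themselves are exactly what would be pasted into the search bar, so the function is a thin transport layer rather than a different query language.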

Conclusion

The document provides a comprehensive guide to operating Splunk as a SIEM tool, covering data import methods, setting up universal forwarders, and performing basic SIEM commands. It emphasizes the importance of understanding SPL components and commands to effectively analyze and monitor security data. Additionally, it offers resources for further training and hands-on practice with Splunk.
