Identifying a threat using SIEM data

For this task you are going to detect and identify a threat in a Windows 7 system. Refer to previous labs for guidance here.

1. Log in to the Windows 10 system.
2. Open the Splunk link on the Desktop. Log in with admin/changeme.
3. Go to Search.
4. Create and run a search query that identifies:
   a. new accounts that have been created on the system in the past 7 days
   b. accounts that have been added to security-enabled groups such as Administrators or Remote Desktop Users
5. Display the output of the query in a table that shows:
   a. EventCode
   b. Group_Name
   c. Account_Name
6. Paste a screenshot of the query and the output over the image in the table below.
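One way to build the search in step 4, added here as an example and not part of the lab answer key: it pulls the Windows Security events for account creation (EventCode 4720) and for a member being added to a security-enabled local, global or universal group (4732, 4728, 4756), keeps only the groups the task names plus the creation events, and tables the three requested fields. The index name and sourcetype are assumptions; adjust them to match how the lab's Windows logs are onboarded.

```spl
index=main sourcetype="WinEventLog:Security" earliest=-7d
    (EventCode=4720 OR EventCode=4728 OR EventCode=4732 OR EventCode=4756)
| search EventCode=4720
    OR Group_Name="Administrators"
    OR Group_Name="Remote Desktop Users"
| eval Group_Name=if(EventCode=4720, "(new account created)", Group_Name)
| table _time, EventCode, Group_Name, Account_Name
| sort -_time
```

Account_Name is a multivalue field in these events (it holds both the subject that performed the action and the target account), so both names will appear in the column; a creation event immediately followed by an add-to-Administrators event for the same name is the pattern to look for.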