
Lab: Analyzing Machine Data with Splunk

Due Date if submitting this lab as Lab 5: April 18, 2019, 11:59pm
Due Date if submitting this lab as extra credit: April 25, 2019, 11:59pm

Learning objectives

1. Conduct searches on log data from an e-commerce shopping cart
2. Create an informative dashboard
3. Use Splunk to search for failed password attempts
4. Describe categories of machine data
5. Gain an introduction to how data analytics applies to information security management

Getting Started

1. Create an account to access a free trial version of Splunk Cloud:
   https://www.splunk.com/en_us/download.html (You will not be downloading any software)

2. Download the Splunk Search Tutorial PDF document from either Blackboard or Splunk:
   http://docs.splunk.com/Documentation/SplunkCloud/7.0.0/SearchTutorial/WelcometotheSearchTutorial

3. Download data for the Splunk Search Tutorial from Blackboard.

As part of this lab, we will complete Parts 2-5 and 7 of the Splunk “Search Tutorial” (i.e., do not complete Parts 1 or 6). Below are abbreviated instructions. In your lab submission document, please provide screen shots as requested in the instructions below. Make screen shots legible by capturing only the active window (e.g., using the Snipping Tool). While working through the instructions below, please follow along in the Splunk Search Tutorial, as it provides more explanation. In other words, have both this document and the Search Tutorial open while completing this lab assignment.

Page 1 of 7
Note: The Search Tutorial (by Splunk) includes instructions for Splunk Enterprise and Splunk Cloud.
Follow instructions for Splunk Cloud, which is the version we are using for this lab.

1. Conduct searches and create a dashboard from the log data of an e-commerce shopping cart (6 pts)

1. “Add Data” by following Part 2, pages 21-24.
   • Note: add data from the file “Tutorialdata.zip” that you obtain from Blackboard (do not unzip the file). Please get the data from Blackboard, since the dates in the dataset change according to the download date; to ensure we are all working with the same dates, it is important to get the data from Blackboard.
1. After completing step 11 of adding the data, take a screen shot of the search results.
   a) Make sure the search string in the search textbox is visible in your screen shot.
2. Question: In your own words, what kind of data is included in this tutorial? (Hint: you can view the raw data by clicking on the ZIP file outside of Splunk and/or you can browse around in Splunk. You can also browse the Search Tutorial document for some explanation. Briefly describe the types of data included.)

__________________________________________________________________________

__________________________________________________________________________

__________________________________________________________________________

3. Follow the instructions in Part 3 of the Search Tutorial to use Splunk Search (p. 25).
   a) Click on Search from the Splunk home page, and type within the Splunk search bar: buttercupgames
      • For results, it is necessary to choose “Last 30 days” as the time range.
   b) Customize the date & time range (p. 33 of the Search Tutorial) with search date 03/28/2018, beginning at time 0:00 through 23:59 (i.e., filtering on 1 full day).
   c) Take a screen shot of the filtered results.
      • You should see approx. 4107 events in the results (Note: if you upload the data multiple times, your results will be different, and that is ok.)
      • Make sure the search criteria (e.g., “buttercupgames”) is shown in the screen shot.
   d) Explore the “interesting fields” and “events” in the search results to familiarize yourself with the data.
4. Follow the instructions in Part 4 of the Search Tutorial to use Splunk Search (p. 32) to learn how to refine your searches of the tutorial data.

   a) Use fields to search the data. Following the tutorial on page 43, click on the ‘action’ field (under “Interesting Fields”) and notice the existing values in that field.
   b) Run a targeted search (pg 46): sourcetype=access_* status=200 action=purchase | top categoryId
      • Notice the use of the wildcard character *
      • Notice the use of “|” (the pipe character) and the sorting in descending order done by the “top” command
      • Browse previous pages in the tutorial as needed in order to understand this query
   c) Take a screen shot of the search results in the Statistics tab
      • Make sure the search criteria is shown in the screen shot.
   d) In the Visualization tab of the search results, display a pie chart of the search results (pg 50 provides an explanation)
   e) Take a screen shot of the search results in the Visualization tab
      • Make sure the search criteria is shown in the screen shot.
   f) Search: sourcetype=access_* status=200 action=purchase clientip=87.194.216.51 | stats count, dc(productId), values(productId) by clientip
      • See p. 54 in the Search Tutorial for an explanation of these commands
   g) Take a screen shot of the search results in the Statistics tab
      • Make sure the search criteria is shown in the screen shot.
      • Make sure that your name (shown in the upper right hand corner of the Splunk window) is shown in the screen shot.
   h) Rhetorical question: what does status=200 mean? Understanding status codes may come in handy later in this homework assignment. FYI, here is a list of HTTP status codes: http://en.wikipedia.org/wiki/List_of_HTTP_status_codes

5. Part 5: As instructed on pg. 57 in the Search Tutorial, obtain a prices.csv.zip data file. Instead of downloading the file from the Splunk web site, download prices.csv.zip from Blackboard.
   a) Continue with the Search Tutorial on pp. 58-65 to do Field Lookups:
      • Continue with the Search Tutorial, (a) uploading the prices.csv file as a lookup table file, (b) defining a lookup, and (c) creating an automatic lookup
   b) Take a screenshot of the new fields you added to Selected Fields (pg. 66, step 11).
      • The fields should be visible in the screen shot.
   c) Run search: sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count AS "Total Purchased", dc(productId) AS "Total Products", values(productName) AS "Product Names" by clientip | rename clientip AS "Premier Customer"
   d) Take a screenshot of the search results.
      • Make sure the search criteria is shown in the screen shot.
      • Make sure that your name (shown in the upper right hand corner of the Splunk window) is shown in the screen shot.
   e) As an FYI, browse Part 6 on creating reports. Do not complete it.
   f) For Part 7, run this search and save it as a dashboard (p. 86): sourcetype=access_* status=200 action=purchase | top categoryId
      • Follow the instructions on Dashboards in Part 7; however, name your dashboard “Top Purchased Products Dashboard by [your name]”, replacing “[your name]” with your actual first and last name.
   g) Take a screenshot of your completed dashboard. (Note: If you had problems with the automatic lookup running correctly, omit the sections of Part 7 that require the ‘product_name’ field.)
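As an added illustration (not part of this lab or of Splunk's tutorial), the Python below reproduces what the searches in steps 4f and 5c compute, over a handful of constructed events and a constructed stand-in for the prices.csv lookup: the stats count / dc / values aggregation by clientip, and the subsearch that first selects the busiest buyer before the outer search aggregates and renames. All field and product values are assumed sample values, not the tutorial's.

```python
from collections import Counter

# Constructed sample of access_* events (not the real tutorialdata.zip); each dict is one
# event carrying the fields the lab's searches use.
EVENTS = [
    {"clientip": "87.194.216.51", "status": 200, "action": "purchase", "productId": "SKU-001"},
    {"clientip": "87.194.216.51", "status": 200, "action": "purchase", "productId": "SKU-002"},
    {"clientip": "87.194.216.51", "status": 200, "action": "purchase", "productId": "SKU-001"},
    {"clientip": "87.194.216.51", "status": 503, "action": "purchase", "productId": "SKU-003"},
    {"clientip": "128.241.220.82", "status": 200, "action": "purchase", "productId": "SKU-003"},
    {"clientip": "128.241.220.82", "status": 200, "action": "addtocart", "productId": "SKU-003"},
]

# Constructed stand-in for the prices.csv lookup table (productId -> productName).
PRICES_LOOKUP = {"SKU-001": "Widget", "SKU-002": "Gadget", "SKU-003": "Gizmo"}

def successful_purchases(events):
    """sourcetype=access_* status=200 action=purchase"""
    return [e for e in events if e["status"] == 200 and e["action"] == "purchase"]

def stats_by_clientip(events, lookup):
    """... | stats count, dc(productId), values(productName) by clientip
    (productName is what the automatic lookup adds to each event from its productId)."""
    rows = {}
    for e in events:
        row = rows.setdefault(e["clientip"], {"count": 0, "ids": set(), "names": set()})
        row["count"] += 1
        row["ids"].add(e["productId"])
        row["names"].add(lookup.get(e["productId"], e["productId"]))
    # values() in Splunk returns the distinct values in sorted order; dc() counts them.
    return {ip: {"count": r["count"], "dc(productId)": len(r["ids"]),
                 "values(productName)": sorted(r["names"])} for ip, r in rows.items()}

def premier_customer(events, lookup):
    """The Part 5 search: the subsearch [search ... | top limit=1 clientip | table clientip]
    picks the single busiest buyer; the outer search aggregates only that buyer's events
    and the rename command relabels the clientip column."""
    base = successful_purchases(events)
    top_ip, _ = Counter(e["clientip"] for e in base).most_common(1)[0]
    stats = stats_by_clientip([e for e in base if e["clientip"] == top_ip], lookup)[top_ip]
    return {"Premier Customer": top_ip, "Total Purchased": stats["count"],
            "Total Products": stats["dc(productId)"], "Product Names": stats["values(productName)"]}
```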

2. Create a Splunk search and dashboard for security monitoring (4 pts)

Create a search

Imagine that you work as a security analyst in the IT department of Buttercup Games. You have been asked to analyze access logs to determine how often there are failed login attempts and to investigate any suspicious activity that may suggest ‘brute force’ login or other hacking attempts.

You often use Splunk to analyze various types of log data, and so decide to use Splunk for this task. Using the tutorial data from the earlier portion of this lab assignment, write the search queries you would use. From a previous investigation, you determined that sshd error codes [5280-5289] are particularly concerning (note that this is a hypothetical scenario).

Construct a search on the security table (sourcetype=secure) that lists all the “Failed password” attempts (hint: this phrase is case sensitive) with a code whose first 3 digits are 528; use a wildcard character for the 4th digit (hint: there is no field name for these codes, so just search on the value). From your search results, determine which host has had this problem occur most often (hint: use the top command that you used above in Part 1 of this lab).

1. Take a screenshot of your search and the results for the above scenario.
   • Make sure the search criteria is shown in the screen shot.
   • Make sure that your name (shown in the upper right hand corner of the Splunk window) is shown in the screen shot.
2. How many failed password attempts with a code between 5280 and 5289 have there been across all hosts? _____________
3. Which “host” experienced the most failed password attempts with one of these error codes? _____________
4. In analyzing only the host “www1”, during what hour of the day do these failed password attempts tend to occur most often? ______________
5. You decide to investigate one particular user a little further. Again, search for events with a “Failed password” and also include the IP address 198.35.1.75 in the search.
6. Take a screenshot of your search and the results for the above scenario.
   • Make sure the search criteria is shown in the screen shot.
   • Make sure that your name (shown in the upper right hand corner of the Splunk window) is shown in the screen shot.
7. If you wanted to further investigate this user’s failed password attempts in order to determine if there is a possible hacking attempt, what else might you analyze from this log data? (You don’t need to do the analysis, just consider the next step that you would take.) ________________

___________________________________________________________________________

___________________________________________________________________________
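As an added illustration (not part of this lab or of Splunk's tutorial), the Python below reproduces the analysis behind steps 1-5 above over a few constructed sourcetype=secure lines: the case-sensitive “Failed password” match, the 528x code filter, the per-host top count, the busiest hour for one host, and the filter on a single source IP. For the sample only, it assumes the lab's hypothetical code is the bracketed number after sshd and that the host name is the token after the timestamp; the hosts, codes and addresses are constructed values.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of sourcetype=secure lines (not the real tutorial data). For the sample,
# the lab's hypothetical code is assumed to be the bracketed number after "sshd".
SECURE_LOG = """\
Mar 28 2018 02:14:09 www1 sshd[5281]: Failed password for invalid user admin from 198.35.1.75 port 4422 ssh2
Mar 28 2018 02:16:31 www1 sshd[5283]: Failed password for root from 198.35.1.75 port 4431 ssh2
Mar 28 2018 02:17:02 www1 sshd[5283]: Failed password for root from 198.35.1.75 port 4432 ssh2
Mar 28 2018 14:05:55 www1 sshd[5288]: Failed password for invalid user guest from 10.2.1.33 port 5120 ssh2
Mar 28 2018 02:20:10 www2 sshd[5280]: Failed password for invalid user test from 86.212.199.60 port 3771 ssh2
Mar 28 2018 09:42:18 www3 sshd[5289]: Failed password for invalid user oracle from 86.212.199.60 port 3790 ssh2
Mar 28 2018 09:44:00 www3 sshd[4747]: Failed password for invalid user oracle from 86.212.199.60 port 3791 ssh2
Mar 28 2018 02:21:44 www2 sshd[5282]: Accepted password for webmaster from 10.2.1.33 port 5001 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<code>\d+)\]: "
                     r"(?P<msg>.*?) from (?P<src_ip>\d+\.\d+\.\d+\.\d+) port \d+")

def parse_events(text):
    """Turn raw lines into events with a parsed _time; lines that do not fit the pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["_time"] = datetime.strptime(e["ts"], "%b %d %Y %H:%M:%S")
            events.append(e)
    return events

def failed_528x(events):
    """sourcetype=secure "Failed password" 528*  -- the phrase match is case sensitive, and the
    code is held to exactly four digits so that only 5280-5289 qualify (a bare 528* wildcard
    would also match a longer value such as 52800)."""
    return [e for e in events if "Failed password" in e["msg"] and re.fullmatch(r"528\d", e["code"])]

def top_host(events):
    """... | top host  ->  (host, count) for the host with the most matching events."""
    return Counter(e["host"] for e in events).most_common(1)[0]

def busiest_hour(events, host):
    """Hour of day (0-23) in which the given host saw the most matching events."""
    return Counter(e["_time"].hour for e in events if e["host"] == host).most_common(1)[0][0]

def failed_from_ip(events, ip):
    """Events with "Failed password" coming from one source address (lab step 5)."""
    return [e for e in events if "Failed password" in e["msg"] and e["src_ip"] == ip]
```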

Create a dashboard

Create a dashboard that you can share with the CISO as part of the company’s effort to continue to
monitor failed login attempts. Note that since your dashboard will be used by a “C-level” (chief)
executive, it must be user friendly, informative at a glance, and presented as some type of graph that
summarizes results.

1. Use a key search you created above, or create a new search for this dashboard.
2. Set a preset date range for your dashboard (e.g., the previous week, or as you prefer).
3. Customize the dashboard title to include your name(s), a very brief descriptive label of what this dashboard shows, and the date range you used.
4. Take a screenshot of your completed dashboard.
   • Make sure that your name (shown in the upper right hand corner of the Splunk window) is shown in the screen shot.
5. Briefly describe why this dashboard would be useful in analyzing failed login attempts.

___________________________________________________________________________

___________________________________________________________________________

3. What is Machine Data?

Read the web page on Machine Data:
http://www.splunk.com/view/machine-data/SP-CAAACDC
(read for your knowledge; no write-up requested here)

Notice the various types of log data that are related to information security (e.g., authentication, firewall, etc.). These log data must be analyzed in order to identify trends and unusual behavior, and/or to investigate specific issues. Splunk can be used for this analysis. Splunk has a separate product, Splunk Enterprise Security, that provides advanced security analytics:

https://www.splunk.com/en_us/products/premium-solutions/splunk-enterprise-security/features.html

Supplemental, optional links

Splunk product overview (3:19m)
http://www.splunk.com/view/SP-CAAAHG6

Education videos
http://www.splunk.com/view/education-videos/SP-CAAAGB6

Hands-on Tutorials (including Search; Data Model and Pivot)
http://docs.splunk.com/Documentation/Splunk

Splunk education (overview of offerings)
http://www.splunk.com/web_assets/pdfs/support/edu/Splunk_Education_Programs.pdf

Virtual classroom:
http://www.splunk.com/view/SP-CAAACDG

Free vs. Enterprise versions:
http://www.splunk.com/view/free-vs-enterprise/SP-CAAAE8W

Instructions for Lab Document Formatting and Submission:

1. Start your homework document as a blank document that only contains your name. Delete my
instructions. However, for any fill-in-the-blank questions, provide the question and answer.

2. Clearly label each software exercise.

3. For Windows host machines, use the Snipping Tool when asked to “Take a screen shot.” (For Mac
machines, use shortcut commands.)

You provide evidence of completing the lab by taking screen shots. Use the Snipping Tool that comes
with Windows (or a similar tool) to take screen shots of the specific window that shows the evidence for
a given step. In other words, do not print the entire computer screen with lots of windows. Instead,
increase visibility of each screen shot by taking shots of the specific relevant screen. Points will be
deducted for hard-to-read screen shots.

4. If there is a portion of an exercise that you are having difficulty completing exactly as the instructions
request, you can make some relevant adjustments as needed. Just provide a brief sentence on what
adjustment you made.

5. If you get screen error messages for some reason and cannot continue with an exercise, take a
screen shot of the error message, and continue on with the lab.

