• Reports in splunk: For automating repetitive searches
• Report can be run on a schedule

Creating example report for the search "all ports used in network connections"

Description: Using the network-server host which contains all the network logs. The result is piped to the stats command to count all ports and the sort command sorts in reverse with the hyphen switch.

Creating the actual report

Description: Using save as option in splunk, search can be saved as a report, a dashboard or an alert

Description: After a report is created permissions can be set to limit access. One of the three main RBAC Role Based Access Control that splunk uses can be set, either private to limit access to the owner of the report or give access to the splunk app instance or allow access outside the app.

Study Guide: TryHackMe Soc2 Dashboards and Reports

• Splunk dashboards: For visualising findings in data

Creating example dashboard for User connection via VPN

After a regular search, save as option in splunk is used to save the search as a report, this starts the creation of a report.

Description: Adding in data via the Add Panel option in splunk

Description: A bar chart representation of the data in the dashboard

Description: Under dashboard tab are all saved dashboards and permission if needed can be set

Study Guide: TryHackMe Soc2 Dashboards and Reports

Creating an APP

Description: Under App settings, used the create app option to complete a simple app

Default App directory is appended to splunk-installed-dir/etc/apps/"customApp".

App Configuration files

• inputs.conf: To specify log source
• props.conf: To specify the processing option to apply before indexing
• transforms.conf: To extract custom fields
• indexes.conf: To specify fields/variables to index in the data

Event Boundaries

/using a sample VPN_LOGS

Description: Splunk isn't breaking the end of events by default.

Description: Used props.conf and REGEX expression to break the events

Masking sensitive Data

Using sample purchase log

Description: In these events credit card details are exposed

Description: In props.conf, used REGEX to replace part or the credit card details

Extracting Custom Fields

Description: First the REGEX to use to extract interested fields

Description: Then in transforms.conf, applied the regex and defined field names

Description: In props.conf, included the tranforms to be processed before indexing

Description: In index.conf, specified the field names to be indexed

Description: The extracted fields purchaser_username, card_details

Description: inputs.conf