Lab) Splunk Investigation 2 Solution

Question 1

Lab) Splunk Investigation 2 Solution

Answer 1

In the lab scenario on the Instructions page we’re told to scope this investigation to fortigate_utm logs only. We are also told to search for two strings, our website name “imreallynotbatman.com”, and “vulnerability” to help identify if our site is being scanned by an attacker.

To get Splunk ready, we’ll open a Terminal using the icon on the bottom toolbar and enter in the following command: sudo systemctl start Splunkd. After a minute we’ll open Firefox and visit 127.0.0.1:8000. Next we’ll click on the ‘Search & Reporting’ app on the left-hand side of the Splunk homepage.

We need to make sure we can see all of the logs as they were generated back in 2020. To do this we’ll click on the timeframe selector on the far right and select OTHER > All time on the right.

Whenever we conduct a search we want to start the query with index=”botsv1” to ensure we are loading the right data.

We’re ready to get started with the lab questions!

Question 2

Q1

Answer 2

Question 1 - What is the name of the web vulnerability scanner that is being used?

There is a wide range of ways we can approach this investigation, as we are not provided with the pre-written search queries in this lab. Let’s assume we’re not familiar with Splunk, so we can’t just write a perfect search to find this information instantly. Let’s go step-by-step and build up our query!

First, we want to find events with the sourcetype fortiguate_utm, so we’ll turn Event Sampling to 1:100 (as we don’t want to search through every single log just to retrieve the sourcetype) and run a search for index=”botsv1”.

Question 3

Q1 contd

Answer 3

On the left-hand panel, we’ll see ‘sourcetype’ under the ‘SELECTED FIELDS’ heading. After clicking on sourcetype we can see fortigate_utm is listed. Clicking on this will add that filter to our search query.

Question 4

Q1 contd

Answer 4

Our search query is now index=”botsv1” sourcetype=fortigate_utm. Let’s turn Event Sampling off (No Event Sampling) and wait for the search to finish.

Next we’re looking for a field that will hold the domain we’re looking for, imreallynotbatman.com. Scrolling down the Interesting Fields we find ‘url_domain’, and clicking on it shows the domain we’re interested in. We can click the value to add it to our search.

Question 5

Q1 contd

Answer 5

Our search query is now index=”botsv1” sourcetype=fortigate_utm url_domain=”imreallynotbatman.com”. The final part the scenario told us about is including the string ‘vulnerability’. We can add this by simply writing vulnerability at the end of our search query, giving us a final query of index=”botsv1” sourcetype=fortigate_utm url_domain=”imreallynotbatman.com” vulnerability.

Going back to the question now that our query is built, looking at the Event Details panel we can see that the text ‘vulnerability’ is highlighted, showing us that two fields in these logs, ‘attack’ and ‘msg’ inform us that the traffic is being generated by the Acunetix Web Vulnerability Scanner.

Question 6

Q2

Answer 6

Question 2 - What is the source IP of the vulnerability scanner, and therefore the attacker?

Looking at the events our search has found, we can see that the field ‘srcip’ is being used by this log to hold the source IP address value.

Question 7

Q3

Answer 7

Question 3 - What is the destination IP? (the internal address for our web server)

Looking at the events our search has found, we can see that the field ‘dstip’ is being used by the log to hold the destination IP address value.

Question 8

Q4

Answer 8

Question 4 - Fortigate UTM provides enrichment, and can tell us the source IP country based on a lookup. What country is the scanning IP associated with?

Looking at the events our search has found, we can see that the field ‘srccountry’ is being used by this log to hold the source IP address country value.

Question 9

Q5

Answer 9

Question 5 - What is the timestamp in the first Fortigate UTM log referencing the vulnerability scan, on 8/10/16, in the format HH:MM:SS? (Use the log timestamp, not the Time column next to the event)

Keeping the same search query, we want to sort these events based on the ‘time’ field within the logs. To do this, we’ll use the ‘sort’ functionality in our query. All we need to do is add | sort _time asc to the end of our search, which will sort all the events in time ascending order, putting the first events at the top.