Class 7 Lab 1 ‐ Creating Alerts - Justin-Boyd/CIT-Class GitHub Wiki
Task 1: Generate Access Logs
Step 1
Start your pfSense machine
Step 2
Start your Ubuntu machine, click Activities, search for the terminal, and open it.
Step 3
Type the command ip address, find your interface card, and write down your IP.
Step 4
Use the command sudo /opt/splunk/bin/splunk start to start the Splunk daemon.
Step 5
Use the command service apache2 start to start Apache2.
Step 6
Open a new tab and browse to localhost
Step 7
Browse to localhost/random and try to access a nonexistent page to generate the 404 HTTP error code and logs.
Step 8
On your Windows 10 machine, open Microsoft Edge.
Step 9
Browse to the IP address of your Ubuntu machine followed by /random (that is, Ubuntu IP/random).
Task 2: Create a Custom 404 Alert
Step 1
In Ubuntu, click the Firefox icon in the panel on the left and browse to 127.0.0.1:8000
Sign in with the username admin and the password Aa123456
Step 2
Click Search & Reporting.
Step 3
Use the query source="/var/log/apache2/access.log", then click the status_code field in the fields sidebar and select the value 404 to add it to your search.
Step 4
Use the query source="/var/log/apache2/access.log" AND status_code=404 to search for the Apache 404 status code.
Step 5
Click Save As at the top right and then select Alert.
Step 6
In the window that appears, configure the alert settings as follows, and then click Save:
Title: Dir.Enum
Alert type: Real-time
Trigger alert when: Number of results
Is greater than: 4
Trigger: For each result
Throttle: Check
Suppress results containing: ip_addr_count
Add Actions: Add to Triggered Alerts
Step 7
Click Continue Editing.
Step 8
Open a new browser from the Windows 10 machine and navigate to the nonexistent Apache page (Ubuntu IP/random) to generate 404 logs. Click the Refresh icon five times to trigger the new alert.
Step 9
Go to Triggered Alerts in the Activity menu and check the results.
Task 3: Windows Security Alert
Step 1
Go to the Windows machine and log out of the user John to create authentication failures to the account. Then intentionally fail to log in by typing an incorrect password. This will create a Windows event log. Do this at least five to seven times to populate logs for Splunk.
Step 2
Go to Search & Reporting and type in the following search to populate logs: source="wineventlog:security"
Step 3
Identify the event ID by using the following: | stats count by EventCode
Step 4
Now that you have the list of EventCodes, what is the Windows event code for authentication failure? Once you have identified the EventID, append the following: | where EventCode=[ID#]
Step 5
The command from step 4 narrows the results to that specific event code. You'll need to add another search parameter that shows an account with more than four failed login attempts. Append the following: | where count > 4
Step 6
Add another user to Windows to test the alert. Open an administrator command prompt and run the following command: net user [username] [password] /add
Step 7
Confirm the new user was created with the command net user
Step 8
Log out of the primary account and fail to log in to the new user account at least four times. This will create Windows event logs that Splunk ingests.
Step 9
Switch to Splunk and update the stats command so it also groups by Account_Name: | stats count by EventCode, Account_Name
Step 10
Create an alert for the Windows failed logon event. Click Save As and select Alert. Input the following:
Title: WIN - Login Fail
Alert type: Real-Time
Trigger alert when: Number of results
Is greater than: 1
Trigger: For each result
Throttle: Check
Suppress results containing: login_failure
Add Actions: Add to Triggered Alerts set to High
Step 11
Save the alert and test it by creating more failed login attempts with the user Jane.
Step 12
Go to Activity and click on Triggered Alerts to make sure everything worked.
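The two alerts built in Task 2 and Task 3 are both "count events per source, fire above a threshold" detections. The following Python script is an added example, not part of the lab or of Splunk, that implements the same logic over constructed sample data: Apache access-log lines counted per client IP for the Dir.Enum alert (more than 4 responses with status 404), and Windows Security events counted per Account_Name for the WIN - Login Fail alert. The IP addresses, usernames and event records are made up for the example; EventCode 4625 is the real Windows ID for a failed logon.

```python
import re
from collections import Counter

# Apache combined log line; this lab's alert only needs the client IP and status.
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

# Constructed sample of /var/log/apache2/access.log: 192.0.2.10 probes for
# nonexistent pages (five 404s), 192.0.2.20 browses normally (one stray 404).
ACCESS_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /random HTTP/1.1" 404 488 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /random HTTP/1.1" 404 488 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "GET /admin HTTP/1.1" 404 488 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:00:04 +0000] "GET /backup HTTP/1.1" 404 488 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /old HTTP/1.1" 404 488 "-" "Mozilla/5.0"
192.0.2.20 - - [01/Jan/2024:10:00:06 +0000] "GET / HTTP/1.1" 200 10918 "-" "Mozilla/5.0"
192.0.2.20 - - [01/Jan/2024:10:00:07 +0000] "GET /missing HTTP/1.1" 404 488 "-" "Mozilla/5.0"
"""

def dir_enum_alerts(log_text, threshold=4):
    """Dir.Enum logic: client IPs with more than `threshold` 404 responses."""
    # Counting per IP (stats count by clientip) keeps 404s from many unrelated
    # visitors from adding up to a false alert.
    hits = Counter()
    for line in log_text.splitlines():
        m = APACHE_RE.match(line)
        if m and m.group("status") == "404":
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n > threshold}

# Constructed Windows Security events shaped like Splunk's wineventlog:security
# fields. EventCode 4625 is "An account failed to log on"; 4624 is a success.
WIN_EVENTS = (
    [{"EventCode": 4625, "Account_Name": "Jane"}] * 5
    + [{"EventCode": 4625, "Account_Name": "John"}] * 2
    + [{"EventCode": 4624, "Account_Name": "John"}]
)

def failed_logon_alerts(events, threshold=4, failed_code=4625):
    """WIN - Login Fail logic: accounts with more than `threshold` failed logons."""
    # Same as `| stats count by EventCode, Account_Name | where count > 4`;
    # without Account_Name, Jane's and John's failures would be merged into one count.
    per_account = Counter(e["Account_Name"] for e in events if e["EventCode"] == failed_code)
    return {acct: n for acct, n in per_account.items() if n > threshold}

if __name__ == "__main__":
    print(dir_enum_alerts(ACCESS_LOG))      # {'192.0.2.10': 5}
    print(failed_logon_alerts(WIN_EVENTS))  # {'Jane': 5}
```

In a real 4625 event Splunk extracts Account_Name as a multivalue field (the subject account and the target account), so when grouping in Splunk check which value your stats command is keying on.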