Understanding Splunk - KVNuhman/cybersecurity-tools GitHub Wiki

Intro into Splunk

  1. What is splunk ? Splunk's software can be used to examine, monitor, and search for machinegenerated big data through a browser-like interface.

image

  1. Using splunk web Splunk web is pre configured environment, there are three pre defined roles in splunk enterprise a. Admin - Full access b. Power - It will perform real time searches. c. User - user can access own knowledge object.

image

  1. Using search Search option is used to search the incident log with time span. Limiting a search by time is a key to faster result and is a best practice. E.g. We can look for apps that have been installed by searching install in the search bar.

image

  1. Exploring Events If we search the objects in filters by default the event will turn the list, filtered keyword would be highlighted and we can examine the logs with timespan.

image

  1. Using search term In filters we can use terms of keywords. E.g. fail*, failed, FAILURE image

Search terms are not case sensitive and Booleans also we can use Boolean operations have an order of evaluation a. NOT b. OR c. AND Note: parenthesis () should be used.

image

User can customize the filter as per the requirements.

  1. What are commands? Search splunk language contain 5 component’s a. search term - Foundation of search query. b. commands - Commands is used to customize the log as per the need like charts, statistics and formatting. c. functions - How we need to display the charts and evaluate the results. d. arguments - It is the variables which we want to apply in the functions. e. clauses - It will group the result as per the requirement.

image

  1. What are knowledge objects? It is tools that help you discover and analyse the data, will be grouped in 5 categories . a.Data Interpretation b.Data classifications c.Data Enrichment d.Data Normalisation e.Data Model Knowleage object is use full for several reasons it can be create by one user and share with other user with permission granted. It is powerful tool for your deployment Data Interpretation - Fields

image

image

  1. Creating Reports Customize the report using visualization trick and statistics charts

image

  1. Creating Dashboards Creating new dashboard for User

image

  1. Dashboard Studio Classic Dashboard

image

image