darias08/SIEM-Tool-Splunk-Project
SIEM-Tool: Splunk Project

Description

In this project, I will be using a cybersecurity SIEM tool called Splunk. Splunk is a powerful software tool used to monitor and troubleshoot a variety of systems. I will be doing a variety of tasks in Splunk, such as uploading a file or data into Splunk, performing a basic search, evaluating the fields, narrowing my findings, searching for failed logins for root, and evaluating the search results.

Scenario

You are a security analyst working at the e-commerce store Buttercup Games. You've been tasked with identifying whether there are any possible security issues with the mail server. To do so, you must explore any failed SSH logins for the root account.

Project Walkthrough:

The first step is to upload the Buttercup Games data into Splunk. On the dashboard, I go to Settings > Add Data > Upload files from my computer and select the buttercup games.zip file. Then I click Next once it is uploaded.

image

The second step is to configure the Host section and set the segment number to 1. Then click Review.

image


Lastly, make sure that everything is set and ready to be submitted.

image


This is the final result once the file is uploaded and complete.

image


Now that it is uploaded, I can perform a basic search on this data. Searching index=main returns all the events in the main index, and selecting All Time on the right side searches the entire time range of the data.

image


I am tasked with finding any possible security issues within the mail server. To do this I can narrow my search with index=main host=mailsv, which limits the results to events from the mail server. As you can see in the highlighted yellow, the results now list only the mail server host.

image



Now that I have narrowed my search results to events generated by the mail server, I need to narrow the search further to any failed SSH logins for the root account. To do this I can enter index=main host=mailsv fail* root. The trailing * in fail* is a wildcard that matches terms beginning with fail (i.e. failure, failed, etc.). As you can see, there have been multiple failed login attempts for root on the mail server. This can mean someone is trying to gain access to the mail server, which is a possible security issue.

image
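To show what the search above is actually doing, here is an added example (not part of the original project and not Splunk code) that replays the same narrowing steps in plain Python: filter on host, require every search term to match with Splunk-style prefix wildcards, then count the failed root logins per source address. The log lines are constructed for the example, not taken from the Buttercup Games dataset.

```python
import re
from collections import Counter

# Constructed sample events as (host, raw event text); not real Buttercup Games data.
SAMPLE_EVENTS = [
    ("mailsv", "Mar 10 02:13:44 mailsv sshd[1234]: Failed password for root from 10.0.0.5 port 4422 ssh2"),
    ("mailsv", "Mar 10 02:13:46 mailsv sshd[1234]: Failed password for root from 10.0.0.5 port 4423 ssh2"),
    ("mailsv", "Mar 10 02:14:01 mailsv sshd[1240]: Accepted password for admin from 192.168.1.10 port 5100 ssh2"),
    ("mailsv", "Mar 10 02:15:09 mailsv sshd[1251]: pam_unix(sshd:auth): authentication failure; user=root rhost=10.0.0.7"),
    ("www1",   "Mar 10 02:15:30 www1 sshd[877]: Failed password for root from 10.0.0.9 port 6001 ssh2"),
    ("mailsv", "Mar 10 02:16:12 mailsv sshd[1260]: Failed password for ops from 10.0.0.5 port 4430 ssh2"),
]

def tokenize(raw):
    # Splunk indexes events as lowercase terms; punctuation such as '=' and ':' splits terms.
    return re.findall(r"[a-z0-9_.]+", raw.lower())

def term_matches(term, tokens):
    # A trailing '*' is a prefix wildcard (fail* -> failed, failure); otherwise exact term match.
    term = term.lower()
    if term.endswith("*"):
        prefix = term[:-1]
        return any(tok.startswith(prefix) for tok in tokens)
    return term in tokens

def search(events, host=None, terms=()):
    # Equivalent of: index=main host=<host> <term1> <term2> ... (terms are implicitly ANDed)
    hits = []
    for evt_host, raw in events:
        if host is not None and evt_host != host:
            continue
        tokens = tokenize(raw)
        if all(term_matches(t, tokens) for t in terms):
            hits.append((evt_host, raw))
    return hits

def failed_root_by_source(events, host="mailsv"):
    # Equivalent of: index=main host=mailsv fail* root | stats count by src_ip
    counts = Counter()
    for _, raw in search(events, host=host, terms=("fail*", "root")):
        m = re.search(r"(?:from|rhost=)\s*(\d+\.\d+\.\d+\.\d+)", raw)
        counts[m.group(1) if m else "unknown"] += 1
    return counts

if __name__ == "__main__":
    for src, n in failed_root_by_source(SAMPLE_EVENTS).most_common():
        print(f"{src}: {n} failed root login(s)")
```

Grouping by source address is the natural next step after the page's search, since a single address repeatedly failing against root is the pattern an analyst would escalate.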


