TRAINING GUIDE SPLUNK


Page 1: RQP3 Training Guide | Splunk · should login to the Splunk instance. Mentors should be supporting this to ensure successful logins. Add any humor you have here if needed, we all know

TRAINING GUIDE | SPLUNK

Page 2: RQP3 Training Guide | Splunk

TABLE OF CONTENTS

R E L I A Q U E S T U N I V E R S I T Y

Splunk ... 2
  Introduction/Agenda ... 2
  Architecture Overview ... 3
  Navigating ES ... 4
  Intro to SPL ... 5
  Sourcetypes & Indexes ... 6
  Efficient Searching ... 7
  Table Command ... 8
  Stats Command ... 9
  Rename Command ... 10
  Eval Command ... 11
  Alerting/Lab ... 12
  Course Wrap-Up ... 13
Hands-On Lab ... 14
  A day in the life of an RQ Analyst ... 14
Splunk Advanced ... 17
  Introduction/Agenda ... 17
  IR Investigation ... 18
  Rule Tuning ... 19
  Threat Management ... 20
  Course Wrap-up ... 21
Advanced Lab Scenario Answers ... 22
  IR Investigation Scenario: PSExec Pivoting ... 22
  Rule Tuning Scenario: Port Scan ... 22
  Threat Management Scenario: Suspicious File Downloaded from High Risk Categorized Site ... 23

Page 3: RQP3 Training Guide | Splunk


Splunk (9am to 12pm)

Segment Title          Start Time   End Time   Segment Length
Introduction/Agenda    9:00am       9:10am     10 minutes
Architecture           9:10am       9:20am     10 minutes
Navigating ES          9:20am       9:30am     10 minutes
Intro to SPL           9:30am       9:45am     15 minutes
Sourcetypes & Indexes  9:45am       9:55am     10 minutes
Efficient Searching    9:55am       10:05am    10 minutes
Table Command          10:05am      10:15am    10 minutes
Stats Command          10:15am      10:25am    10 minutes
Rename Command         10:25am      10:35am    10 minutes
Eval Command           10:35am      10:45am    10 minutes
Alerting/Labs          10:45am      11:30am    45 minutes
Course End             11:30am      12:00pm    30 minutes

Splunk Advanced (1pm to 4pm)

Segment Title          Start Time   End Time   Segment Length
Introduction/Agenda    1:00pm       1:10pm     10 minutes
IR Investigation       1:10pm       2:00pm     50 minutes
Rule Tuning            2:00pm       2:50pm     50 minutes
Threat Management      2:50pm       3:40pm     50 minutes
Course End             3:40pm       4:00pm     20 minutes

Page 4: RQP3 Training Guide | Splunk


Splunk

Topic: Introductions

Start Time: 9:00 AM

End Time: 9:10 AM

Length: 10 minutes

Objectives

• Participants will be introduced to the course and trainer/mentors.

• Participants will learn the focus of the course.

• Participants will be encouraged to ask questions throughout the course.

Introductions/Agenda

In-Class Participant Questions
• What are the different types of roles joining us today?
• Does everyone know that we have an rqBAR that can be leveraged for more information and in-depth Q/A for anything not covered?

Slide notes (#, Slide Objective, RQ Demo)

Slide 1
Slide Objective: Welcome the participants to the course and introduce the mentors. Explain that each mentor will be managing a section of the room.
RQ Demo: Give the history of each person in the room and explain how important it is for RQ and our partners to learn together.

Slide 2
Slide Objective: This is the time when the participants should log in to the Splunk instance. Mentors should be supporting this to ensure successful logins.
RQ Demo: Add any humor you have here if needed; we all know that logging in can be a process.

Slide 3
Slide Objective: Briefly cover the topics and the aim of the course. Explain that the hands-on labs will reinforce the skills learned throughout the course. Also explain that these portions of the course are guided click-throughs, so be sure to invite the participants to join you as you click through the sections.
RQ Demo: If needed, use your judgement.

Page 5: RQP3 Training Guide | Splunk


Splunk

Topic: Architecture

Start Time: 9:10 AM

End Time: 9:20 AM

Length: 10 minutes

Objectives

• Participants will gain an understanding of the Splunk components.

• Participants will gain an understanding of the data pipeline.

• Participants will engage in a discussion around the importance of a properly setup environment.

Architecture Overview

In-Class Participant Questions
• How does Splunk differ from SIEMs like QRadar and LogRhythm?
• What is a capability difference between a Heavy Forwarder and a Universal Forwarder?
• In what order does the data flow within the pipeline?

Slide notes (#, Slide Objective, RQ Demo)

Slide 4
Slide Objective: Cover the data pipeline sequence at a high level. Review parsing and inputs, and how Splunk differs from other SIEM technologies.
RQ Demo: Share a story of what it was like for you to learn the Splunk architecture.

Slide 5
Slide Objective: Cover how data flows within a Splunk environment and the importance of understanding the flow of data.
RQ Demo: As needed.

Slide 6
Slide Objective: Explain how the Splunk components are linked and how information passes through each of them along the data pipeline.
RQ Demo: As needed.

Page 6: RQP3 Training Guide | Splunk


Splunk

Topic: Navigation

Start Time: 9:20 AM

End Time: 9:30 AM

Length: 10 minutes

Objectives

• Participants will gain an understanding of the tool’s GUI layout.

• Participants will gain an understanding of ES’ options to narrow down searches.

• Participants will gain an understanding of the search results Splunk displays.

Navigating ES

In-Class Participant Questions
• How many people have the ES add-on?
• How does Splunk's search results page differ from other SIEM tools?
• Which part of the results page is most beneficial to you and why?

Slide notes (#, Slide Objective, RQ Demo)

Slide 7
Slide Objective: This slide is used to transition the class into the topic of navigating Enterprise Security.
RQ Demo: As needed.

Slide 8
Slide Objective: Cover the use of the search bar, the time range picker and the search mode selector (Fast, Smart, Verbose), and when to choose each time range and mode.
RQ Demo: As needed.

Slide 9
Slide Objective: Cover the Events, Statistics and Visualization tabs and the ways in which each should be used.
RQ Demo: Share how different roles can leverage this page.

Slide 10
Slide Objective: Cover and explain the breakdown of the search results page.
RQ Demo: Share which parts of the results page are most beneficial to you and why.

Page 7: RQP3 Training Guide | Splunk


Splunk

Topic: Intro to SPL

Start Time: 9:30 AM

End Time: 9:45 AM

Length: 15 minutes

Objectives

• Participants will gain an understanding of SPL and its uses.

• Participants will learn about indexes and sourcetypes.

• Participants will gain an understanding of the SPL command structure and syntax.

Intro to SPL

In-Class Participant Questions
• What other programming language does Splunk mimic?
• What are some of the benefits of learning search strings instead of relying on point-and-click features?
• How difficult is it for you and your team to learn the language?

Slide notes (#, Slide Objective, RQ Demo)

Slide 11
Slide Objective: Use this slide to introduce SPL, how it can be used effectively and how a team can leverage SPL to shorten search time.
RQ Demo: Explain some of your struggles getting used to SPL.

Slide 12
Slide Objective: Explain the difference between indexes and sourcetypes and the importance of understanding how to leverage each.
RQ Demo: Share from your experience why understanding the difference helped you learn the tool.

Slide 13
Slide Objective: Explain the structure and syntax of SPL.
RQ Demo: Share a story on how you adjusted to Splunk's syntax.

Page 8: RQP3 Training Guide | Splunk

Splunk

Sourcetypes & Indexes

Topic: Indexes & Sourcetypes
Start Time: 9:45 AM
End Time: 9:55 AM
Length: 10 minutes

Objectives
• Participants will practice using SPL to retrieve data on sourcetypes and indexes.
• Participants will gain an understanding of the CAM methodology.
• Participants will demonstrate searching and navigating the tool.

In-Class Participant Questions
• What type of data is held in sourcetypes?
• What is the difference between sourcetypes and indexes?
• How should we leverage these two sets of data?

Slide notes (#, Slide Objective, RQ Demo)

Slide 14
Slide Objective: This slide should be used to transition the class focus to using SPL to work with sourcetypes.
RQ Demo: Share a story that showcases the importance of sourcetypes.

Slide 15
Slide Objective: Have the class practice the SPL command and explain its purpose.
RQ Demo: As needed.

Slide 16
Slide Objective: This slide should be used to transition the class focus to using SPL to work with indexes.
RQ Demo: Share a story that showcases the importance of indexes. Humor helps.

Slide 17
Slide Objective: Have the class practice the SPL command and explain its purpose.
RQ Demo: As needed.

Slide 18
Slide Objective: Have the class practice the SPL command and explain its purpose.
RQ Demo: As needed.
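A worked example for this segment, added here as editor's material (it is not part of the original guide or RQ's course content). The three searches use only built-in Splunk commands and assume nothing about the customer's data beyond the user's role being allowed to read index=*. The first lists every visible index with its event count; the second lists the ten busiest sourcetypes with first and last event times, which is also the search hands-on lab question 2 asks for; the third shows which sourcetypes live in which index over the last 24 hours using tstats, which reads index-time metadata instead of raw events and so stays fast on large environments. All three follow the pipeline shape introduced in the Intro to SPL segment: a generating or filtering search first, then transforming commands separated by pipes.

```spl
| eventcount summarize=false index=*
| stats sum(count) AS events BY index
| sort -events

| metadata type=sourcetypes index=*
| sort -totalCount
| head 10
| eval firstTime=strftime(firstTime, "%F %T"), lastTime=strftime(lastTime, "%F %T")
| table sourcetype, totalCount, firstTime, lastTime

| tstats count WHERE index=* earliest=-24h BY index, sourcetype
| sort -count
```

Run each search on its own. Two caveats worth telling the class: index=* does not match the internal indexes (add index=_* if you want them), and the metadata command reports bucket-level totals, which can lag for the hot bucket, so for an exact count over a time range use the tstats form with BY sourcetype.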

Page 9: RQP3 Training Guide | Splunk


Splunk

Topic: Efficient Searching

Start Time: 9:55 AM

End Time: 10:05 AM

Length: 10 minutes

Objectives

• Participants will gain an understanding of the tool’s GUI layout.

• Participants will practice using the search capability.

• Participants will gain an understanding of the CAM methodology.

• Participants will demonstrate searching and navigating the tool.

Efficient Searching

In-Class Participant Questions
• What other tricks have you all found while using Splunk when it comes to searching?
• Which of these tips do you currently use most frequently?
• What mistakes have you made while searching? What was the outcome and solution?

Slide notes (#, Slide Objective, RQ Demo)

Slide 19
Slide Objective: This slide should be used to transition the class focus to understanding the syntax nuances of Splunk (keywords, fields, wildcards, etc.).
RQ Demo: Share a story of inefficient searching and its impact.

Slide 20
Slide Objective: Cover how keywords and quoted phrases affect the searches participants write.
RQ Demo: Add in an example.

Slide 21
Slide Objective: Cover how fields and wildcards affect the searches participants write.
RQ Demo: Add in an example.

Slide 22
Slide Objective: Cover how comparisons and booleans affect the searches participants write.
RQ Demo: Add in an example.
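The slides above ask the instructor to "add in an example"; the one below is added here by the editor and is not from the original guide. Index names (proxy), the sourcetype, the example.net domain and the 192.0.2.10 address are placeholders, and field names are assumed to follow CIM naming. The first search is the anti-pattern: a bare * pulls every event the user can see from every index, the filtering happens in search commands after the pipe where the indexers cannot use their term index, and only then is the output narrowed. The second search puts index, sourcetype and time window up front so the indexers discard most buckets before reading them, uses a keyword-style field match (user=crusher resolves to the indexed term crusher), keeps the leading-wildcard match on url last because a leading wildcard cannot use the index and forces a scan of whatever survived the other filters, combines a numeric comparison, OR and NOT in one clause, and uses fields before table so only the needed fields leave the indexers. The third search shows TERM(), which matches an IP address as a single indexed token and is much faster than a search-time field comparison when the IP is bounded by major breakers (spaces, commas, brackets) in the raw event.

```spl
* | search user=crusher | search url=*example.net* | table _time, src_ip, url

index=proxy sourcetype="bluecoat:proxysg" earliest=-24h@h latest=now user=crusher url="*example.net*"
    (status>=400 OR http_method=POST) NOT src_ip="192.0.2.10"
| fields _time, src_ip, url, status, http_method
| table _time, src_ip, url, status, http_method

index=proxy sourcetype="bluecoat:proxysg" earliest=-24h@h TERM(192.0.2.10)
| stats count BY src_ip, dest_ip
```

A useful classroom check is to run the first and second searches over the same window and compare the Job Inspector: the scanCount of the first search is the number of events Splunk had to read to answer it.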

Page 10: RQP3 Training Guide | Splunk


Splunk

Topic: Table Command

Start Time: 10:05 AM

End Time: 10:15 AM

Length: 10 minutes

Objectives

• Participants will gain an understanding of the Table Command structure and syntax.

• Participants will gain an understanding of the pros/cons.

• Participants will demonstrate using the table command.

Table Command

In-Class Participant Questions
• Who here leverages the table command on a frequent basis? Why?
• What are some of the benefits of this command?
• What are some disadvantages of using the table command?

Slide notes (#, Slide Objective, RQ Demo)

Slide 23
Slide Objective: This slide should be used to transition the class focus to using the table command in SPL.
RQ Demo: Share a story of using the table command.

Slide 24
Slide Objective: Explain the syntax and structure of a table command query and the benefits and disadvantages of this command.
RQ Demo: Share a story of how this was used effectively and the outcome.

Slide 25
Slide Objective: Have the participants practice the table command from the slide in their own environments.
RQ Demo: Explain your experience using this type of command.
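An editor-added example of the pros and cons the slide asks the instructor to cover (not from the original guide; the proxy index, sourcetype and field names are assumptions). The benefit of table is that it gives you exactly the columns you want, in the order you want them, ready for a ticket or an export. The cost is that it is a transforming command: it discards every field it is not given, including _raw, so nothing after it can use those fields, and it runs on the search head rather than on the indexers. The idiom is therefore to call fields early (it is distributable and cuts what the indexers send back) and table last. The dedup with sortby keeps the most recent event per destination and URL, and head bounds the output.

```spl
index=proxy sourcetype="bluecoat:proxysg" earliest=-7d user=crusher
| fields _time, user, src_ip, dest_ip, http_method, status, url, bytes_out
| dedup dest_ip url sortby -_time
| head 100
| table _time, user, src_ip, dest_ip, http_method, status, url, bytes_out
```

To show the class the failure mode, move the table command to the line directly after the base search and add a where bytes_out > 1000000 after it: the where still works because bytes_out is in the table, but a where on any field that was dropped returns nothing without an error.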

Page 11: RQP3 Training Guide | Splunk


Splunk

Stats Command

Topic: Stats Command
Start Time: 10:15 AM
End Time: 10:25 AM
Length: 10 minutes

Objectives
• Participants will gain an understanding of the Stats Command structure and syntax.
• Participants will gain an understanding of the pros/cons.
• Participants will demonstrate using the stats command.

In-Class Participant Questions
• How has this command helped you within your team?
• What are some pros/cons of this command?
• Share an experience of when this command helped you and/or the team.

Slide notes (#, Slide Objective, RQ Demo)

Slide 26
Slide Objective: This slide should be used to transition the class focus to using the stats command in SPL.
RQ Demo: Share a story of using the stats command.

Slide 27
Slide Objective: Explain the syntax and structure of a stats command query and the benefits and disadvantages of this command.
RQ Demo: Share a story of how this was used effectively and the outcome.

Slide 28
Slide Objective: Have the participants practice the stats command from the slide in their own environments.
RQ Demo: Explain your experience using this type of command.
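An editor-added stats example (not from the original guide). It assumes Windows Security events in an index named wineventlog with the src_ip and user fields the Splunk Add-on for Microsoft Windows extracts. The search finds password-spray style activity: one source failing logons against many accounts. It shows the aggregation functions an analyst reaches for most (count, dc, values, min and max of _time), a BY clause that produces one row per source, a where on the aggregated fields, and a second eval pass to turn the epoch timestamps into readable ones only after the arithmetic on them is done.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625 earliest=-24h
| stats count AS failures, dc(user) AS unique_users, values(user) AS users,
        min(_time) AS first_seen, max(_time) AS last_seen BY src_ip
| where failures >= 20 AND unique_users >= 5
| eval duration_min=round((last_seen - first_seen) / 60, 1)
| eval first_seen=strftime(first_seen, "%F %T"), last_seen=strftime(last_seen, "%F %T")
| sort -failures
```

Pros to call out: stats is distributable, so the indexers do most of the work and only per-group partial results cross the network. Cons: the raw events are gone after it (pivot back with a second search on the interesting src_ip), and values() and list() are capped at 100 entries per cell by default, so for a source that sprayed 300 accounts the users column is incomplete while unique_users is still correct.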

Page 12: RQP3 Training Guide | Splunk

Splunk

Rename Command

Topic: Rename Command
Start Time: 10:25 AM
End Time: 10:35 AM
Length: 10 minutes

Objectives
• Participants will gain an understanding of the Rename Command structure and syntax.
• Participants will gain an understanding of the pros/cons.
• Participants will demonstrate using the rename command.

In-Class Participant Questions
• How has this command helped you within your team?
• What are some pros/cons of this command?
• How have you leveraged this command for an IR investigation?
• What other commands could you use with the rename command?

Slide notes (#, Slide Objective, RQ Demo)

Slide 29
Slide Objective: This slide should be used to transition the class focus to using the rename command in SPL.
RQ Demo: Share a story of using the rename command.

Slide 30
Slide Objective: Explain the syntax and structure of a rename command query and the benefits and disadvantages of this command.
RQ Demo: Share a story of how this was used effectively and the outcome.

Slide 31
Slide Objective: Have the participants practice the rename command from the slide in their own environments.
RQ Demo: Explain your experience using this type of command.
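An editor-added rename example (not from the original guide). It assumes the CIM Network_Traffic data model is accelerated in the customer's ES. The search shows the two jobs rename does in practice: the wildcard form strips the data model prefix so the rest of the search can use short field names, and the final rename turns those names into report headings (names containing spaces must be quoted). The caveat to stress is that rename takes effect at its position in the pipeline, so every command after it must use the new name; that is why the display rename comes last, after sort and where have finished with the short names.

```spl
| tstats summariesonly=true count FROM datamodel=Network_Traffic
    WHERE Network_Traffic.action=blocked earliest=-24h
    BY Network_Traffic.src, Network_Traffic.dest, Network_Traffic.dest_port
| rename Network_Traffic.* AS *
| stats dc(dest_port) AS unique_ports, sum(count) AS blocked_connections BY src, dest
| where unique_ports >= 20
| sort -unique_ports
| rename src AS "Scanning Host", dest AS "Target Host",
         unique_ports AS "Unique Ports", blocked_connections AS "Blocked Connections"
```

If the class moves the last rename above the where, the search returns no rows and no error, because unique_ports no longer exists at that point; that is the most common rename mistake in production correlation searches.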

Page 13: RQP3 Training Guide | Splunk

Splunk

Eval Command

Topic: Eval Command
Start Time: 10:35 AM
End Time: 10:45 AM
Length: 10 minutes

Objectives
• Participants will gain an understanding of the Eval Command structure and syntax.
• Participants will gain an understanding of the pros/cons.
• Participants will demonstrate using the eval command.

In-Class Participant Questions
• How has this command helped you within your team?
• What are some pros/cons of this command?
• Ask if they have any additional questions on the labs.
• Remind them that the rqBAR is available for more specific and in-depth needs/questions they may have.

Slide notes (#, Slide Objective, RQ Demo)

Slide 32
Slide Objective: This slide should be used to transition the class focus to using the eval command in SPL.
RQ Demo: Share a story of using the eval command.

Slide 33
Slide Objective: Explain the syntax and structure of an eval command query and the benefits and disadvantages of this command.
RQ Demo: Share a story of how this was used effectively and the outcome.

Slide 34
Slide Objective: Have the participants practice the eval command from the slide in their own environments.
RQ Demo: Explain your experience using this type of command.
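An editor-added eval example (not from the original guide). It assumes firewall traffic logs in an index named firewall with src_ip, dest_ip and bytes_out fields, and that the three RFC 1918 ranges are the customer's internal space. Eval works one event at a time and creates or overwrites fields; the example chains the functions analysts use most (cidrmatch, if, case, coalesce, round, strftime, tonumber), then hands the derived fields to stats to find internal hosts sending large after-hours outbound transfers.

```spl
index=firewall sourcetype="pan:traffic" earliest=-24h
| eval src_internal=if(cidrmatch("10.0.0.0/8", src_ip) OR cidrmatch("172.16.0.0/12", src_ip) OR cidrmatch("192.168.0.0/16", src_ip), 1, 0)
| eval dest_internal=if(cidrmatch("10.0.0.0/8", dest_ip) OR cidrmatch("172.16.0.0/12", dest_ip) OR cidrmatch("192.168.0.0/16", dest_ip), 1, 0)
| eval direction=case(src_internal=1 AND dest_internal=0, "outbound",
                      src_internal=0 AND dest_internal=1, "inbound",
                      src_internal=1 AND dest_internal=1, "internal",
                      true(), "external")
| eval mb_out=round(coalesce(bytes_out, 0) / 1024 / 1024, 2)
| eval hour=tonumber(strftime(_time, "%H"))
| eval after_hours=if(hour < 7 OR hour >= 19, "yes", "no")
| stats sum(mb_out) AS mb_out, count AS sessions, dc(dest_ip) AS unique_dests BY direction, after_hours, src_ip
| where direction="outbound" AND after_hours="yes" AND mb_out >= 500
| sort -mb_out
```

Two points for the class: boolean functions such as cidrmatch cannot be assigned to a field directly and must sit inside if() or case(), and strftime renders _time in the searching user's configured time zone, so "after hours" means the analyst's hours, not the customer's, unless the user preference is set accordingly.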

Page 14: RQP3 Training Guide | Splunk

Splunk

Alerting/Lab

Topic: Alerting/Lab
Start Time: 10:45 AM
End Time: 11:30 AM
Length: 45 minutes

Objectives
• Participants will gain an understanding of Splunk's event correlation approach.
• Participants will gain an understanding of the Notable Event fields and data.
• Participants will gain an understanding of efficient correlation search strings.

In-Class Participant Questions
• How does your team leverage the Incident Review dashboard?
• Who here has experience building correlation search strings?

Slide notes (#, Slide Objective, RQ Demo)

Slide 35
Slide Objective: This slide should be used to transition the class focus to how Splunk uses correlation search strings to alert companies with Notable Events.
RQ Demo: Share a story of how Splunk alerting has impacted your work with our partners.

Slide 36
Slide Objective: Explain how to navigate to the Incident Review dashboard. Explain some of the benefits of having the Enterprise Security add-on for alerts.
RQ Demo: Explain your experience of how clients normally leverage this area of Splunk.

Slide 37
Slide Objective: Explain the menus and the different portions of the Incident Review landing page.
RQ Demo: Share what it was like prior to ES being a common add-on.

Slide 38
Slide Objective: Explain the breakdown and details of each segment of a Notable Event, and how and when a user would, could and should pivot on specific information found there.
RQ Demo: Explain how we at RQ leverage this section in Splunk.

Slide 39
Slide Objective: Have the participants start the hands-on labs and ask the mentors to be supportive throughout this section.
RQ Demo: As needed.

Page 15: RQP3 Training Guide | Splunk

Splunk

Course Wrap-Up

Topic: Course Wrap-Up
Start Time: 11:30 AM
End Time: 11:55 AM
Length: 25 minutes

Objectives
• Participants will have any remaining questions about the hands-on labs answered.
• Participants will review, at a high level, what was covered in each segment.
• Participants will be reminded that the rqBAR is available for more specific and in-depth questions.

In-Class Participant Questions
• Ask if they have any additional questions on the labs.
• Remind them that the rqBAR is available for more specific and in-depth needs/questions they may have.

Slide notes (#, Slide Objective, RQ Demo)

Slide 40
Slide Objective: End the hands-on lab time, answer any questions about the lab questions and then continue to the next slide.
RQ Demo: As needed.

Slide 41
Slide Objective: Briefly remind the participants at a high level what was covered in each segment.
RQ Demo: As needed.

Slide 42
Slide Objective: Thank everyone and have the mentors thank the participants also. Dismiss the class.
RQ Demo: N/A

Page 16: RQP3 Training Guide | Splunk


Hands-On Lab

A day in the life of an RQ Analyst

You are an RQ analyst who will be working through incidents coming from a customer's Splunk SIEM. Work through each question step by step and document your findings.

1. After logging into the customer's Splunk Incident Review, you notice there are multiple incidents that are not from RQ's content. Since you only want to focus on active RQ events, create a search in the Incident Review tab to show only RQ-S alerts.

2. Before you begin processing alerts, you will need to know the different indexes and sourcetypes in the customer's environment. Conduct a search to find the top 10 sourcetypes by the total number of events produced by each sourcetype. Remember to leverage these while investigating.

3. An alert has triggered for an internal Port Scan. Find the correlating incident and perform your analysis, answering the following questions:
   a. What is the Splunk event id?
   b. What is the address that is performing the scanning?
   c. What address is being scanned?
   d. What is the total number of unique targeted ports?
      i. Of this number, what is the top targeted service? (List all targeted services with the same count if they are equally the highest.) What is the event count of the highest service(s)?
   e. Is there a hostname associated with the address that is being scanned?
   f. Was the source address seen in any other notable activity outside this event over the last 24 hours?
   g. After your initial artifact gathering and analysis, you noticed another analyst closed this as a false positive, noting this was "authorized scanning from the source IP". What did the analyst review to determine this event is a false positive without performing log analysis?
   h. What steps are needed to prevent this alarm from alerting as a false positive again?

4. A customer called and noted that a long-time developer, Christopher Rusher, was recently fired from the company. He did not take the news of his departure very well and they fear he will use his skills as a developer and his previous privilege to retaliate against the company. The company's worst fears seemingly came true after an RQ alert noted that the user was seen in web-related activity a week after his departure. The customer would like you to run a 7-day search on his username 'crusher' and perform an ad-hoc investigation of this user's activity, answering the following questions:
   a. What is the user's internal source IP address or workstation?
   b. What external IP address did the user communicate with the most?
      i. According to your favorite OSINT, who owns this IP address and what country is it located in? Also, has the IP been associated with any malicious activity according to open source intelligence?
      ii. According to the logs, is there a URL/domain associated with the IP that the user attempted to connect to? (If many, choose one.)
      iii. Did the user attempt to download any files? If so, list five files and their corresponding file types (ex. Adobe.exe).
      iv. Has any other internal host communicated with this external IP? If so, list the event names.
   c. Were there any other notable events associated with this user?

5. An alert for "RQ-SM-3C - C2 IDS Callback" has been triggered in Splunk for the internal host at 192.168.0.2. Review the rule logic to understand why this rule fired and answer the following initial analysis questions:
   a. In plain English, explain what security threat this alert is attempting to catch.
   b. What signature did the IDS give this attack and what does the signature mean according to the IDS vendor (Symantec)?
   c. Is there a user associated with the source host?
   d. What does your favorite OSINT say about the external IP?
   e. Did any other internal host communicate with this external IP?
   f. What action was taken on this activity?

6. The customer has called in again and noted that they believe the default account "administrator" was successfully brute forced sometime this morning. Conduct a 24-hour search to find the 'administrator' account authentication activity and confirm or deny whether it has been successfully brute forced.
   a. Group the results by the source IP and rename the fields to the names below. Export the results for the administrator account over the last 24 hours on one page in the following order:
      i. Source_IP
      ii. Username (administrator)
      iii. Event_Name
      iv. Event_ID
      v. Source_Type
      vi. Source_Workstation
      vii. Destination_Workstation
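Worked SPL for lab questions 3, 4 and 6, added by the editor; it is not the lab's answer key, and the actual answers depend on the training data set, which this guide does not reproduce. Assumptions: index names firewall, proxy and wineventlog; CIM-style field names (src_ip, dest_ip, dest_port, user, url) and, for the Windows events, the name, src and dest fields extracted by the Splunk Add-on for Microsoft Windows; 192.0.2.10 and 192.0.2.20 stand in for the scanner and the scanned host you read off the notable in 3b and 3c, and 198.51.100.5 for the external IP you find in 4b (all three are documentation-range placeholders). In order, the searches answer 3d and 3e (the dnslookup external lookup ships with Splunk and resolves the scanned address), 3d.i (eventstats keeps every port tied for the highest count), 3f (the ES notable macro searches notable events), 4a and 4b, 4b.iii, 4b.iv and 6a. Questions 3a, 3g, 3h, 4b.i, 4c and 5 are answered from the notable itself, from OSINT or from the rule logic, not from these searches.

```spl
index=firewall src_ip="192.0.2.10" dest_ip="192.0.2.20" earliest=-24h
| stats dc(dest_port) AS unique_ports, count AS events, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip, dest_ip
| lookup dnslookup clientip AS dest_ip OUTPUT clienthost AS dest_hostname
| eval first_seen=strftime(first_seen, "%F %T"), last_seen=strftime(last_seen, "%F %T")

index=firewall src_ip="192.0.2.10" dest_ip="192.0.2.20" earliest=-24h
| stats count BY dest_port
| eventstats max(count) AS max_count
| where count=max_count

`notable`
| search src="192.0.2.10"
| where _time >= relative_time(now(), "-24h")
| table _time, rule_name, src, dest, status_label, owner

index=proxy user=crusher earliest=-7d
| stats count AS requests, values(url) AS url BY src_ip, dest_ip
| sort -requests

index=proxy user=crusher dest_ip="198.51.100.5" earliest=-7d
| rex field=url "/(?<file>[^/?]+\.(?<ext>exe|dll|msi|zip|pdf|ps1|js))(?:\?|$)"
| where isnotnull(file)
| stats count BY file, ext
| head 5

index=proxy dest_ip="198.51.100.5" earliest=-7d NOT user=crusher
| stats count, values(user) AS users BY src_ip

index=wineventlog sourcetype="WinEventLog:Security" user=administrator EventCode IN (4624, 4625, 4771, 4776) earliest=-24h
| stats count AS Event_Count, values(EventCode) AS Event_ID, values(name) AS Event_Name, values(sourcetype) AS Source_Type,
        values(src) AS Source_Workstation, values(dest) AS Destination_Workstation BY src_ip, user
| rename src_ip AS Source_IP, user AS Username
| table Source_IP, Username, Event_Name, Event_ID, Source_Type, Source_Workstation, Destination_Workstation, Event_Count
| sort -Event_Count
```

For the export in 6a, run the last search and use Export on the results (or append outputcsv); a successful brute force shows as a source with many 4625 or 4771 events followed by a 4624 for the same account, which is why the Event_ID column is kept multivalued rather than counted away. The file-type regex only sees extensions that appear in the URL path; downloads served with a Content-Disposition header and no extension in the path will be missed, so also check the proxy's content type field if the customer logs it.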

Page 18: RQP3 Training Guide | Splunk

Splunk Advanced

Introduction/Agenda

Topic: Introductions
Start Time: 1:00 PM
End Time: 1:10 PM
Length: 10 minutes

Objectives
• Participants will be introduced to the course and trainer/mentors.
• Participants will learn the focus of the course.
• Participants will be encouraged to ask questions throughout the course.

In-Class Participant Questions
• What are the different types of roles joining us today?
• Does everyone know that we have an rqBAR that can be leveraged for more information and in-depth Q/A for anything not covered?

Slide notes (#, Slide Objective, RQ Demo)

Slide 1
Slide Objective: Welcome the participants to the course and introduce the mentors. Explain that each mentor will be managing a section of the room.
RQ Demo: As needed.

Slide 2
Slide Objective: This is the time when the participants should log in to the Splunk instance. Mentors should be supporting this to ensure successful logins.
RQ Demo: As needed.

Slide 3
Slide Objective: Briefly cover the topics and the aim of the course. Explain that the hands-on labs will reinforce the skills learned throughout the course. Also explain that these portions of the course are guided click-throughs, so be sure to invite the participants to join you as you click through the sections.
RQ Demo: If needed, use your judgement.

Page 19: RQP3 Training Guide | Splunk

Splunk Advanced

IR Investigation

Topic: IR Investigation
Start Time: 1:10 PM
End Time: 2:00 PM
Length: 50 minutes

Objectives
• Participants will be introduced to the CAM methodology.
• Participants will gain an understanding of RQ's specific definitions of events and artifacts.
• Participants will apply their skills to a live simulated event.

Slide notes (#, Slide Objective, RQ Demo)

Slide 4
Slide Objective: Explain to the participants that this section will give them an IR Investigation scenario and that they will have to answer the corresponding questions using Splunk. Since this is a Splunk training class and not an IR training class, we will provide a brief overview of how our IR analysts approach IR investigations (for additional context and help).
RQ Demo: As needed.

Slide 5
Slide Objective: Explain that this is how RQ defines an Event and an Artifact, and the importance of applying this thinking when investigating events.
RQ Demo: Share how this process has improved our ability to systemize IR.

Slide 6
Slide Objective: Explain the CAM process at a high level and be sure to answer any questions they may have. Explain that their next step is to attempt a hands-on scenario.
RQ Demo: Share how this has impacted us compared with past approaches. Be wary about how you explain this topic.

Slide 7
Slide Objective: Explain the PSExec Pivoting scenario and direct them to use their training binder, which contains this scenario. Remind them that if they hit a snag the mentors are there to offer support, and Google is allowed.
RQ Demo: Share that at RQ we believe the best way to learn is to dive in.

Page 20: RQP3 Training Guide | Splunk


Slide notes (#, Slide Objective, RQ Demo)

Slides 8 to 10
Slide Objective: Review the artifacts they should have been able to discover and showcase our approach to gathering these artifacts. (Live demonstration)
RQ Demo: Share as needed, based on the hurdles a user may face when investigating artifacts.

In-Class Participant Questions
• Does every team have its own process/methodology?
• How many approaches are there to investigate an IR incident?
• How do you currently streamline an IR investigation?
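The scenario answer key is not reproduced in this guide; the searches below are an editor-added illustration of the artifacts a PSExec pivoting investigation gathers, not RQ's own answers. They assume Windows System and Security events in an index named wineventlog with the field names the Splunk Add-on for Microsoft Windows extracts (Service_Name, Service_File_Name, Share_Name, Relative_Target_Name, Source_Address, Account_Name; newer add-on versions also alias these to lowercase names). PSExec leaves two reliable artifacts on the target: a service-install event (7045 in the System log) for PSEXESVC, and, if share auditing is on, a 5145 event showing the PSEXESVC binary being written to the ADMIN$ share from the attacker's address. The first search lists targets and the binary path; the second groups the 5145 events by originating address so that a host that was a target in one row and a source in another shows the pivot chain.

```spl
index=wineventlog sourcetype="WinEventLog:System" EventCode=7045 Service_Name="PSEXESVC" earliest=-24h
| rename host AS dest
| table _time, dest, Service_Name, Service_File_Name, user

index=wineventlog sourcetype="WinEventLog:Security" EventCode=5145 Share_Name="*ADMIN$" Relative_Target_Name="PSEXESVC*" earliest=-24h
| rename host AS dest, Source_Address AS src_ip, Account_Name AS user
| stats min(_time) AS first_seen, dc(dest) AS target_count, values(dest) AS targets BY src_ip, user
| eval first_seen=strftime(first_seen, "%F %T")
| sort first_seen
```

Renamed PSExec binaries change the service name, so in a real investigation the 7045 search should also be run without the Service_Name filter and reviewed for any service whose Service_File_Name lands in ADMIN$ (C:\Windows); that is the artifact, PSEXESVC is only the default label.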

Page 21: RQP3 Training Guide | Splunk


Splunk Advanced

Rule Tuning

Topic: Rule Tuning
Start Time: 2:00 PM
End Time: 2:50 PM
Length: 50 minutes

Objectives
• Participants will gain an understanding of the importance of rule tuning.
• Participants will apply their current knowledge within a scenario on rule tuning.
• Participants will learn how RQ approaches rule tuning.

In-Class Participant Questions
• How do teams tune rules now?
• What are the challenges you face when attempting to tune rules?
• How many people in the room have to tune rules or have done it in the past? What was the experience like?
• What is the impact to the enterprise if this process is not done correctly? Why?

Slide notes (#, Slide Objective, RQ Demo)

Slide 11
Slide Objective: Explain that this segment is going to cover tuning rules and the importance of this process. Also discuss how RQ approaches rule tuning and the impact this process has on an enterprise's maturity roadmap.
RQ Demo: Explain the importance

Slide 12
Slide Objective: Explain the Port Scan scenario and direct them to use their training binder, which contains this scenario. Remind them that if they hit a snag the mentors are there to offer support.
RQ Demo: Share your experience of how impactful this is when done correctly.

Slide 13
Slide Objective: Review the artifacts they should have been able to discover and showcase our approach to gathering these artifacts. (Live demonstration)
RQ Demo: As needed.

Slide 14
Slide Objective: Have the class discuss their approach with each other and then bring them back together to discuss it. The mentors should support the facilitation of the discussion. The goal is to have the participants work together to find a solution.
RQ Demo: Share any relevant stories during the review discussion.


Objectives

• Participants will gain an understanding of building rule logic.

• Participants will apply their IR and rule skills to identify a new threat and develop their own rule logic.

• Participants will learn how RQ approaches threat management.

Threat Management

Topic: Threat Management

Start Time: 2:50 PM

End Time: 3:40 PM

Length: 50 minutes

Slides 15–18

Slide Objective
• Explain that this segment is going to cover threat management and the importance of this process. Also discuss how RQ approaches threat management and the impact this process has on an enterprise’s maturity roadmap.
• Explain the importance of threat management and how RQ has evolved this process.
• Explain the Suspicious File Downloaded from High Risk Categorized Site scenario and direct them to use their training binder, which has this scenario. Remind them that if they hit a snag the mentors are there to offer support.
• Review the artifacts they should have been able to discover and showcase our approach to gathering these artifacts. (Live demonstration)

RQ Demo
• As needed.
• As needed.


Slides 19–21

Slide Objective
• Explain the content questions based on part 1 of this scenario and direct them to use their training binder, which has this scenario. Remind them that if they hit a snag the mentors are there to offer support.
• Review the artifacts they should have been able to discover and showcase our approach to gathering these artifacts. (Live demonstration)
• Review the logic for Scenario 3: Mitigate the Threat in the SIEM. The test alert is titled “Test Alert”.

RQ Demo
• Share your experience about how this is heavily impactful if done correctly.
• Share your experience about how this is heavily impactful if done correctly.
• As needed.

In-Class Participant Questions

• What does threat management look like at your organization?
• What are the challenges you face when attempting to develop threat management processes?
• What is the impact to the enterprise if this process isn’t done correctly? Why?
• How do you currently stay abreast of the emerging threats within your industry, and where do you see needed growth within your company?


Objectives

• Participants will be applying skills learned to scenario-based labs.

• Participants will review the topics covered in the course.

Course Wrap-up

Topic: Wrap-Up

Start Time: 3:0 PM

End Time: 3:55 PM

Length: 50 minutes

In-Class Participant Questions

• Ask if they have any additional questions on the labs.
• Remind them that the rqBAR is available for more specific and in-depth needs/questions they may have.

Slides 22–24

Slide Objective
• End the hands-on lab time, answer any questions about the lab questions and then continue to the next slide.
• Briefly remind the participants at a high level what was covered in each segment.
• Thank everyone and have the mentors thank the participants also. Dismiss the class.

RQ Demo
• As needed.
• Remind of a story that seemed to stick, if needed.


Advanced Lab Scenario Answers

IR Investigation Scenario: PsExec Pivoting

Summary: A PsExec Pivoting alert triggered after a domain admin user fell victim to a phishing attack. A Russian IP used jgrayson’s compromised credentials to VPN into the network and pivot with PsExec onto the host TP00288LP, then created a local account, granted it admin privileges, and enumerated all usernames in the IT Administrators group. SMB exploits were then run against other hosts in the network over port 445, and the host’s audit log was cleared to remove evidence.

Alert fires at 9:30 AM on Windows Security events:
• Event Code 5140 (a network share object was accessed) where the share name is “ADMIN$” and the host is TP00288LP
• Event Code 4697 (a service was installed in the system) on the same host TP00288LP

Correlated Events Pre-Alert:
• 8:15 AM; Blue Coat web proxy reports the domain admin user “jgreyson” going to a phishing site (GET request and POST response)
• 9:00 AM; FortiGate reports a VPN logon of “jgreyson” from the suspicious Russian IP 81.177.73.7

Correlated Events Post-Alert:
• 10:30 AM; Windows Security Auditing reports a Process Creation event (event code 4688) of jgreyson opening the process “cmd.exe” and running the command net group “IT Administrators” /Domain to enumerate usernames
• 10:45 AM; Windows Security Auditing reports a local account creation (event code 4720) of jgrays0n on TP00288LP, a look-alike of the compromised username with a zero in place of the “o”
• 10:45 AM; Windows Security Auditing reports jgrays0n being added to the group IT Administrators (event code 4732, a member was added to a security-enabled local group)
• 11:00 AM; Palo Alto firewall reports the compromised source host TP00288LP reaching out to the following devices over port 445: TP00381WS @ 10.14.33.140, TP00429WS @ 10.14.33.58
• 11:30 AM; Windows Security Auditing reports an Audit Log Cleared event (event code 1102) from TP00288LP.
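The detection and the post-alert pivots above, written as two SPL searches. These are added examples, not the lab’s own correlation search or its data: they assume Windows Security logs in an index named wineventlog with sourcetype WinEventLog:Security, the Splunk Add-on for Windows field names (ShareName, Service_Name, Account_Name, Source_Address, New_Process_Name, Process_Command_Line, Group_Name), and the `comment` macro that ships with the Splunk Common Information Model add-on and Enterprise Security (on Splunk 8.2 or later triple-backtick inline comments work without it).

```spl
index=wineventlog sourcetype="WinEventLog:Security"
    ((EventCode=5140 ShareName="*ADMIN$") OR EventCode=4697)
    `comment("assumed index sourcetype and field names - 5140 is share accessed and 4697 is service installed")`
| bin _time span=15m
| stats dc(EventCode) AS distinct_codes values(Account_Name) AS accounts
        values(Source_Address) AS sources values(Service_Name) AS services BY _time host
| where distinct_codes=2
| table _time host accounts sources services

index=wineventlog sourcetype="WinEventLog:Security" host=TP00288LP
    EventCode IN (4688, 4720, 4732, 1102)
    `comment("pivot on the host named in the alert - field names assumed from the Windows add-on")`
| eval detail=case(
        EventCode=4688, "process created: " . New_Process_Name . " cmd: " . Process_Command_Line,
        EventCode=4720, "local account created: " . mvindex(Account_Name, -1),
        EventCode=4732, "member added to local group: " . Group_Name,
        EventCode=1102, "audit log cleared")
| table _time EventCode Account_Name detail
| sort 0 _time
```

The first search buckets events into 15-minute windows and only returns a host where both an ADMIN$ share access and a service install landed in the same window: either event alone is routine administration, the pair is the PsExec pattern (the service is PSEXESVC unless the operator renamed it with -r, which is why the rule does not filter on Service_Name). The second search lays out the post-alert timeline on the host in one table; for 4720 the new account is the last Account_Name value, the first being the subject who created it. Both depend on audit policy: 5140 needs Audit File Share, 4697 needs Audit Security System Extension, and Process_Command_Line is empty unless command-line auditing is enabled for process creation events, so the net group command only appears if the lab images have that setting.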

Rule Tuning Scenario: Port Scan

Summary: A Port Scan – Internal alert fired because the device Nessus02 @ 10.150.18.10 was scanning the network. The trainees are to triage the alert and discover from the event logs that the source hostname resolves to a Nessus scanner; you can confirm to them that port scans from Nessus scanners are authorized in this network. Trainees are to understand the concept of tuning and how they would tune an authorized scanning host. For tuning purposes, the Nessus02 IP 10.150.18.10 is static and will never change.

Alert fires at 10:00 AM on Palo Alto firewall logs:
• Multiple firewall events with different unique destination ports within the 1–1024 range.

Correlated Events Pre-Alert:
• None were needed for this alert. The 2nd scenario was built with a focus on tuning the Nessus scanner.

Correlated Events Post-Alert:
• None were needed for this alert. The 2nd scenario was built with a focus on tuning the Nessus scanner.
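The Port Scan – Internal rule before and after tuning for Nessus02, as SPL. This is an added example, not the lab’s rule: it assumes Palo Alto traffic logs in an index named pan_logs with sourcetype pan:traffic and the Palo Alto add-on field names src_ip, dest_ip and dest_port, a lookup file named authorized_scanners.csv that the middle search creates (a constructed entry with placeholder values), and the `comment` macro from the CIM add-on / Enterprise Security. The threshold of 20 distinct ports is an assumption; the lab only says multiple unique destination ports.

```spl
index=pan_logs sourcetype="pan:traffic" dest_port<=1024
    `comment("untuned rule - assumed index sourcetype and field names")`
| stats dc(dest_port) AS unique_ports dc(dest_ip) AS unique_dests BY src_ip
| where unique_ports>=20

| makeresults
| eval src_ip="10.150.18.10", hostname="Nessus02", purpose="authorized Nessus vulnerability scanner", change_ticket="placeholder"
| fields - _time
| outputlookup authorized_scanners.csv

index=pan_logs sourcetype="pan:traffic" dest_port<=1024
    NOT [| inputlookup authorized_scanners.csv | fields src_ip]
    `comment("tuned rule - the subsearch expands to NOT src_ip=10.150.18.10 for every lookup row")`
| stats dc(dest_port) AS unique_ports dc(dest_ip) AS unique_dests BY src_ip
| where unique_ports>=20
```

Keeping the exclusion in a lookup rather than writing NOT src_ip=10.150.18.10 into the rule makes the tuning visible, reusable by other rules, and traceable to whoever approved it; in practice the CSV is maintained through the Lookup Editor with a change ticket per row. A static IP, as in this lab, is a safe key; for DHCP hosts key on hostname instead. The trade-off worth stating to the class is that an allowlisted host is now invisible to this rule, so if Nessus02 were compromised its scanning would never alert. A lower-severity rule restricted to the lookup hosts, or one that fires when they scan outside their approved scope or window, closes that gap.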


Threat Management Scenario: Suspicious File Downloaded from High Risk Categorized Site

Summary: This alert fired when victim users opened the Word document FreeBitcoinVoucherLink.doc and followed a link to a malicious website that downloaded malware to their machines. A total of 5 unique users/machines were involved and infected; their Symantec AV detects the infection every hour but is unable to remediate it. The infection originated from a phishing campaign (no email traffic is logged in the SIEM).

Alert fires at 9:00 AM on Blue Coat web proxy logs:
• Outbound web traffic to the site ffoqr3ug7df323[.]213211[.]top downloading the file YoudaoDictSetup_51000004914113162139 (1).exe

Correlated Events Pre-Alert:
• 8:30 AM to 8:34 AM; Windows Security Auditing reports Process Creation events (event code 4688) where the process is Winword.exe with the file name FreeBitcoinVoucherLink.doc, seen for the following source users and IP/hosts:
• tmoore, yatkinson, mquinn, vriza, pshaw
• 10.4.83.104 TPA-693864, 10.4.83.148 TPA-154542, 10.4.83.66 TPA-581677, 10.4.83.39 TPA-567471, 10.4.83.55 TPA-418652

Correlated Events Post-Alert:
• 9:01 AM; Palo Alto firewall reports multiple permit events from the 5 unique source hosts/IPs listed above.
• 9:30 AM to 9:34 AM, and again every hour at the same minutes; Symantec Antivirus reports malware detections on these victim devices.
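Rule logic for Scenario 3 (a Word document opened, then an executable fetched from a high-risk site by the same user) and a check for the recurring Symantec detections, as SPL. These are added examples, not the lab’s own Test Alert logic: they assume a proxy index named proxy with the Blue Coat ProxySG add-on fields cs_uri_extension, sc_filter_category, url, src and a CIM user field mapped from cs_username; the Windows index and field names from the PsExec example; a Symantec index named symantec whose CIM Malware fields dest and signature are populated; the `comment` macro from the CIM add-on / Enterprise Security; and an assumed list of high-risk categories.

```spl
(index=wineventlog sourcetype="WinEventLog:Security" EventCode=4688
    New_Process_Name="*\\WINWORD.EXE" Process_Command_Line="*.doc*")
OR (index=proxy sourcetype="bluecoat:proxysg:access:syslog" cs_uri_extension=exe
    sc_filter_category IN ("Malicious Sources/Malnets", "Suspicious", "Uncategorized"))
    `comment("assumed indexes sourcetypes field names and high-risk category list")`
| eval user=lower(coalesce(user, mvindex(Account_Name, 0)))
| eval stage=if(EventCode=4688, "doc_opened", "exe_download")
| stats min(eval(if(stage="doc_opened", _time, null()))) AS doc_time
        min(eval(if(stage="exe_download", _time, null()))) AS download_time
        values(Process_Command_Line) AS documents values(url) AS urls
        values(host) AS hosts values(src) AS src_ips BY user
| where isnotnull(doc_time) AND isnotnull(download_time)
    AND download_time>doc_time AND download_time-doc_time<=3600
| eval doc_time=strftime(doc_time, "%Y-%m-%d %H:%M:%S"),
       download_time=strftime(download_time, "%Y-%m-%d %H:%M:%S")
| table user hosts src_ips doc_time documents download_time urls

index=symantec sourcetype="symantec:ep:risk:file"
    `comment("assumed index and sourcetype - dest and signature are the CIM Malware fields")`
| bin _time span=1h
| stats dc(_time) AS hours_with_detections values(signature) AS threats BY dest
| where hours_with_detections>=3
```

The join key is the user: the 4688 subject account (first Account_Name value) and the proxy’s authenticated username. The stats/where pair enforces order, the document opened before the download and within an hour, without the transaction command, which does not scale on proxy volumes. If the proxy is not user-authenticated, replace the user key with an asset lookup from source IP to hostname and key on host instead. The second search flags a host where the AV reports a threat in three or more separate hours, the detect-but-not-remediate pattern in this answer key, which is the evidence for escalating to isolation and reimaging rather than waiting on the AV.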
