

This Digital Forensics and Incident Response (DFIR) Wiki article uses an artificial research data-set to exemplify analysis steps for the purpose of "Threat Hunting". Threat Hunting is the term used here in place of "Log Analysis", because many security professionals believe that the discipline needs to evolve.

This article uses the Splunk BOTS data-set in order to exemplify some basic SOC skills with Splunk. The following examples use the freely available version of Splunk, which is a widely distributed log management and analysis product from Splunk Inc. The user names and corporations are generic, and do not identify individuals, trademarks or corporate entities.

Prepare a Splunk server based on Ubuntu Server

The starting point is a basic Ubuntu Linux VM on a VMware ESXi host in the lab:

:/data/import$ cat /etc/lsb-release

I use Splunk 7.1, which is installed in /opt/splunk:

:/# /opt/splunk/bin/splunk start
Checking appserver port : open
Validated: _audit _internal _introspection _telemetry _thefishbucket history main summary
Checking filesystem compatibility.
Validating installed files against hashes from '/opt/splunk/splunk-7.1.0-2e75b3406c5b-linux-2.6-x86_64-manifest'

I mounted a separate disk at /data for the Splunk indexes:

:/# grep data /etc/fstab

and symlinked the var folder to it, so that the indexes are not stored on the root filesystem (/):

lrwxrwxrwx 1 splunk splunk 5 May 6 18:46 var -> /data
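The two layout steps above (a dedicated disk mounted at /data and the Splunk var directory symlinked to it) are easy to get subtly wrong: a missing or commented-out fstab entry, or a link that still resolves to a directory on the root filesystem, silently puts the indexes back on /. The POSIX shell script below is an added example, not code from the article or from Splunk; it checks an fstab file for the mount, verifies the symlink target, and confirms that the var directory lives on a different filesystem than /. The paths /opt/splunk and /data are the article's; the demo tree it builds under a temporary directory, including the sample fstab, is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article or from Splunk): checks for the
# "indexes on a separate disk" layout. /opt/splunk and /data are the
# paths the article uses; the demo tree at the bottom is constructed.

# fstab_has_mount FSTAB MOUNTPOINT
# Succeeds if a non-comment line in FSTAB mounts MOUNTPOINT (fs_file is field 2).
fstab_has_mount() {
    awk -v mp="$2" '
        /^[ \t]*#/ { next }
        NF >= 2 && $2 == mp { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# symlink_target_is LINK EXPECTED
# Succeeds if LINK is a symbolic link whose target is exactly EXPECTED.
symlink_target_is() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

# on_separate_fs PATH_A PATH_B
# Succeeds if both paths exist and sit on different filesystems (df -P is POSIX).
on_separate_fs() {
    dev_a=$(df -P "$1" 2>/dev/null | awk 'NR == 2 { print $1 }')
    dev_b=$(df -P "$2" 2>/dev/null | awk 'NR == 2 { print $1 }')
    [ -n "$dev_a" ] && [ -n "$dev_b" ] && [ "$dev_a" != "$dev_b" ]
}

# layout_report SPLUNK_HOME DATA_DIR FSTAB
# Prints one PASS/FAIL line per check; the exit status is the number of failures.
layout_report() {
    home=$1; data=$2; fstab=$3; failures=0
    if fstab_has_mount "$fstab" "$data"; then
        echo "PASS  $fstab mounts $data"
    else
        echo "FAIL  no active fstab entry for $data"; failures=$((failures + 1))
    fi
    if symlink_target_is "$home/var" "$data"; then
        echo "PASS  $home/var -> $data"
    else
        echo "FAIL  $home/var is not a symlink to $data"; failures=$((failures + 1))
    fi
    if on_separate_fs "$home/var" /; then
        echo "PASS  $home/var is not on the root filesystem"
    else
        echo "FAIL  $home/var resolves to the root filesystem (or does not exist)"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Demo on a constructed tree: a sample fstab plus the var -> data symlink.
# On a real server you would call: layout_report /opt/splunk /data /etc/fstab
demo=$(mktemp -d)
mkdir -p "$demo/opt/splunk" "$demo/data"
printf '%s\n' \
    '# constructed sample fstab' \
    'UUID=0000-ROOT /     ext4 defaults 0 1' \
    "/dev/sdb1 $demo/data ext4 defaults 0 0" > "$demo/fstab"
ln -s "$demo/data" "$demo/opt/splunk/var"
layout_report "$demo/opt/splunk" "$demo/data" "$demo/fstab" || echo "$? check(s) failed"
rm -rf "$demo"
```

The third check is the one that matters operationally: on the demo tree it may fail, because the temporary directory usually lives on the root filesystem, which is exactly the condition the article's symlink is meant to avoid. Run it with the real paths after mounting the disk and creating the link, and all three lines should read PASS.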
