Fixit

Welcome to this hands-on Splunk challenge room. In this scenario, you've just completed your third screening interview for a SOC Level 2 role at MSSP Cybertees Ltd, and you're now faced with the final assessment to test your knowledge. You'll be given access to a Splunk instance receiving network logs from an unknown source. The data isn't arriving in a usable state, so before you can analyze what's happening on the network, you must Fixit!

Objectives

This challenge is divided into three phases

1. Fix event boundaries for the incoming logs
2. Extract custom fields from the available events
3. Analyze event data to uncover network activity 

Prerequisites

This challenge is based on the knowledge covered in the following rooms

• Check out Regular Expressions to get familiar with pattern matching
• Cover Splunk: Exploring SPL for an overview of Splunk queries
• Explore Splunk: Data Manipulation to learn event parsing and field extraction

Lab Access

Click the Start Machine button below to start the lab. Please give Splunk five minutes to load and access the UI at http://MACHINE_IP:8000. Splunk is installed in the default /opt directory, and you will be working with the Fixit app.

If Splunk stops responding at any point, run /opt/splunk/bin/splunk restart as root and wait for a few minutes.

Set up your virtual environment

To successfully complete this room, you'll need to set up your virtual environment. This involves starting the Target Machine, ensuring you're equipped with the necessary tools and access to tackle the challenges ahead.

Target machine

Status:Off

Start Machine