SPLUNK



Splunk is a software platform used to collect, search, monitor, and analyze machine-generated data such as logs, events, and metrics from servers, applications, networks, and security devices.

Common uses of Splunk include:

  • Security monitoring (SIEM)
    Detecting threats, attacks, suspicious logins, malware activity, etc.
  • Log management
    Centralizing logs from Windows, Linux, firewalls, applications, and cloud services.
  • Troubleshooting systems
    Finding errors, crashes, performance bottlenecks, or failed services quickly.
  • Data visualization
    Creating dashboards, alerts, reports, and charts from real-time data.
  • Compliance & auditing
    Tracking user activity and system changes for regulatory requirements.

For example, a typical pipeline looks like this:
  • A Windows server generates event logs
  • Sysmon creates detailed security logs
  • Splunk ingests those event logs (the .evtx channels, normally via a Universal Forwarder) into an index
  • You search them using SPL (Search Processing Language)

SPL stands for Search Processing Language. It is the query language used in Splunk to search, filter, analyze, and visualize machine data.

It works somewhat like SQL, but it is designed specifically for logs and event data.


What SPL is used for 

With SPL, you can:

  • Search logs
  • Filter events
  • Detect attacks
  • Create alerts
  • Build dashboards
  • Generate statistics and reports
  • Investigate incidents

Example Splunk SPL search:

index=sysmonsplunk EventCode=1

This SPL search reads the index "sysmonsplunk", which is where the audited Sysmon logs are stored, and keeps only events with EventCode=1. In Sysmon, EventCode 1 is process creation: each event gives detailed information about a newly started process (executable, command line, parent process, user, hashes).
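As an added example (not from the original post), the process-creation search above extended into a hunt for Office applications spawning command interpreters, a common initial-access pattern. It assumes the index name sysmonsplunk from above and the Sysmon field names Image, ParentImage, CommandLine and User as mapped by the Splunk Add-on for Sysmon; the parent/child process lists are an assumed starting point, not a complete allow or block list.

```spl
index=sysmonsplunk EventCode=1
| eval parent=lower(mvindex(split(ParentImage, "\\"), -1)),
       child=lower(mvindex(split(Image, "\\"), -1))
| search parent IN ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
         child IN ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| stats count min(_time) AS first_seen max(_time) AS last_seen
        values(CommandLine) AS command_lines
        by host, User, parent, child
| convert ctime(first_seen) ctime(last_seen)
| sort - count
```

The eval strips the directory from the full image paths so the comparison works regardless of where Office is installed, and the stats groups the hits per host, user and parent/child pair so one noisy workstation does not flood the results. Run it over a long time range first to learn what is normal before turning it into an alert.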

Example 2 Splunk SPL search:

index=splunkex1 EventCode=3 | table _time DestinationIp SourceIp ProcessId Image User

This SPL search, as seen in the image below, searches index=splunkex1 for EventCode=3, which is a network connection, and shows the fields _time, DestinationIp, SourceIp, ProcessId, Image and User as columns of a table.
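As an added example (not from the original post), the network-connection search above turned into a simple beaconing hunt: it looks for processes that repeatedly connect to the same external destination at regular intervals, which is what malware command-and-control traffic tends to look like. It assumes the index name splunkex1 from above and the Sysmon EventCode 3 fields DestinationIp, DestinationPort, Initiated, Image and User; the private address ranges excluded and the thresholds (at least 10 connections, interval standard deviation under 10% of the average) are assumptions to tune for your environment.

```spl
index=splunkex1 EventCode=3 Initiated=true
| where NOT cidrmatch("10.0.0.0/8", DestinationIp)
    AND NOT cidrmatch("172.16.0.0/12", DestinationIp)
    AND NOT cidrmatch("192.168.0.0/16", DestinationIp)
    AND NOT cidrmatch("127.0.0.0/8", DestinationIp)
| sort 0 host, Image, DestinationIp, DestinationPort, _time
| streamstats current=f last(_time) AS prev_time by host, Image, DestinationIp, DestinationPort
| eval delta=_time-prev_time
| stats count avg(delta) AS avg_interval stdev(delta) AS interval_stdev
        min(_time) AS first_seen max(_time) AS last_seen
        by host, User, Image, DestinationIp, DestinationPort
| where count>=10 AND interval_stdev<0.1*avg_interval
| convert ctime(first_seen) ctime(last_seen)
| sort - count
```

streamstats with current=f carries the previous event's timestamp forward within each host/process/destination group, so delta is the gap between consecutive connections; a small standard deviation of that gap relative to its average means the connections are evenly spaced. Beacons with randomised jitter will need a looser ratio, and legitimate software (update checks, telemetry) will also show up, so the result is a hunting lead rather than a verdict.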


EventCodes:

In Splunk, EventCode is a field that identifies the specific type of event recorded in a log source. 

For Windows and Sysmon logs, each EventCode corresponds to a particular activity such as:

  • EventCode 1 : Process Creation 

Logged when a process starts. Includes the executable name, command line, parent process, file hashes, and the user account, which makes it the single most important Sysmon event for threat hunting.

  • EventCode 2: Process File Creation Time Changed

File Creation Time Changed detects when a file’s creation timestamp is modified (“timestomping”), often used by attackers to hide malware activity.

  • EventCode 3 : Network Connection 
Logs TCP/UDP connections made or received by processes (the Initiated field says which). Useful for detecting malware beaconing or suspicious external communication.

  • EventCode 4 : Sysmon Service State Changed  
Indicates Sysmon service start or stop events. Helps verify monitoring integrity: a stop event that no administrator scheduled means an attacker may be blinding the sensor.

  • EventCode 5 : Process Terminated 
Process Terminated records when a process exits or is killed. Useful during forensic investigations.

  • EventCode 6 : Driver Loaded 
Driver Loaded logs kernel driver loads. Important because malicious/rootkit drivers often load at kernel level.

  • EventCode 7 : Image Loaded 
Image Loaded records DLLs or modules loaded into processes. Useful for detecting malicious DLL injection.

  • EventCode 8 : CreateRemoteThread 
CreateRemoteThread detects one process creating a thread in another process — commonly associated with code injection and malware.

  • EventCode 9 : RawAccessRead
RawAccessRead detects raw disk access. Attackers and forensic tools may use this to bypass filesystem monitoring.

  • EventCode 10 : Process Access 
Process Access logs when one process accesses another process. Useful for detecting credential dumping tools like Mimikatz targeting LSASS.
 
There are more EventCodes than these; the Sysmon documentation lists them all, and further research is encouraged.
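As an added example (not from the original post) of putting EventCode 10 to work, the search below hunts for credential dumping by flagging processes that open LSASS with the access rights a memory reader needs. It assumes the index name sysmonsplunk used earlier, the Sysmon EventCode 10 fields SourceImage, SourceProcessId, TargetImage, GrantedAccess and CallTrace, and a Sysmon configuration that actually records ProcessAccess events for lsass.exe (many configs filter them out). The list of excluded source processes is an assumed starting point, not a vetted allow list.

```spl
index=sysmonsplunk EventCode=10 TargetImage="*lsass.exe"
| eval source=lower(mvindex(split(SourceImage, "\\"), -1))
| search NOT source IN ("msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe")
| search GrantedAccess IN ("0x1010", "0x1038", "0x1410", "0x1438", "0x1fffff")
| stats count min(_time) AS first_seen max(_time) AS last_seen
        values(GrantedAccess) AS access_masks
        values(CallTrace) AS call_traces
        by host, SourceImage, SourceProcessId
| convert ctime(first_seen) ctime(last_seen)
| sort - count
```

GrantedAccess is the Windows process access mask: 0x1010 is PROCESS_VM_READ plus PROCESS_QUERY_LIMITED_INFORMATION, the minimum needed to read another process's memory, and 0x1fffff is full access; the other values add query or write rights on top. Security products and some system processes legitimately open LSASS with these rights, so expect to extend the exclusion list, and check call_traces for unsigned or unusual DLLs when a hit looks suspicious.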

Solve the SPL search shown in the image below and leave your answers in the comments.


