topic Re: Get logs in Getting Data In

Get logs

tuts — Wed, 17 Jul 2024 06:00:53 GMT

Hello everyone
I want help on how to deal with the following problem
A company that got hacked and we want to know how the hack happened and is there a data leak or not
The company does not use any of the EDR and sime and ndr systems
Question
The best way to extract logs from the company's systems and analyze them in splunk and what are the rules to start searching

Re: Get logs

bowesmana — Wed, 17 Jul 2024 06:10:15 GMT

The best way of getting data from the company's systems is generally whatever is the easiest to get them out. Splunk can ingest data in many ways, but there are many standard ways of looking at data.

What systems do you have and what logs are available.

Do you currently use Splunk?

Re: Get logs

tuts — Wed, 17 Jul 2024 07:39:22 GMT

Yes, I'm currently working on Splunk.
I want to pull the data from Event Viewer and save them to the cvs file and then I add data for splunk is this the right way

I want the data to be understandable like botsv

Re: Get logs

bowesmana — Wed, 17 Jul 2024 22:32:04 GMT

The normal way to get data from windows machines is to install the universal forwarder on the machine and pretty much the rest happens as magic.

https://www.splunk.com/en_us/blog/learn/splunk-universal-forwarder.html

Also, you should install the TAs (Technical Add On) for Windows

https://splunkbase.splunk.com/app/742

and then you will have the data in Splunk in a way that can be easily digested.

Re: Get logs

tuts — Thu, 18 Jul 2024 07:24:31 GMT

I don't want to use universal forwarder
I mean, what is the correct way to pull data from a hacked device, then take the data, save it in a folder, and then analyze it in splunk, and the hacked device does not have any universal forwarder and does not allow it to be installed
All I want is to know the way to create data from the device such as botsv2 data and analyze it in Splunk

Re: Get logs

PickleRick — Thu, 18 Jul 2024 12:44:26 GMT

The way to get "data like bots dataset" would be to ingest it with a UF and then copy out buckets with indexed data.

Also remember that if an incident had already happened the attackers might have removed as many traces of their activity as they could. You can try to do some forensic analysis but that's not something Splunk is meant for. Yes, in a skilled person's hands it can be a tool helping in such analysis but it's not a forensic solution.