Getting Data In

Get logs

tuts
Path Finder

Hello everyone
I want help on how to deal with the following problem.
A company got hacked, and we want to know how the hack happened and whether there is a data leak or not.
The company does not use any EDR, SIEM or NDR systems.
Question:
What is the best way to extract logs from the company's systems and analyze them in Splunk, and what are the rules to start searching with?


bowesmana
SplunkTrust

The best way of getting data from the company's systems is generally whatever is the easiest to get them out. Splunk can ingest data in many ways, but there are many standard ways of looking at data.

What systems do you have and what logs are available?

Do you currently use Splunk?


tuts
Path Finder

Yes, I'm currently working on Splunk.
I want to pull the data from Event Viewer, save it to a CSV file and then add the data to Splunk. Is this the right way?

I want the data to be understandable like botsv


bowesmana
SplunkTrust

The normal way to get data from Windows machines is to install the universal forwarder on the machine, and pretty much the rest happens as magic.

https://www.splunk.com/en_us/blog/learn/splunk-universal-forwarder.html

Also, you should install the TAs (Technical Add-Ons) for Windows:

https://splunkbase.splunk.com/app/742

and then you will have the data in Splunk in a way that can be easily digested.


tuts
Path Finder

I don't want to use the universal forwarder.
I mean, what is the correct way to pull data from a hacked device, take the data, save it in a folder and then analyze it in Splunk, when the hacked device does not have any universal forwarder and does not allow one to be installed?
All I want is to know how to create data from the device, such as the botsv2 data, and analyze it in Splunk.


PickleRick
SplunkTrust

The way to get "data like bots dataset" would be to ingest it with a UF and then copy out buckets with indexed data.

Also remember that if an incident has already happened, the attackers might have removed as many traces of their activity as they could. You can try to do some forensic analysis, but that's not something Splunk is meant for. Yes, in a skilled person's hands it can be a tool helping in such analysis, but it's not a forensic solution.

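For the file-based collection tuts asks about (Event Viewer data copied to a folder, then loaded into Splunk without a forwarder on the host), here is an added PowerShell example; it is not code from any participant in this thread or from Splunk. It keeps a raw .evtx copy of each channel as the evidence copy, writes a JSON-lines file that a Splunk file monitor can read, and hashes every file so the copies can be shown unmodified later; the export root D:\evidence, the 14-day window and the channel list are assumptions, and, as PickleRick notes, this is a log export, not a forensic image.

```powershell
# Added example (not from the thread): file-based export of Windows event
# logs from a host where no Universal Forwarder may be installed, producing
# files a Splunk file monitor can ingest. Assumed: export root D:\evidence
# (removable media or a share, not the suspect disk), 14-day window,
# elevated shell (the Security channel needs it).
param(
    [string]$OutDir = "D:\evidence\$env:COMPUTERNAME",
    [int]$Days = 14
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$since    = (Get-Date).AddDays(-$Days)
$channels = 'Security', 'System', 'Application',
            'Microsoft-Windows-PowerShell/Operational',
            'Microsoft-Windows-Sysmon/Operational'   # present only if Sysmon is installed
foreach ($ch in $channels) {
    if (-not (Get-WinEvent -ListLog $ch -ErrorAction SilentlyContinue)) {
        Write-Warning "channel '$ch' not present, skipping"; continue
    }
    $safe = $ch -replace '[\\/]', '_'
    # 1. Raw .evtx copy of the whole channel: the evidence copy, never edited.
    & wevtutil.exe epl $ch (Join-Path $OutDir "$safe.evtx") /ow:true
    # 2. One JSON object per line: the file Splunk reads (sourcetype _json).
    $jsonPath = Join-Path $OutDir "$safe.json"
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $ch; StartTime = $since } |
            ForEach-Object {
                $sid = if ($_.UserId) { $_.UserId.Value } else { $null }
                [pscustomobject]@{
                    time      = $_.TimeCreated.ToString('o')  # ISO 8601, parsed by Splunk
                    host      = $_.MachineName
                    channel   = $_.LogName
                    event_id  = $_.Id
                    record_id = $_.RecordId
                    provider  = $_.ProviderName
                    level     = $_.LevelDisplayName
                    user_sid  = $sid
                    message   = $_.Message
                } | ConvertTo-Json -Compress
            } | Set-Content -Path $jsonPath -Encoding UTF8
    } catch {
        Write-Warning "$ch : $($_.Exception.Message)"   # e.g. no events in the window
    }
}
# 3. SHA-256 of every exported file, so the copies can later be shown unmodified.
Get-ChildItem -Path $OutDir -File | Where-Object Name -ne 'SHA256SUMS.txt' |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { "$($_.Hash)  $(Split-Path -Leaf $_.Path)" } |
    Set-Content -Path (Join-Path $OutDir 'SHA256SUMS.txt') -Encoding ASCII
```

On the Splunk side, point a file monitor at the copied folder (a `[monitor://...]` stanza in inputs.conf with `sourcetype = _json`, or Add Data in the UI) and the `time` field gives each event its timestamp. Because this is custom JSON rather than the WinEventLog input, the field names from the Windows TA do not apply to it.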