Get logs

tuts
Path Finder

Hello everyone,
I want help on how to deal with the following problem.
A company got hacked, and we want to know how the hack happened and whether there was a data leak or not.
The company does not use any EDR, SIEM or NDR systems.
Question:
What is the best way to extract logs from the company's systems and analyze them in Splunk, and what are the rules to start searching with?


bowesmana
SplunkTrust

The best way of getting data from the company's systems is generally whatever is the easiest to get them out. Splunk can ingest data in many ways, but there are many standard ways of looking at data.

What systems do you have, and what logs are available?

Do you currently use Splunk?


tuts
Path Finder

Yes, I'm currently working on Splunk.
I want to pull the data from Event Viewer, save it to a CSV file, and then use Add Data in Splunk. Is this the right way?

I want the data to be understandable like botsv


bowesmana
SplunkTrust

The normal way to get data from Windows machines is to install the universal forwarder on the machine, and pretty much the rest happens as magic.

https://www.splunk.com/en_us/blog/learn/splunk-universal-forwarder.html

Also, you should install the TAs (Technical Add-Ons) for Windows:

https://splunkbase.splunk.com/app/742

and then you will have the data in Splunk in a way that can be easily digested.


tuts
Path Finder

I don't want to use the universal forwarder.
I mean, what is the correct way to pull data from a hacked device, take the data, save it in a folder, and then analyze it in Splunk, when the hacked device does not have any universal forwarder and does not allow it to be installed?
All I want is to know the way to create data from the device, such as the botsv2 data, and analyze it in Splunk.


PickleRick
SplunkTrust

The way to get "data like bots dataset" would be to ingest it with a UF and then copy out buckets with indexed data.

Also remember that if an incident had already happened the attackers might have removed as many traces of their activity as they could. You can try to do some forensic analysis but that's not something Splunk is meant for. Yes, in a skilled person's hands it can be a tool helping in such analysis but it's not a forensic solution.

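For the case raised in the thread (a Windows host that cannot take a Universal Forwarder, with the logs exported to a folder and then indexed elsewhere), here is an added example that is not from any of the posters: it exports the native .evtx files with wevtutil instead of a CSV, so the Windows TA's field extractions still apply once the files are indexed on a Windows Splunk Enterprise instance through the preprocess-winevt sourcetype. The staging folder, the log list and the hash manifest name are assumptions, not anything the thread specifies.

```powershell
# Added example: collect Windows event logs from a host without a forwarder
# for offline ingestion into Splunk. Run from an elevated PowerShell prompt.
$ExportDir = 'C:\IR\evtx'   # assumption: local staging folder on the affected host
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# Channels that usually matter when reconstructing an intrusion timeline.
# Assumed list; Sysmon only exists if it was installed before the incident.
$Logs = @(
    'Security',
    'System',
    'Application',
    'Microsoft-Windows-PowerShell/Operational',
    'Microsoft-Windows-TaskScheduler/Operational',
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
    'Microsoft-Windows-Sysmon/Operational'
)

foreach ($Log in $Logs) {
    # Channel names contain '/', which is not valid in a file name.
    $File = Join-Path $ExportDir (($Log -replace '[\\/]', '_') + '.evtx')
    # 'wevtutil epl' exports the log in its native binary format; Event Viewer's
    # CSV export is not the format the Splunk Windows TA expects.
    wevtutil epl $Log $File
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Export of '$Log' failed (exit code $LASTEXITCODE); channel may not exist"
    }
}

# Hash manifest so the copied files can be shown to match what was collected
# on the host (assumed file name).
Get-ChildItem -Path $ExportDir -Filter '*.evtx' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv -Path (Join-Path $ExportDir 'evtx_sha256.csv') -NoTypeInformation

Write-Host "Exported $((Get-ChildItem $ExportDir -Filter '*.evtx').Count) log files to $ExportDir"
```

On the Splunk side, copy the folder to a Windows Splunk Enterprise host and add a file monitor input for it (for example a `[monitor://C:\IR\inbox]` stanza in inputs.conf, path assumed) with `sourcetype = preprocess-winevt`, which Splunk uses to index exported .evt/.evtx files; Splunk on Linux cannot parse these files itself. Keep the original .evtx files and the hash manifest untouched after collection, since the indexed copy is what you search and the originals are what you fall back to if a field looks wrong.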