Recently, I wanted to learn more about Splunk, and SIEM tools in general. While I’ve lightly played with them in the past, I wanted to gain experience with tools like this. I decided on utilizing Splunk, as it is one of the most popular SIEM tools that are available.
Installing Splunk Enterprise
I chose to install Splunk Enterprise on a Ubuntu 20.04 Hyper-V virtual machine. Since this will only be for testing/playing with sample data, I’ll be leaving a majority of default settings on the VM as-is.
Installing Splunk was relatively easy. I downloaded the “.deb” Splunk Enterprise files from Splunk’s website, clicked on the download, and installed the package via the “Software Install” on Ubuntu. Once installed, I did the following command to start Splunk on start:
/opt/splunk/bin/splunk enable boot-startIngestion of Sample Data
Once the Splunk environment was set up, I wanted to get sample data into the environment. While I could have installed and set up multiple agents to get data, I wanted to get data from devices that I didn’t have, such as Azure logs. This would give me an understanding of data from technologies that are used in today’s organizations.
After researching, I found the “Boss of the SOC” dataset that Splunk specifically created for this type of training. It has several different data points, such as Azure, Microsoft 365, Cisco, and other tools. Before I added the dataset to my instance, I went ahead and installed all of the required add-ons. At the time of performing this, there have been some add-ons that were depreciated. For those, I went ahead and found ones that may have replaced them.
Once they are all installed, I went ahead and copied the sample data into the instance. This is done by copying the Github project (I chose via ZIP as I’m using a GUI-based Linux distro). Then, I copied the contents of the file into the Splunk directory. Once copied, I restarted my Splunk instance. To verify that the data has been ingested, I went ahead and ran the following search:
index=botsv3 earliest=0After a few moments, I was able to see that there are over 2 million events that are now in my instance.
Now that I have Splunk set up, I can now practice different types of searches, review different types of logs, and learn how Splunk functions.