
[SOLVED] Cs6261 project 1- splunk project fall25

Assignment:

Complete the Splunk Boss of the SOC exercise, answering as many questions as possible. While this is an individual assignment, we do encourage collaboration. Feel free to pose questions on Ed Discussion and to help your fellow students, but do not give away answers.


Background:

The purpose of this project is to build a foundation in log analysis, which is a necessary skill set for carrying out incident response activities. System and security log analysis helps incident responders determine what actions to take to identify, contain, eradicate, and recover from an incident.

There are many tools available for performing log analysis, but for this class we will use Splunk, which is one of the most popular tools available.

For this exercise, we will be leveraging the Splunk Boss of the SOC exercise. This exercise will give you familiarity with logs, log analysis, and Splunk. The exercise is a series of questions within the provided Splunk environment. The provided logs must be searched to identify answers to the provided questions.


Instructions:

  1. Log into the Splunk environment:
  2. Log in to Splunk using your normal Georgia Tech login/password
  3. The Splunk navigation bar at the top of the application will help you move around the Splunk environment.
  4. Click on the “Questions” link in the navigation bar to see the questions you will be answering for this assignment.
  5. Click on the “Search” link in the navigation bar to open the Splunk Search tool and start querying the available logs to answer the assignment questions.
    • All relevant logs for this project are located in the “botsv3” index. Add index=botsv3 to your searches and make sure to search over “All time.”
  6. To change to All Time, on the far right side of the search bar, click the box that says “Last 24 hours”
  7. In the dropdown that appears, click “All time” under “Other”
  8. Submit answers on the “Questions” page.


What to submit:

The Splunk Capture the Flag application will keep track of your answers. We will use your score in Splunk to grade the assignment. Since this is a capture the flag competition, the number of points you earn for each question decreases the longer it takes you to answer and with each hint you use. Please note that the basis of your grade will be the number of correct answers, NOT the points you receive in Splunk. Bonus points will be awarded based on standing for a percentage of students to be determined.


Hints:

  • You can see which log types are available by looking at the list of “sourcetype”s:

    index="botsv3" | stats count by sourcetype
  • While we have changed the questions and answers from the originals, you can find some helpful walkthroughs of the original exercise by searching Google for “Boss of the SOC version 3.”
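As an added example (not part of the assignment text), a few searches that extend the sourcetype hint above into a quick orientation pass over the index. `tstats` reads the index metadata instead of scanning every event, so it returns the same sourcetype breakdown far faster than `stats count by sourcetype` on a large index; `metadata` lists first/last event times per sourcetype; `earliest=0` scopes a search to all time without touching the time picker. The `sourcetype=<name>` value is a placeholder to be replaced with one of the names returned by the first search.

```spl
| tstats count where index=botsv3 by sourcetype

| metadata type=sourcetypes index=botsv3 | sort - totalCount

index=botsv3 earliest=0 | stats count by sourcetype, source | sort - count

index=botsv3 earliest=0 sourcetype=<name> | fieldsummary maxvals=5 | table field count distinct_count values
```

The last search is the one to run before attempting a question: `fieldsummary` shows which fields Splunk extracted for that log type and the most common values, which tells you what you can filter and `stats` on without first reading raw events.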


Resources:

  1. Note that the “How to Search” section in the Splunk Search tool provides resources to help you learn Splunk
  2. Splunk makes many courses available for free to students at https://workplus.splunk.com/universities
  3. Many of the questions you will need to answer will require separate research on the log format and how to interpret logs for various types of systems.
  4. If you enjoyed this and want to do more similar exercises, Splunk has more available at https://bots.splunk.com
