
Log Analysis with Splunk

Overview


Room URL: https://tryhackme.com/room/splunkforloganalysis-aoc2025-x8fj2k4rqp
Difficulty: Medium
Category: SOC Monitoring
Date Completed: 12/3/2025

Objectives

  • Ingest and interpret custom log data in Splunk
  • Create and apply custom field extractions
  • Use Search Processing Language (SPL) to filter and refine search results
  • Conduct an investigation within Splunk to uncover key insights

Table of Contents

Introduction
Walk Through
Lessons Learned
Resources


Introduction

This is an introduction to the room.


Walk Through

  1. Start the Splunk online instance (the logs are already ingested when the VM starts)
  2. What is the attacker IP found attacking and compromising the web server?
    1. Search index=main with the timeframe set to All Time
      1. Two source types are present: web_traffic and firewall_logs
      2. The web server's local IP is 10.10.1.5
    2. index=main sourcetype=web_traffic to view just web traffic
    3. index=main sourcetype=web_traffic | timechart span=1d count to visualize the timeline
      • splunk1.png
    4. Sort the timechart so the days with the highest count appear first. Search query: index=main sourcetype=web_traffic | timechart span=1d count | sort by count | reverse
    5. Using the events tab to see data about the events and interesting fields
    6. The client_ip interesting field shows 198.51.100.55 with 7,876 entries
  3. Which day was the peak traffic in the logs? (Format: YYYY-MM-DD)
    1. The three interesting fields date_year, date_month and date_mday show the year, month and day of the peak traffic
    2. October 12, 2025
  4. What is the count of Havij user_agent events found in the logs?
    1. This can be found in the user_agent interesting field.
    2. 993
  5. How many path traversal attempts to access sensitive files on the server were observed?
    1. Filter out benign browser traffic by adding user_agent!=*Mozilla* user_agent!=*Chrome* user_agent!=*Safari* user_agent!=*Firefox* to the query
      1. This query helps narrow down suspicious IPs: sourcetype=web_traffic user_agent!=*Mozilla* user_agent!=*Chrome* user_agent!=*Safari* user_agent!=*Firefox* | stats count by client_ip | sort -count | head 5
    2. Reconnaissance: sourcetype=web_traffic client_ip="198.51.100.55" AND path IN ("/.env", "/*phpinfo*", "/.git*") | table _time, path, user_agent, status
      1. Requests from curl and wget were answered with 404, 401 and 403
      2. splunk2.png
    3. Vulnerability testing: sourcetype=web_traffic client_ip="198.51.100.55" AND (path="*..*" OR path="*redirect*") (SPL evaluates OR before AND, so the parentheses only make the intent explicit: both path patterns are restricted to the attacker IP)
      • This shows what the attackers were trying to access
    4. sourcetype=web_traffic client_ip="198.51.100.55" AND (path="*..*" OR path="*redirect*") | stats count by path (the wildcards are required; an exact match on ".." or "redirect" would return no events)
      • This displays how many attempts there were for each path.
      • splunk3.png
      • 658 attempts to access /etc/passwd
      • 633 url redirects
  6. Examine the firewall logs. How many bytes were transferred to the C2 server IP from the compromised web server?
    1. sourcetype=firewall_logs src_ip="10.10.1.5" AND dest_ip="198.51.100.55" AND action="ALLOWED" | table _time, action, protocol, src_ip, dest_ip, dest_port, reason
      • View the C2 events
    2. sourcetype=firewall_logs src_ip="10.10.1.5" AND dest_ip="198.51.100.55" AND action="ALLOWED" | stats sum(bytes_transferred) by src_ip
      • Sum the bytes transferred
      • splunk4.png
      • 126167
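
The three filters used in the walkthrough (browser user-agent exclusion, wildcard path matching for traversal and redirect attempts, and the byte sum for ALLOWED traffic from the web server to the C2 IP) re-implemented in Python over constructed sample events, as an added example that is not part of the room or the original notes; the event records and byte counts are made up, only the field names follow the writeup.

```python
from fnmatch import fnmatchcase

# Constructed sample events (not the room's dataset); field names follow the
# writeup: client_ip, path, user_agent, status / src_ip, dest_ip, action, bytes_transferred.
WEB_TRAFFIC = [
    {"client_ip": "198.51.100.55", "path": "/../../etc/passwd", "user_agent": "Havij", "status": 200},
    {"client_ip": "198.51.100.55", "path": "/redirect?url=http://198.51.100.55/", "user_agent": "curl/8.0", "status": 302},
    {"client_ip": "198.51.100.55", "path": "/.env", "user_agent": "Wget/1.21", "status": 404},
    {"client_ip": "203.0.113.7", "path": "/index.html", "user_agent": "Mozilla/5.0 Chrome/120", "status": 200},
    {"client_ip": "198.51.100.55", "path": "/..%2f..%2fetc/passwd", "user_agent": "Havij", "status": 200},
]
FIREWALL_LOGS = [
    {"src_ip": "10.10.1.5", "dest_ip": "198.51.100.55", "action": "ALLOWED", "bytes_transferred": 1000},
    {"src_ip": "10.10.1.5", "dest_ip": "198.51.100.55", "action": "BLOCKED", "bytes_transferred": 500},
    {"src_ip": "10.10.1.5", "dest_ip": "203.0.113.7", "action": "ALLOWED", "bytes_transferred": 250},
    {"src_ip": "10.10.1.5", "dest_ip": "198.51.100.55", "action": "ALLOWED", "bytes_transferred": 3000},
]

BROWSER_UA = ("*Mozilla*", "*Chrome*", "*Safari*", "*Firefox*")
PATH_CLASSES = {"traversal": "*..*", "redirect": "*redirect*"}

def spl_match(value, pattern):
    """Approximate an SPL field=value wildcard: '*' matches anything, comparison is case-insensitive."""
    return fnmatchcase(value.lower(), pattern.lower())

def non_browser_clients(events):
    """Equivalent of: user_agent!=*Mozilla* ... user_agent!=*Firefox* | stats count by client_ip | sort -count."""
    counts = {}
    for e in events:
        if any(spl_match(e["user_agent"], pat) for pat in BROWSER_UA):
            continue  # browser traffic is excluded; scanners, curl, wget and similar tools are kept
        counts[e["client_ip"]] = counts.get(e["client_ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])

def attack_paths(events, client_ip):
    """Equivalent of: client_ip=X AND (path="*..*" OR path="*redirect*") | stats count,
    aggregated per class (traversal vs. redirect) rather than per exact path."""
    counts = {name: 0 for name in PATH_CLASSES}
    for e in events:
        if e["client_ip"] != client_ip:
            continue
        for name, pat in PATH_CLASSES.items():
            if spl_match(e["path"], pat):
                counts[name] += 1
    return counts

def c2_bytes(events, src_ip, dest_ip):
    """Equivalent of: src_ip=.. AND dest_ip=.. AND action="ALLOWED" | stats sum(bytes_transferred)."""
    return sum(e["bytes_transferred"] for e in events
               if e["src_ip"] == src_ip and e["dest_ip"] == dest_ip and e["action"] == "ALLOWED")
```

Running the three functions over the sample data gives the same shape of result as the SPL stats tables in the walkthrough: the non-browser client list, the per-class attempt counts, and the ALLOWED byte total (blocked connections are not counted).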

Lessons Learned


Resources

TryHackMe