
Understanding Splunk Architecture

Splunk is a powerful platform for searching, monitoring, and analyzing machine-generated data. Its architecture consists of three primary components:

1. Forwarder

The forwarder runs on or near the data source and ships log data to the indexers. Splunk provides two types of forwarders:

  • Universal Forwarder: a lightweight agent that collects and forwards raw data with minimal CPU and memory overhead; it does not parse events.
  • Heavy Forwarder: a full Splunk Enterprise instance that can parse, filter, mask, and route events before forwarding them, at the cost of a much larger footprint.

2. Indexer

The indexer receives data from forwarders, parses it into events, and writes both the raw data and the indexes that make it searchable into time-based buckets on disk. Indexers also act as search peers: when a search runs, each indexer executes its share of the search over its own buckets and returns partial results to the search head.

3. Search Head

The search head is the user interface that allows analysts to run search queries and interact with indexed data. It distributes the search queries to indexers and aggregates the results.

Splunk’s architecture is scalable, allowing organizations to adapt it based on their data ingestion and analysis needs.

Common Splunk Commands for SOC Analysts

SOC analysts regularly use Splunk to monitor security events and detect threats. The examples below assume Windows Security event logs stored in an index named security with sourcetype windows:security; adjust both to match your own inputs (with the Splunk Add-on for Microsoft Windows the Security channel typically arrives with source WinEventLog:Security, or XmlWinEventLog:Security when renderXml is enabled). Some essential commands:

1. stats

The stats command is used to generate statistics, such as count, sum, or average, for data sets.

Example: Count successful logons (Event Code 4624) per account.

index=security sourcetype=windows:security EventCode=4624 
| stats count by Account_Name

2. timechart

This command creates a time-based chart of data.

Example: Show failed logon attempts (Event Code 4625) per account in one-hour bins.

index=security sourcetype=windows:security EventCode=4625 
| timechart span=1h count by Account_Name

3. eval

eval creates a new field, or overwrites an existing one, from an expression; if() is one of the most common expressions in security searches.

Example: Tag logon events as ‘success’ or ‘failure’. The search is restricted to Event Codes 4624 and 4625; without that filter every other Security event would be labelled a failure.

index=security sourcetype=windows:security (EventCode=4624 OR EventCode=4625) 
| eval login_status=if(EventCode==4624, "success", "failure")

4. top

The top command returns the most frequent values of a field, with their counts and percentages.

Example: Find the top 5 usernames with the most failed logins.

index=security sourcetype=windows:security EventCode=4625 
| top limit=5 Account_Name

Basic Detection Rules for Splunk

1. Brute-Force Attack Detection

A brute-force attack shows up as a burst of failed logon attempts against an account; when one of the guesses is correct, the burst is followed by a successful logon. The following Splunk query flags accounts that show both patterns by counting Windows Event Codes 4625 (failed logon) and 4624 (successful logon):

index=security sourcetype=windows:security 
(EventCode=4625 OR EventCode=4624) 
| stats count(eval(EventCode=4625)) AS failed_logins, count(eval(EventCode=4624)) AS successful_logins by Account_Name 
| where failed_logins > 5 AND successful_logins >= 1

This query returns accounts with more than 5 failed logons (Event Code 4625) and at least one successful logon (Event Code 4624) in the search's time range. Note that stats discards event order, so it cannot tell whether the success came after the failures; to require that ordering, compare the time of the first success with the times of the failures (for example by also collecting min(_time) and max(_time) per Event Code), or use streamstats to count the failures preceding each successful logon. Run the search over a bounded window (for example the last hour) and exclude computer accounts, whose names end in $, so the rule does not fire on routine machine logons. In classic-format Windows events Account_Name is multivalued (both the Subject and the Target account carry that field name), so prefer the add-on's user field or pick the target value with mvindex.

2. Unauthorized Access Detection

This detection flags accounts that accumulate an unusually high number of failed logons on a single host, which may indicate password guessing or a service running with a stale credential:

index=security sourcetype=windows:security EventCode=4625 
| stats count by Account_Name, ComputerName 
| where count > 10

This query returns each account and host pair with more than 10 failed logons on that host in the search's time range. Tune the threshold to the environment, and consider a companion search that counts distinct Account_Name values per ComputerName: password spraying (a few attempts each against many accounts) stays under a per-account threshold and is only visible that way.
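To make the difference between the order-blind stats rule and an order-aware check concrete, here is an added example (not code from the original page) that replays both detection rules above in plain Python over constructed sample events carrying the same fields the searches use (_time, EventCode, Account_Name, ComputerName). The event records, account names and hostnames are constructed test data, and the function names (stats_rule, ordered_brute_force, failed_login_threshold) are this example's own; the order-aware variant also applies the window and machine-account exclusion recommended above.

```python
"""Replay of the two Splunk detection rules above in plain Python.

Added example, not code from the original page. All events, accounts
and hostnames below are constructed test data, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _burst(start, code, account, host, n, step_s=10):
    """Constructed helper: n events of one EventCode, step_s seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(seconds=i * step_s)).isoformat(), code, account, host)
            for i in range(n)]


# Constructed sample data: (ISO timestamp, EventCode, Account_Name, ComputerName).
SAMPLE_EVENTS = (
    _burst("2024-05-01T09:00:00", 4625, "alice", "WS01", 6)        # 6 failures ...
    + [("2024-05-01T09:01:00", 4624, "alice", "WS01")]              # ... then a success
    + [("2024-05-01T10:00:00", 4624, "bob", "WS02")]                # success first ...
    + _burst("2024-05-01T10:05:00", 4625, "bob", "WS02", 6)         # ... then 6 failures
    + _burst("2024-05-01T10:30:00", 4625, "WS01$", "DC01", 6)       # computer-account noise
    + [("2024-05-01T10:31:00", 4624, "WS01$", "DC01")]
    + _burst("2024-05-01T11:00:00", 4625, "carol", "FS01", 12, 5)   # 12 failures, no success
)


def parse_events(rows):
    """Turn raw tuples into dicts keyed like the Splunk fields, sorted by time."""
    events = [{"_time": datetime.fromisoformat(t), "EventCode": code,
               "Account_Name": acct, "ComputerName": host}
              for t, code, acct, host in rows]
    return sorted(events, key=lambda e: e["_time"])


def stats_rule(events, max_failures=5):
    """The page's stats rule: accounts with > max_failures 4625s and >= 1 4624,
    counted over the whole window with no regard to event order."""
    failed, succeeded = defaultdict(int), defaultdict(int)
    for e in events:
        if e["EventCode"] == 4625:
            failed[e["Account_Name"]] += 1
        elif e["EventCode"] == 4624:
            succeeded[e["Account_Name"]] += 1
    return {a for a, n in failed.items() if n > max_failures and succeeded[a] >= 1}


def ordered_brute_force(events, max_failures=5, window=timedelta(hours=1),
                        ignore_machine_accounts=True):
    """Order-aware variant: flag an account the first time a 4624 is preceded,
    within `window`, by more than max_failures 4625s for that same account.
    Returns {Account_Name: time of the successful logon}."""
    failures, hits = defaultdict(list), {}
    for e in events:                      # parse_events() already sorted by time
        acct = e["Account_Name"]
        if ignore_machine_accounts and acct.endswith("$"):
            continue                      # computer accounts end in '$'
        if e["EventCode"] == 4625:
            failures[acct].append(e["_time"])
        elif e["EventCode"] == 4624:
            recent = [t for t in failures[acct] if e["_time"] - t <= window]
            if len(recent) > max_failures:
                hits.setdefault(acct, e["_time"])
            failures[acct].clear()        # a success ends the failure streak
    return hits


def failed_login_threshold(events, threshold=10):
    """The page's second rule: (Account_Name, ComputerName) pairs with > threshold 4625s."""
    counts = defaultdict(int)
    for e in events:
        if e["EventCode"] == 4625:
            counts[(e["Account_Name"], e["ComputerName"])] += 1
    return {k: n for k, n in counts.items() if n > threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("stats rule (order-blind):", sorted(stats_rule(evs)))
    print("ordered brute force:     ", ordered_brute_force(evs))
    print("failed-logon threshold:  ", failed_login_threshold(evs))
```

Run as written, the order-blind rule flags alice, bob and the WS01$ computer account, because each has six failures and one success somewhere in the window; the order-aware check flags only alice, since bob's success came before the failures and WS01$ is excluded as a machine account; the per-host threshold fires only for carol on FS01. That gap between the two brute-force results is exactly the false-positive class the stats version of the rule carries into production.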