UFCFFY-15-M Cyber Security Analytics¶

Practical Lab 7: Working with Splunk and Python¶

In this lab, we will explore how we can integrate Splunk and Python. Whilst Splunk provides sophisticated means of analysis through the Splunk Query Language, the ability to integrate Python allows for even greater control of how we analyse and process our data. We can then make use of the extensive data science libraries in Python to perform further analytics.

Useful links:

General Guidance to Setup with DetectionLab instance

You can use the following examples to link up your UWEcyber VM with your DetectionLab logger machine that has an instance of Splunk running on it. This may be useful if you wish to obtain data from your DetectionLab to explore further in Python and Pandas.

First, make sure you have the Splunk SDK installed in your UWEcyber VM: python3 -m pip install splunk-sdk
Assuming that your DetectionLab is installed and running, you should be able to navigate to Splunk using a web browser - check that you can access Splunk at https://192.168.56.105:8000
From the DetectionLab/Vagrant directory, type: vagrant ssh logger to log into the logger machine via ssh.
Navigate to /opt/splunk/etc/system/local and type sudo nano server.conf
Add the line allowRemoteLogin = always under the [general] section of the configuration file. Save the file with Ctrl+S and exit with Ctrl+X.
Navigate to /opt/splunk/bin and type sudo ./splunk restart to restart Splunk. If asked for a password for user vagrant, type vagrant.
Type exit to exit the ssh session.

Basics of cURL usage for Splunk

https://docs.splunk.com/Documentation/SplunkCloud/8.2.2112/RESTTUT/RESTsearches

Try the following command curl -u admin:changeme -k https://192.168.56.105:8089/services/search/jobs -d search="search *". If the above is configured correctly, then your default credentials will allow you to get a XML response that contains a search ID. You can then follow this up for more information.

import splunklib.client as client

HOST = "192.168.56.105"
PORT = 8089
USERNAME = "admin"
PASSWORD = "changeme"

# Create a Service instance and log in 
service = client.connect(
    host=HOST,
    port=PORT,
    username=USERNAME,
    password=PASSWORD)

# Print installed apps to the console to verify login
for app in service.apps:
    print (app.name)

alert_logevent
alert_webhook
appsbrowser
force_directed_viz
introspection_generator_addon
journald_input
launcher
learned
legacy
link_analysis_app
lookup_editor
punchcard_app
python_upgrade_readiness_app
sample_app
sankey_diagram_app
search
splunk-dashboard-studio
splunk_archiver
splunk_essentials_8_2
splunk_gdi
splunk_httpinput
splunk_instrumentation
splunk_internal_metrics
splunk_metrics_workspace
splunk_monitoring_console
splunk_rapid_diag
splunk_secure_gateway
Splunk_TA_bro
Splunk_TA_windows
SplunkForwarder
SplunkLightForwarder
TA-asngen
TA-microsoft-sysmon
ThreatHunting

import pandas as pd

kwargs_oneshot = {"earliest_time": "2021-10-1T12:00:00.00", "latest_time": "2022-10-1T12:00:00.00"}

searchquery_oneshot = "| tstats count WHERE index=* by index"
oneshotsearch_results = service.jobs.oneshot(searchquery_oneshot, **kwargs_oneshot)

def splunk_to_pandas(reader):
    d = []
    for item in reader:
        entry = {}
        for i in item:
            entry[i] = item[i]
        d.append(entry)
    d = pd.DataFrame(d)
    return d

reader = results.ResultsReader(oneshotsearch_results)
d = splunk_to_pandas(reader)
d

import splunklib.results as results

kwargs_oneshot = {"earliest_time": "2021-10-1T12:00:00.00", "latest_time": "2022-10-1T12:00:00.00"}
searchquery_oneshot = "search index=suricata | head 10"

oneshotsearch_results = service.jobs.oneshot(searchquery_oneshot, **kwargs_oneshot)

reader = results.ResultsReader(oneshotsearch_results)
d = splunk_to_pandas(reader)
d

import splunklib.results as results

kwargs_oneshot = {"earliest_time": "2021-10-1T12:00:00.00", "latest_time": "2022-10-1T12:00:00.00"}
searchquery_oneshot = "search index=zeek | head 10"

oneshotsearch_results = service.jobs.oneshot(searchquery_oneshot, **kwargs_oneshot)

reader = results.ResultsReader(oneshotsearch_results)
d = splunk_to_pandas(reader)
d

	index	count
0	osquery	2995
1	osquery-status	8
2	suricata	46
3	zeek	7096

	_bkt	_cd	_indextime	_raw	_serial	_si	_sourcetype	_subsecond	_time	host	index	linecount	source	sourcetype	splunk_server
0	suricata~0~E9D1DED8-2B5E-4CE4-B073-6EDDE62A2180	0:2622	1647389357	{"timestamp":"2022-03-16T00:09:14.158750+0000"...	0	[logger, suricata]	suricata:json	.158750	2022-03-16T00:09:14.158+00:00	logger	suricata	1	/var/log/suricata/eve.json	suricata:json	logger
1	suricata~0~E9D1DED8-2B5E-4CE4-B073-6EDDE62A2180	0:2602	1647389354	{"timestamp":"2022-03-16T00:09:14.116753+0000"...	1	[logger, suricata]	suricata:json	.116753	2022-03-16T00:09:14.116+00:00	logger	suricata	1	/var/log/suricata/eve.json	suricata:json	logger
2	suricata~0~E9D1DED8-2B5E-4CE4-B073-6EDDE62A2180	0:2570	1647387852	{"timestamp":"2022-03-15T23:44:12.091112+0000"...	2	[logger, suricata]	suricata:json	.091112	2022-03-15T23:44:12.091+00:00	logger	suricata	1	/var/log/suricata/eve.json	suricata:json	logger
3	suricata~0~E9D1DED8-2B5E-4CE4-B073-6EDDE62A2180	0:2400	1647387297	{"timestamp":"2022-03-15T23:32:44.108479+0000"...	3	[logger, suricata]	suricata:json	.108479	2022-03-15T23:32:44.108+00:00	logger	suricata	1	/var/log/suricata/eve.json	suricata:json	logger
4	suricata~0~E9D1DED8-2B5E-4CE4-B073-6EDDE62A2180	0:2384	1647387297	{"timestamp":"2022-03-15T23:32:44.103102+0000"...	4	[logger, suricata]	suricata:json	.103102	2022-03-15T23:32:44.103+00:00	logger	suricata	1	/var/log/suricata/eve.json	suricata:json	logger
5	suricata~0~E9D1DED8-2B5E-4CE4-B073-6EDDE62A2180	0:2368	1647387297	{"timestamp":"2022-03-15T23:32:44.103095+0000"...	5	[logger, suricata]	suricata:json	.103095	2022-03-15T23:32:44.103+00:00	logger	suricata	1	/var/log/suricata/eve.json	suricata:json	logger
6	suricata~0~E9D1DED8-2B5E-4CE4-B073-6EDDE62A2180	0:2352	1647387297	{"timestamp":"2022-03-15T23:32:44.103089+0000"...	6	[logger, suricata]	suricata:json	.103089	2022-03-15T23:32:44.103+00:00	logger	suricata	1	/var/log/suricata/eve.json	suricata:json	logger
7	suricata~0~E9D1DED8-2B5E-4CE4-B073-6EDDE62A2180	0:2336	1647387297	{"timestamp":"2022-03-15T23:32:44.103078+0000"...	7	[logger, suricata]	suricata:json	.103078	2022-03-15T23:32:44.103+00:00	logger	suricata	1	/var/log/suricata/eve.json	suricata:json	logger
8	suricata~0~E9D1DED8-2B5E-4CE4-B073-6EDDE62A2180	0:2319	1647387297	{"timestamp":"2022-03-15T23:32:44.103064+0000"...	8	[logger, suricata]	suricata:json	.103064	2022-03-15T23:32:44.103+00:00	logger	suricata	1	/var/log/suricata/eve.json	suricata:json	logger
9	suricata~0~E9D1DED8-2B5E-4CE4-B073-6EDDE62A2180	0:2302	1647387297	{"timestamp":"2022-03-15T23:32:44.103006+0000"...	9	[logger, suricata]	suricata:json	.103006	2022-03-15T23:32:44.103+00:00	logger	suricata	1	/var/log/suricata/eve.json	suricata:json	logger

	_bkt	_cd	_indextime	_raw	_serial	_si	_sourcetype	_subsecond	_time	host	index	linecount	source	sourcetype	splunk_server
0	zeek~1~E9D1DED8-2B5E-4CE4-B073-6EDDE62A2180	1:25307	1647391442	{"ts":1647391439.448863,"uid":"ChwtJl1kqAQootk...	0	[logger, zeek]	zeek:json	.448863	2022-03-16T00:43:59.448+00:00	logger	zeek	1	/opt/zeek/spool/manager/ssl.log	zeek:json	logger
1	zeek~1~E9D1DED8-2B5E-4CE4-B073-6EDDE62A2180	1:25269	1647391442	{"ts":1647391439.448863,"uid":"CBzMvfpOZtcylE4...	1	[logger, zeek]	zeek:json	.448863	2022-03-16T00:43:59.448+00:00	logger	zeek	1	/opt/zeek/spool/manager/ssl.log	zeek:json	logger
2	zeek~1~E9D1DED8-2B5E-4CE4-B073-6EDDE62A2180	1:25284	1647391442	{"ts":1647391439.013609,"uid":"CYdh5Pv28gLesFo...	2	[logger, zeek]	zeek:json	.013609	2022-03-16T00:43:59.013+00:00	logger	zeek	1	/opt/zeek/spool/manager/ssl.log	zeek:json	logger
3	zeek~1~E9D1DED8-2B5E-4CE4-B073-6EDDE62A2180	1:25245	1647391442	{"ts":1647391439.013609,"uid":"CWxOT51gUL6S9F0...	3	[logger, zeek]	zeek:json	.013609	2022-03-16T00:43:59.013+00:00	logger	zeek	1	/opt/zeek/spool/manager/ssl.log	zeek:json	logger
4	zeek~1~E9D1DED8-2B5E-4CE4-B073-6EDDE62A2180	1:25229	1647391442	{"ts":1647391438.696717,"uid":"CiArdp4VpF78enx...	4	[logger, zeek]	zeek:json	.696717	2022-03-16T00:43:58.696+00:00	logger	zeek	1	/opt/zeek/spool/manager/ssl.log	zeek:json	logger
5	zeek~1~E9D1DED8-2B5E-4CE4-B073-6EDDE62A2180	1:25214	1647391442	{"ts":1647391438.696717,"uid":"CfMsvor6KIC1GHJ...	5	[logger, zeek]	zeek:json	.696717	2022-03-16T00:43:58.696+00:00	logger	zeek	1	/opt/zeek/spool/manager/ssl.log	zeek:json	logger
6	zeek~1~E9D1DED8-2B5E-4CE4-B073-6EDDE62A2180	1:25112	1647391439	{"ts":1647391436.877053,"uid":"CAeyRuKRL3MIDEX...	6	[logger, zeek]	zeek:json	.877053	2022-03-16T00:43:56.877+00:00	logger	zeek	1	/opt/zeek/spool/manager/ssl.log	zeek:json	logger
7	zeek~1~E9D1DED8-2B5E-4CE4-B073-6EDDE62A2180	1:25088	1647391439	{"ts":1647391436.874396,"uid":"Cmtgy53JFDOGT7F...	7	[logger, zeek]	zeek:json	.874396	2022-03-16T00:43:56.874+00:00	logger	zeek	1	/opt/zeek/spool/manager/ssl.log	zeek:json	logger
8	zeek~1~E9D1DED8-2B5E-4CE4-B073-6EDDE62A2180	1:25401	1647391444	{"ts":1647391436.868701,"uid":"CAeyRuKRL3MIDEX...	8	[logger, zeek]	zeek:json	.868701	2022-03-16T00:43:56.868+00:00	logger	zeek	1	/opt/zeek/spool/manager/conn.log	zeek:json	logger
9	zeek~1~E9D1DED8-2B5E-4CE4-B073-6EDDE62A2180	1:25362	1647391444	{"ts":1647391436.868701,"uid":"Cmtgy53JFDOGT7F...	9	[logger, zeek]	zeek:json	.868701	2022-03-16T00:43:56.868+00:00	logger	zeek	1	/opt/zeek/spool/manager/conn.log	zeek:json	logger