# splunk

https://splunkbase.splunk.com/app/3186
https://www.splunk.com/en_us/download/universal-forwarder.html
https://www.splunk.com/en_us/download/splunk-enterprise.html?locale=en_us
https://www.bitsioinc.com/install-splunk-linux/

## Get license
https://www.youtube.com/watch?v=SEc6-Ma1B-s&list=PLSr58-DJdRybowRyR8gp4cbLtoQektcze&index=4

## set up on linux
https://www.youtube.com/watch?v=_3yDDzKddwQ

## Set up on windows
https://takahiro-oda.medium.com/splunk-how-to-capture-log-using-splunk-universal-forwarder-b6b87ae62a8b

## Search document
https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/Search/Usethestatscommandandfunctions

## Web data
https://www.youtube.com/watch?v=9ZGZ-UhtUuQ

## FW
https://medium.com/@black_Diamond/easy-steps-to-connect-fortigate-firewall-with-splunk-part-3-7c949f8ca761

## monitor
https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/Monitorfilesanddirectorieswithinputs.conf

## Incident response
https://medium.com/@Mx0o14/tryhackme-incident-handling-with-splunk-1f21fa04b644
https://www.youtube.com/watch?v=4Jau-Wj-mkE&list=PLqM63j87R5p42cBwRwI24FQeF7oEBFmka

Universal forwarder commands (point the forwarder at the indexer, add or remove monitored files, restart):

```
# 0.0.0.0 is a placeholder; use the indexer's address
/opt/splunk/bin/splunk add forward-server 0.0.0.0:9997
/opt/splunk/bin/splunk add monitor /var/log/apache2/access.log -sourcetype apache:access -index web
/opt/splunk/bin/splunk add monitor /var/log/apache2/error.log -sourcetype apache:error -index web
/opt/splunk/bin/splunk restart
/opt/splunk/bin/splunk remove monitor /var/log/apache2/access.log -sourcetype apache:access -index web
```

# suricata

https://123host.vn/community/tutorial/huong-dan-cai-dat-suricata-tren-ubuntu-20-04.html
https://123host.vn/community/tutorial/huong-dan-thiet-lap-suricata-lam-he-thong-ngan-chan-xam-nhap-ips-tren-ubuntu-20-04.html
https://docs.suricata.io/en/latest/quickstart.html#installation

# WAZUH

https://documentation.wazuh.com/current/quickstart.html
https://documentation.wazuh.com/current/installation-guide/uninstalling-wazuh/central-components.html
https://medium.com/@RitajBiri/wazuh-installation-guide-on-rhel-085364183590

## remove wazuh agent
https://github.com/wazuh/wazuh/issues/3064

## 500 internal error
https://www.reddit.com/r/Wazuh/comments/154mg67/need_help_internal_server_error_500/

## file monitor
https://medium.com/@RitajBiri/wazuh-file-integrity-monitoring-ec9d30764c30
https://www.youtube.com/watch?v=qeYgMSaUZhM&list=PLissCAcRHDmKLFYXQQxuOOFow1wypOdlP&index=4

## bash history
https://medium.com/@RitajBiri/bash-history-logging-with-rsyslog-forwarding-the-logs-to-wazuh-5cb9d1319c6f

## System auditing
https://www.youtube.com/watch?v=O7Q1dMuGMNM&list=PLI0vJRMEGNYR19bcKXIIi0c3BV1GJ1t-A&index=5

## Wazuh - Monitor & Analyze AWS CloudTrail Service
https://www.youtube.com/watch?v=xqqJ5kJDQxU&list=PLissCAcRHDmKLFYXQQxuOOFow1wypOdlP&index=6

## monitor Docker
https://www.youtube.com/watch?v=6w7KEy6TSq8&list=PLI0vJRMEGNYR19bcKXIIi0c3BV1GJ1t-A&index=11

Dashboard login:

```
User: admin
Password: 1z*+3lq97ZBRsVn3CPCr8w.q9s82kDbD
```

Agent management and service start-up:

```
/var/ossec/bin/manage_agents
systemctl start wazuh-dashboard
systemctl start wazuh-manager
systemctl start wazuh-indexer
```

# Elasticsearch & kibana

https://serverfault.com/questions/699977/ubuntu-uninstall-elasticsearch
https://webhostinggeeks.com/howto/how-to-uninstall-elasticsearch-on-ubuntu/

## Download and install the Debian package manually
https://www.elastic.co/guide/en/elasticsearch/reference/current/deb.html
https://viblo.asia/p/series-elasticsearch-huong-dan-cai-dat-elasticsearch-tren-linux-djeZ10EQKWz

## Docker
https://viblo.asia/p/elasticsearch-zero-to-hero-1-elasticsearch-la-gi-cai-dat-the-nao-GyZJZxgbVjm
https://viblo.asia/p/phan-5-elasticsearch-modeling-data-and-handling-relationships-V3m5W2qQlO7
https://viblo.asia/p/tich-hop-elasticsearch-va-kibana-vao-docker-compose-Az45bymqlxY
https://www.youtube.com/watch?v=JOZ41DtKcNw&list=PLwJr0JSP7i8AgjUjKnecVUN2i3txuS-1J&index=4

Index and document operations (Kibana console syntax):

```
GET _cat/indices?v

PUT /product?pretty            # create index

PUT /product/_doc/1            # create a document in an index
{
  "name": "sheng",
  "age": 20
}

GET /product/_doc/1?pretty     # read a document from an index

POST /_bulk                    # create or update many documents at once
{"index":{"_index":"product","_id":3}}
{"name": "ten3","age":20}
{"index":{"_index":"product","_id":4}}
{"name": "ten4","age":20}
```

Bulk-load a file from the shell:

```
curl -XPOST localhost:9200/bank/_bulk?pretty --data-binary @accounts.json -H 'Content-Type: application/json'
```

## search
https://www.youtube.com/watch?v=SsJjZUSAcFo&list=PLwJr0JSP7i8AgjUjKnecVUN2i3txuS-1J&index=4

```
GET /bank/_search
{
  "query": { "match_all": {} }
}
```

## monitor container
https://medium.com/@shala.p02/centralized-logging-using-elk-as-a-docker-container-for-microservices-in-just-4-steps-4f4cdf278712
https://discuss.elastic.co/t/filebeat-module-problem/219042

Output of the Elasticsearch package install (security auto-configuration):

```
Authentication and authorization are enabled.
TLS for the transport and HTTP layers is enabled and configured.

The generated password for the elastic built-in superuser is : TLYyTFGhRPxHu5NQp-Xx

If this node should join an existing cluster, you can reconfigure this with
'/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <token-here>'
after creating an enrollment token on your existing cluster.

You can complete the following actions at any time:

Reset the password of the elastic built-in superuser with
'/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'.

Generate an enrollment token for Kibana instances with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'.

Generate an enrollment token for Elasticsearch nodes with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'
```

=ea8ruCijhb5hHgPxVtX

## File Integrity Module
https://medium.com/opstree-technology/elastic-siem-an-event-tracking-feature-8aa35d37b919

# rsyslog

https://www.linkedin.com/pulse/how-install-set-up-rsyslog-server-linux-ubuntu-20041-akshay-sharma/

# snort

https://linuxier.com/how-to-install-snort-on-ubuntu/
https://systemweakness.com/tryhackme-snort-challenge-the-basics-de3bae9ee1b1

Q1: Write a rule to detect the PNG file in the given pcap.
Troubleshooting Rule Syntax Errors

# auditd log

About: A Linux Auditd rule set mapped to MITRE's Attack Framework
https://github.com/bfuzzy/auditd-attack/tree/master
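Added example for the `POST /_bulk` request in the Elasticsearch section above; it is not part of these notes and not Elastic's code. The bulk API takes newline-delimited JSON: one action line, then the document, and the body must end with a newline. The two functions below (`build_bulk_body` and `parse_bulk_body`, names chosen here) build such a body from a list of documents and validate a body before it is sent; the sample documents are constructed and mirror the two the notes index.

```python
import json

# Constructed sample documents (not from the notes); they mirror the two
# documents the notes push with POST /_bulk.
SAMPLE_DOCS = [
    {"name": "ten3", "age": 20},
    {"name": "ten4", "age": 20},
]


def build_bulk_body(index, docs, start_id=1):
    """Build the NDJSON body for POST /_bulk.

    Each document becomes two lines: an action line ({"index": {...}}) and
    the document itself. Elasticsearch requires the body to end with a
    newline, so one is appended after the last document.
    """
    lines = []
    for offset, doc in enumerate(docs):
        action = {"index": {"_index": index, "_id": start_id + offset}}
        lines.append(json.dumps(action, separators=(",", ":")))
        lines.append(json.dumps(doc, separators=(",", ":")))
    return "\n".join(lines) + "\n"


def parse_bulk_body(body):
    """Validate a bulk body before sending it; return (index, id, doc) tuples.

    Checks the things that make _bulk answer with a 4xx: a missing trailing
    newline, an action line without its document line, an action other than
    index/create, an action with no _index, or a line that is not JSON
    (json.loads raises JSONDecodeError, a ValueError). Only index and create
    are handled; delete has no document line and is rejected here.
    """
    if not body.endswith("\n"):
        raise ValueError("bulk body must end with a newline")
    lines = body[:-1].split("\n")
    if len(lines) % 2:
        raise ValueError("every action line must be followed by a document line")
    entries = []
    for i in range(0, len(lines), 2):
        action = json.loads(lines[i])
        if len(action) != 1 or next(iter(action)) not in ("index", "create"):
            raise ValueError("unsupported action on line %d: %s" % (i + 1, lines[i]))
        meta = next(iter(action.values()))
        if "_index" not in meta:
            raise ValueError("action on line %d has no _index" % (i + 1))
        doc = json.loads(lines[i + 1])
        entries.append((meta["_index"], meta.get("_id"), doc))
    return entries


if __name__ == "__main__":
    body = build_bulk_body("product", SAMPLE_DOCS, start_id=3)
    print(body, end="")
    print(parse_bulk_body(body))
```

Write the returned body to a file and send it exactly as the notes do, with `curl --data-binary @file`: `-d`/`--data` strips newlines from a file argument, which turns a valid bulk body into one long line that Elasticsearch rejects.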