Introduction

We will tackle a straightforward simulated breach scenario by diving into AWS CloudTrail logging using Splunk.


Splunk subscription cost and memes apart, it’s a brilliant go-to platform when it comes to log segregation and investigation.

SOF-ELK needs no introduction. The platform is a customized build of the open source Elastic stack, consisting of the Elasticsearch storage and search engine, the Logstash ingest and enrichment system, the Kibana dashboard frontend, and the Elastic Beats log shipper (specifically Filebeat).

We’re trying to keep things simple to get you familiar with the nitty-gritty of CloudTrail logging.

In this writeup, we’ll import the downloaded CloudTrail JSON file(s) and get right into the investigation.

Pre-Requisites

This article isn’t an AWS CloudTrail or a Splunk/SOF-ELK primer. I would advise you to get acquainted with AWS at least at a practitioner level. We’ll be looking at things that look odd and smell malicious!

An up-and-running Splunk server, on Linux or Windows. It’s really easy, give it a go.

Start here: Splunk Tutorial: Getting Started Using Splunk | Splunk

My two cents: the quickest way to get started is using Docker on an Ubuntu machine.

# Run these as root, or prefix each command with sudo
# Install the Docker application
snap install docker
# Pull the Docker image
docker pull splunk/splunk:latest
# Run the container. Replace the sample password below with a strong one of your own, else it won't start!
docker run -d -p 8000:8000 -e SPLUNK_START_ARGS='--accept-license' -e SPLUNK_PASSWORD='admin@123' splunk/splunk:latest
# Then open localhost:8000 in a browser

Download Practice Files

PracticeFiles.7z

Sample CloudTrail Event

Using SOF-ELK