Purpose: Document my experience and share knowledge on the Google cybersecurity certificate program Scope: Learn the foundations of cybersecurity and prepare for a career as a cybersecurity analyst

• Environment: Windows OS, Brave browser, and Splunk Cloud
• Accounts and Access: Google, coursera, and splunk accounts

• Objective: Perform a query with Splunk to locate failed SSH login(s) for the root account

• Download tutorialdata.zip file

• Click Add data

• Click upload

• Select a file and select tutorialdata.zip then click next

• By the host section select Segment in the path and enter 1 as the segment number

• Click the review button

• Click submit button

• On the homepage click search & reporting

• In the search bar type index=main this search term specifies the index. An index is a repository for data. Here, the index is a single dataset containing events from an index named main.

• Click the range dropdown menu and select All time

• Click the search button or press enter. Note that the search button is represented by the magnifying glass icon. Your search should retrieve thousands of events.

• Evaluate the fields. For each event the fields are host, source, and sourcetype. Under SELECTED FIELDS, examine the same fields.

  • Examine the field values by clicking on the field under SELECTED FIELDS. You should observe the following:

    • host: The host field specifies the name of the network host from which the event originated. In this search there are five hosts:

    • source: The source field indicates the file name from which the event originates. You should identify eight sources. Notice /mailsv/secure.log which is a log file that contains information related to authentication and authorization attempts on the mail server.

      

    • sourcetype: The sourcetype determines how data is formatted. You should observe three sourcetypes. Examine secure-2.

• Narrow search by clicking host and click mailsv

• Continue to narrow the search to locate any failed SSH logins for the root account. In the search bar enter index=main host=mailsv fail* root. This search expands on the search from the previous task and searches for the keyword fail*. The wildcard tells Splunk to expand the search term to find other terms that contain the word fail such as failure, failed, etc. Lastly, the keyword root searches for any event that contains the term root. Press Enter.

• Result

• There are a total of 109,864 events

• There are 346 failed ssh logins for the root account on the mail server

• Learnings: Querying in splunk

• Summary: Successfully determined the failed ssh logins on the mail server's root account

• https://www.splunk.com/
• Google Cybersecurity Certificate
• https://grow.google/certificates/cybersecurity/
• SPL syntax