CA#3 Analysis of SIEM Tools: Investigating Log files with TE, Splunk, and ELK
University: University of Limerick (UOL)
Subject: Cybersecurity
CA#3 Compare and contrast SIEM product offerings
The concept behind this CA is for you to investigate log files using a corporate SIEM solution like
Splunk or a mix of open-source and freely available tools.
• Task 1 – Examine given log files for suspicious activity using TimeLine Explorer (TE)
• Task 2 – Replicate Task 1 in Splunk SIEM environment
• Task 3 – Replicate Task 1 in ELK SIEM environment
• Task 4 – Compare and contrast user experience (UX) of three methods
Deliverable:
Doc/pdf report with log lists, screenshots, tables and analysis where
appropriate. This is YOUR analysis of the data, so it is your interpretation of the log files.
I am NOT looking for right/wrong answers but rather the process and rationale behind your
analysis. There is no page/word requirement or limit.
Starting point is to ‘read’ the log files (see Task 1 overleaf). Open them and get a sense of
how the data is arranged and what information is contained within them.
Task 1: pick 10 random log files from folders in Teams -> SIEM -> Files -> General ->
Compromised Logs. Use Timeline Explorer (TE) to identify suspicious activity and then use
Mitre ATT&CK and Google to determine if these are IoCs or benign activity.
Task 2: Use Splunk to analyse the log files
Task 3: Use ELK to analyse the log files
Task 4: Compare and contrast the UX of TE, Splunk and ELK
Task 1 – Timeline Explorer (25%)
On Teams->SIEM->Files->General->Compromised Logs->, there is a collection of logs from
compromised machines. These logs contain indicators of compromise (IoC) activity such as
Autorun, Network, Prefetch, and Scheduled Task. There are approximately 12 machine logs in
each section, totalling approx. 50 log files for you to choose from.
You are to choose (and list) 10 random log files from these Compromised Logs files. You are to
analyse them using TimeLine explorer, filtering trusted or normal activity to leave suspicious
activity. You may need to Google some content to decide if valid or suspicious, consult the
Mitre ATT&CK website and research events such as Windows services, file captures and
command strings (PowerShell etc). The number of ‘suspicious finds’ is up to you and the
selection of the log files, but you should limit this number to approx. 10 items. You can use a
table to summarise the findings:
It is important that you capture all your work by detailing this analysis, writing about these
Google searches and stating the rationale behind why you ignored or concentrated on a
particular IoC. Use screenshots, URLs and tables here to augment your report.
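In Timeline Explorer the filtering in Task 1 is done by hand in the grid. As an added example that is not part of the brief or of the course's log files, the script below does the same triage in Python: it reads an Autoruns-style CSV export, filters out entries that are verified-Microsoft-signed and show no warning sign, keeps the rest, and records for every row the rationale and the MITRE ATT&CK technique the persistence location maps to, which is exactly what the write-up asks for. The column names, the sample rows, the allowlist and the heuristics are constructed assumptions; the ATT&CK IDs (T1547.001, T1053.005) are the published ones. Note that the encoded PowerShell task is flagged even though powershell.exe itself is verified-signed, because the launch string, not the signer, is what matters there.

```python
"""Scripted version of the Task 1 triage: drop known-good autorun and scheduled-task
entries from a Timeline-Explorer-style CSV export, keep the rest, and record a
rationale plus MITRE ATT&CK technique for each row. All sample data is constructed."""
import csv
import io
import re

# Constructed sample export. The column names imitate an Autoruns CSV but are assumptions,
# not the layout of the course's log files.
SAMPLE_CSV = r'''Entry Location,Entry,Image Path,Launch String,Signer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,C:\Windows\System32\SecurityHealthSystray.exe,%windir%\system32\SecurityHealthSystray.exe,(Verified) Microsoft Windows
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe,C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background,(Verified) Microsoft Corporation
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,C:\Users\alice\AppData\Local\Temp\svchost.exe,C:\Users\alice\AppData\Local\Temp\svchost.exe,(Not verified)
Task Scheduler,\Microsoft\Windows\Defrag\ScheduledDefrag,C:\Windows\System32\defrag.exe,%windir%\system32\defrag.exe -c -h -o -$,(Verified) Microsoft Windows
Task Scheduler,\SysUpdate,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -nop -w hidden -enc SQBFAFgA,(Verified) Microsoft Windows
'''

# Allowlist and heuristics are assumptions chosen for this example.
TRUSTED_SIGNERS = {"(Verified) Microsoft Windows", "(Verified) Microsoft Corporation"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "c:\\programdata\\")
# Names of core Windows binaries; the same name outside a system directory is a classic lookalike.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}
# Persistence location -> ATT&CK technique (IDs as published by MITRE).
TECHNIQUE_BY_LOCATION = {
    "currentversion\\run": "T1547.001 Registry Run Keys / Startup Folder",
    "task scheduler": "T1053.005 Scheduled Task",
}


def technique_for(location):
    """Map the entry location to the ATT&CK technique used for the write-up table."""
    loc = location.lower()
    for needle, technique in TECHNIQUE_BY_LOCATION.items():
        if needle in loc:
            return technique
    return "unmapped"


def reasons_for(row):
    """Heuristics that make an entry worth a closer look; an empty list means 'filter out'."""
    path = row["Image Path"].lower()
    launch = row["Launch String"].lower()
    reasons = []
    if any(d in path for d in USER_WRITABLE):
        reasons.append("image lives in a user-writable directory")
    if row["Signer"] not in TRUSTED_SIGNERS:
        reasons.append("signer is not a verified Microsoft signer: " + row["Signer"])
    if path.rsplit("\\", 1)[-1] in SYSTEM_BINARY_NAMES and not path.startswith(SYSTEM_DIRS):
        reasons.append("system binary name outside a system directory")
    # A verified-signed powershell.exe still deserves attention when the launch string
    # hides the window or passes the command base64-encoded.
    if re.search(r"\s-(e|ec|en|enc|encodedcommand)\b", launch) or re.search(r"-w(indowstyle)?\s+hidden", launch):
        reasons.append("encoded or hidden PowerShell launch string")
    return reasons


def triage(csv_text):
    """Return one finding per row; filtered-out rows keep the rationale for ignoring them."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = reasons_for(row)
        findings.append({
            "entry": row["Entry"],
            "technique": technique_for(row["Entry Location"]),
            "verdict": "suspicious" if reasons else "trusted",
            "rationale": "; ".join(reasons) or "verified Microsoft signer and no heuristic fired",
        })
    return findings


def suspicious_entries(csv_text):
    """Just the entries that survive the filtering, in file order."""
    return [f["entry"] for f in triage(csv_text) if f["verdict"] == "suspicious"]


if __name__ == "__main__":
    for finding in triage(SAMPLE_CSV):
        print(f"{finding['verdict']:10} {finding['entry']:42} {finding['technique']:45} {finding['rationale']}")
```

Running the script prints all five rows with their verdict and rationale; the two Microsoft-signed entries in system and vendor directories and the Defrag task are filtered as trusted, while the Temp-directory svchost.exe lookalike and the hidden, encoded PowerShell task remain for Googling and ATT&CK research. Keeping the rationale for the ignored rows as well as the flagged ones is what lets the report explain why something was ignored rather than just listing what was kept.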
Task 2 – Splunk SIEM (20%)
This section challenges you to replicate your analysis using Splunk SIEM.
You should upload (some of) the 10 log files, individually or as a ZIP collective, and use Splunk
filtering to arrive at similar results OR conclusions to Task 1. This may require you to use
scripting to arrive at your answers. Important: you do NOT have to replicate the
results/analysis from Task 1, but rather assess the user experience (UX).
Your output in this section will invariably contain screenshots and scripts.
(If you are using Azure VM, you will need to uninstall and reinstall Splunk from installer on
Desktop. If you are having any difficulty doing this, then I can do this remotely).
Task 3 – ELK SIEM (35%)
This section challenges you to set up an ELK Elastic account and access their SIEM on the
cloud. They offer a 14-day trial and provide sample data or allow you to upload files.
This element of the assessment provides you with the opportunity to explore other SIEM
environments. As in Task 2 above, upload the 10 log files individually and use ELK
Discover/Visualise to arrive at similar results OR conclusions from Task 1.
Your output in this section will invariably contain screenshots and scripts.
Task 4 – Compare and contrast the UX of TE, Splunk and ELK (20%)
The learning outcome and deliverable in this subsection is the UX associated with using
Timeline Explorer in Task 1 and the Splunk and ELK SIEMs in Tasks 2 and 3. For example, it might be useful to create
comparison criteria such as data import, filtering, data representation and ease-of-use. You
can decide on other criteria and create a comparison table, for example, but this is just a
suggestion.
4.1 Introduction
4.2 Criteria
4.2.1 Criteria 1
Text and screenshots of 3 applications (TE, Splunk, ELK)
4.2.2 Criteria 2
Text and screenshots of 3 applications (TE, Splunk, ELK)
Etc.