The premise of this project is to demonstrate my understanding and in-depth knowledge of the tools Splunk and Phantom (security orchestration, automation, and response, or SOAR). The first part is an investigation into a suspicious email artifact that I created and processed with a custom Phantom playbook. The second part is the Graylog challenge (Pepper Minstix) set up by SANS for their Holiday Hack Challenge of 2019. The final report will be linked in the References section.
Note: This project was part of my midterm for the Information Systems Security Auditing course, in which I received a grade of 100% for this practical.
The tools used here are the following:
- Splunk
- Phantom (SOAR)
- Oracle VM VirtualBox
- Windows 10 ISO
Practical 1
- For the first problem, I created a new suspicious email container with 2 suspicious artifacts (of email type, each carrying the IP address of the email).
- Printed out all of the artifacts' IP addresses by invoking the collect() function in Phantom.
- Finally, I checked the debugger log to verify and confirm that the files were actually run.
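The three steps above, written out as a Phantom playbook. This is an added example, not the playbook from the project or Phantom's own code: it collects the sourceAddress CEF field of every artifact in the container with phantom.collect() and writes the result to the debug log with phantom.debug(). Because the phantom.rules module only exists inside Phantom, the block substitutes a small local shim of those two calls when the import fails, so it can be run offline; the datapath form it accepts ("artifact:*.cef.<field>") and the scope="all" keyword are assumptions about the Phantom API, and the container and artifacts are constructed for the example.

```python
"""
Added example, not the project's playbook or Phantom's own code: a playbook
that mirrors Practical 1.  It pulls the sourceAddress CEF field from every
artifact in a container with phantom.collect() and logs it with
phantom.debug().  Outside Phantom the phantom.rules module is unavailable, so
a minimal shim of the two calls used here is substituted.  Assumptions: the
datapath grammar "artifact:*.cef.<field>" and the scope keyword of collect().
The container and artifacts are constructed for the example.
"""
import ipaddress
import re

try:
    import phantom.rules as phantom  # real API when the playbook runs inside Phantom
except ImportError:  # running offline: substitute a local shim
    from types import SimpleNamespace

    _debug_log = []

    def _collect(container, datapath, scope="new"):
        # Assumption: only "artifact:*.cef.<field>" datapaths are needed here.
        # The real API's scope="new" returns only artifacts added since the
        # last run; the shim accepts the argument and treats every artifact as new.
        match = re.fullmatch(r"artifact:\*\.cef\.(\w+)", datapath)
        if not match:
            raise ValueError("unsupported datapath: %r" % datapath)
        field = match.group(1)
        return [a["cef"][field] for a in container.get("artifacts", [])
                if field in a.get("cef", {})]

    def _debug(message):
        _debug_log.append(str(message))
        print("DEBUG: %s" % message)

    phantom = SimpleNamespace(collect=_collect, debug=_debug, debug_log=_debug_log)


# Constructed sample container: two email artifacts, a duplicate of the second,
# and one artifact whose address field is malformed.  The "artifacts" key is
# only read by the shim; inside Phantom, collect() fetches artifacts by container id.
SAMPLE_CONTAINER = {
    "id": 1,
    "name": "Suspicious email",
    "label": "events",
    "artifacts": [
        {"name": "email 1", "label": "email",
         "cef": {"sourceAddress": "203.0.113.10", "fromEmail": "billing@example.net"}},
        {"name": "email 2", "label": "email",
         "cef": {"sourceAddress": "198.51.100.7", "fromEmail": "hr@example.org"}},
        {"name": "email 2 (forwarded copy)", "label": "email",
         "cef": {"sourceAddress": "198.51.100.7"}},
        {"name": "broken artifact", "label": "email",
         "cef": {"sourceAddress": "not-an-ip"}},
    ],
}


def collect_artifact_ips(container, scope="all"):
    """Return the unique, valid IP addresses from the artifacts' sourceAddress field.

    Values that do not parse as an IP address are logged and skipped, so a typo
    in an artifact cannot poison a later block (a reputation lookup or a block action).
    """
    raw = phantom.collect(container, "artifact:*.cef.sourceAddress", scope=scope)
    valid = []
    for value in raw:
        try:
            ipaddress.ip_address(value)
        except ValueError:
            phantom.debug("Skipping artifact value that is not an IP address: %r" % value)
            continue
        if value not in valid:  # de-duplicate while preserving artifact order
            valid.append(value)
    return valid


def on_start(container):
    """Playbook entry point: Phantom calls this with the container the playbook runs on."""
    phantom.debug("Playbook started on container %s (%s)" % (container["id"], container["name"]))
    ips = collect_artifact_ips(container)
    phantom.debug("Artifact IP addresses: %s" % ", ".join(ips))
    return ips


def on_finish(container, summary):
    """Phantom calls this after every block has completed; summary is its JSON string."""
    phantom.debug("Playbook finished on container %s" % container["id"])


def debug_messages():
    """Messages recorded by the shim (empty when running inside Phantom)."""
    return list(getattr(phantom, "debug_log", []))


if __name__ == "__main__":
    on_start(SAMPLE_CONTAINER)
    on_finish(SAMPLE_CONTAINER, "{}")
```

Run stand-alone, the shim prints the debug lines that Phantom would show in the playbook debugger, including the skipped malformed artifact; inside Phantom the same code takes the real phantom.collect() path and the shim is never loaded.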
Practical 2
Note: Please refer to the written report for more in-depth detail.
- Learned how to use Phantom playbooks and the different functions available in a playbook's Python script, such as collect(), on_start(), phantom.debug(container), etc.
- Learned how to create a container which holds suspicious artifacts.
- Learned how to add and customize suspicious artifacts within the container.
- Understood how to use search techniques in Splunk, such as keywords like EventID, pipe functions, source and destination IP addresses, boolean conditions, LogonType, HostName, etc.
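The search techniques listed above, put together in one query and reproduced offline. This is an added example, not code from the project or its report: the field terms joined by an implicit AND, a NOT term, and a piped stats stage are implemented in Python over a handful of constructed Windows Security events so the result can be checked without a Splunk instance. The index name, the key=value field names (EventID, LogonType, HostName, SourceIP, DestIP, Account) and the sample events are assumptions; Splunk's own field names for Windows events depend on the add-on in use.

```python
"""
Added example, not from the project or its report: the Splunk search pattern
from Practical 2 over constructed Windows Security events.  Equivalent SPL,
with an assumed index name and the simplified field names used below:

    index=wineventlog EventID=4624 LogonType=10 HostName=WS-02 NOT SourceIP=10.0.0.5
    | stats count by SourceIP, Account

Real Splunk field names for Windows events vary by add-on (EventCode,
Logon_Type, src_ip, ...); the key=value names here are a simplification.
"""
from collections import Counter

# Constructed sample events (not real telemetry).  EventID 4624 is a successful
# logon, 4625 a failed one; LogonType 10 is RemoteInteractive (RDP).
SAMPLE_LOG_LINES = [
    "EventID=4624 LogonType=10 HostName=WS-02 SourceIP=10.0.0.5 DestIP=10.0.0.20 Account=alice",
    "EventID=4624 LogonType=10 HostName=WS-02 SourceIP=192.0.2.44 DestIP=10.0.0.20 Account=administrator",
    "EventID=4624 LogonType=10 HostName=WS-02 SourceIP=192.0.2.44 DestIP=10.0.0.20 Account=administrator",
    "EventID=4624 LogonType=3 HostName=WS-02 SourceIP=192.0.2.44 DestIP=10.0.0.20 Account=administrator",
    "EventID=4625 LogonType=10 HostName=WS-02 SourceIP=192.0.2.44 DestIP=10.0.0.20 Account=administrator",
    "EventID=4624 LogonType=10 HostName=WS-03 SourceIP=192.0.2.44 DestIP=10.0.0.21 Account=bob",
]


def parse_event(line):
    """Split a 'key=value key=value' line into a dict (field extraction)."""
    event = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def search(events, include=None, exclude=None):
    """Return events matching every include term and none of the exclude terms.

    include={"EventID": "4624", "LogonType": "10"} behaves like the SPL
    'EventID=4624 LogonType=10' (implicit AND); exclude={"SourceIP": "10.0.0.5"}
    behaves like 'NOT SourceIP=10.0.0.5'.  A term whose value is a set or list
    matches any member, like an OR of terms on that field.
    """
    include = include or {}
    exclude = exclude or {}

    def matches(event, field, wanted):
        actual = event.get(field)
        if isinstance(wanted, (set, frozenset, list, tuple)):
            return actual in wanted
        return actual == wanted

    return [
        e for e in events
        if all(matches(e, f, v) for f, v in include.items())
        and not any(matches(e, f, v) for f, v in exclude.items())
    ]


def stats_count_by(events, *fields):
    """Equivalent of '| stats count by f1, f2': count events per field tuple."""
    return Counter(tuple(e.get(f) for f in fields) for e in events)


def rdp_logons_by_source(lines, host, ignore_sources=()):
    """Successful RDP logons to `host`, counted by source IP and account, with
    known-good source addresses excluded: the whole search as one pipeline."""
    events = [parse_event(line) for line in lines]
    hits = search(
        events,
        include={"EventID": "4624", "LogonType": "10", "HostName": host},
        exclude={"SourceIP": set(ignore_sources)} if ignore_sources else None,
    )
    return stats_count_by(hits, "SourceIP", "Account")


if __name__ == "__main__":
    results = rdp_logons_by_source(SAMPLE_LOG_LINES, "WS-02", ["10.0.0.5"])
    for (src, account), count in results.items():
        print("%-15s %-15s %d" % (src, account, count))
```

Each SPL clause maps onto one function: field extraction to parse_event(), the search terms to search(), and the pipe stage to stats_count_by(); changing the include/exclude dictionaries is the same operation as editing the terms before the pipe in Splunk.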