# NerisBot Lab

First, let's see the available indexes.

```splunk-spl
| eventcount summarize=false index=* 
| table index
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FvQKnj1l35NJ2r86mRQ6p%2FScreenshot(16).png?alt=media&#x26;token=29c7a939-661e-4090-858d-dc8667a99864" alt=""><figcaption></figcaption></figure>

Or, from Settings -> Indexes.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F8sxkbCSApoSZQ95g4zjN%2FScreenshot(17).png?alt=media&#x26;token=03da153f-2bf8-4e9e-b125-77396294f57f" alt=""><figcaption></figcaption></figure>

Next, let's see the sourcetypes that we have.

```splunk-spl
| metadata type=sourcetypes
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FPvVzhl1H2s8994NSZuHH%2FScreenshot(18).png?alt=media&#x26;token=8de410a1-84a3-4baa-9cbb-a57afef0c51d" alt=""><figcaption></figcaption></figure>

Q1) Can you identify the IP address from which the initial unauthorized access originated?

```splunk-spl
index=* sourcetype=suricata
| stats values(dest_ip) values(http.hostname) values(http.url) by src_ip
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FLNO7uqKBhwK14A42BAO1%2FScreenshot(19).png?alt=media&#x26;token=e8da6139-aa9d-4330-b835-52b2852dcd7c" alt=""><figcaption></figcaption></figure>

Answer:  195.88.191.59

Q2) What is the domain name of the attacker server?

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FCYCe7Kk35tNWkSTWFf1L%2FScreenshot(20).png?alt=media&#x26;token=94d02cef-95b1-46e8-8cf1-3b2c554cd9a6" alt=""><figcaption></figcaption></figure>

Answer:  nocomcom.com

Q3) What is the IP address of the system that was targeted in this breach?

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FnMVYufNaYkmOzI5q8RBo%2FScreenshot(21).png?alt=media&#x26;token=6aa8aef6-024b-4fc2-9349-4d1649d7d1a2" alt=""><figcaption></figcaption></figure>

Answer:  147.32.84.165

Q4) Identify all the unique files downloaded to the compromised host. How many of these files could potentially be malicious?

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F64rGxcWkk8lRV8N9WSDm%2FScreenshot(22).png?alt=media&#x26;token=c435a0c7-d305-4faf-a105-f03946bdb818" alt=""><figcaption></figcaption></figure>

Answer: 5

Q5) What is the sha256 hash of the malicious file disguised as a txt file?

```splunk-spl
index=* sourcetype=zeek:files tx_hosts="195.88.191.59" 
| join left=L right=R where L.seen_bytes=R.bytes
    [search index=* sourcetype=suricata src_ip=147.32.84.165 dest_ip=195.88.191.59 url=* ]
| table L.md5, L.sha1, R.url
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FJhrgLtWBrCDkmB8jPpAl%2FScreenshot(23).png?alt=media&#x26;token=f4de7dbc-4149-41a7-b044-04141fdcea56" alt=""><figcaption></figcaption></figure>

Let's search VirusTotal by the SHA1 to get the SHA256.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FhpFOMAph7j3V8SueqrQp%2FScreenshot(24).png?alt=media&#x26;token=661c624e-1d6f-444d-a003-c117fd091bfd" alt=""><figcaption></figcaption></figure>

Answer:  6fbc4d506f4d4e0a64ca09fd826408d3103c1a258c370553583a07a4cb9a6530
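The Q5 query above works around a gap in the data: Zeek's `files.log` records the hashes of a transferred file (MD5 and SHA1 by default, which is why the SHA256 has to come from VirusTotal) but not the URL it was fetched from, while Suricata's HTTP events record the URL but no hash. The `join` pivots between the two on the size of the transfer (`seen_bytes` on the Zeek side, `bytes` on the Suricata side). The following is an added example, not code from the lab, that reproduces that correlation in Python over constructed records and then flags the "disguised as txt" case: a URL with a `.txt` extension whose content Zeek sniffed as something other than `text/plain`. The records, URLs and hash values below are constructed placeholders; `bytes` mirrors the Splunk-normalised field the SPL join uses rather than a raw Suricata field.

```python
"""Correlate Zeek files.log records with Suricata HTTP events by transfer size.

Added example (not the lab's own code). All records are constructed; the
hashes are zero-padded placeholders, not real indicators.
"""

# Constructed Zeek files.log records (JSON output), field names as in real Zeek.
ZEEK_FILES = [
    {"tx_hosts": ["195.88.191.59"], "rx_hosts": ["147.32.84.165"],
     "seen_bytes": 180224, "mime_type": "application/x-dosexec",
     "md5": "00000000000000000000000000000001",
     "sha1": "0000000000000000000000000000000000000001"},
    {"tx_hosts": ["195.88.191.59"], "rx_hosts": ["147.32.84.165"],
     "seen_bytes": 512, "mime_type": "text/plain",
     "md5": "00000000000000000000000000000002",
     "sha1": "0000000000000000000000000000000000000002"},
    # Same size as the first file but served by an unrelated host: must not match.
    {"tx_hosts": ["10.0.0.5"], "rx_hosts": ["147.32.84.165"],
     "seen_bytes": 180224, "mime_type": "image/png",
     "md5": "00000000000000000000000000000003",
     "sha1": "0000000000000000000000000000000000000003"},
]

# Constructed Suricata HTTP events. `bytes` stands for the Splunk-normalised
# transfer size used by the SPL join (raw eve.json would carry http.length).
SURICATA_HTTP = [
    {"src_ip": "147.32.84.165", "dest_ip": "195.88.191.59",
     "http": {"hostname": "nocomcom.com", "url": "/update.txt"}, "bytes": 180224},
    {"src_ip": "147.32.84.165", "dest_ip": "195.88.191.59",
     "http": {"hostname": "nocomcom.com", "url": "/readme.txt"}, "bytes": 512},
    {"src_ip": "147.32.84.165", "dest_ip": "195.88.191.59",
     "http": {"hostname": "nocomcom.com", "url": "/favicon.ico"}, "bytes": 1406},
]


def correlate(zeek_files, suricata_http, tx_host, victim):
    """Left-join Zeek file records served by tx_host onto the Suricata HTTP
    requests from victim to tx_host where seen_bytes == bytes.

    Mirrors `join left=L right=R where L.seen_bytes=R.bytes [search ...]`:
    every Zeek row is kept (url is None when nothing matched), and if two
    requests share a size the Zeek row fans out to one row per URL, so an
    analyst sees the ambiguity instead of a silently wrong pick.
    """
    urls_by_size = {}
    for ev in suricata_http:
        url = ev.get("http", {}).get("url")
        if ev["src_ip"] == victim and ev["dest_ip"] == tx_host and url:
            urls_by_size.setdefault(ev["bytes"], []).append(url)

    rows = []
    for f in zeek_files:
        if tx_host not in f["tx_hosts"]:
            continue
        for url in urls_by_size.get(f["seen_bytes"], [None]):
            rows.append({"md5": f["md5"], "sha1": f["sha1"],
                         "mime_type": f["mime_type"],
                         "seen_bytes": f["seen_bytes"], "url": url})
    return rows


def is_disguised(row):
    """True when the URL claims a text file but Zeek's content sniffing
    (mime_type) says the bytes were not plain text."""
    url = row["url"]
    if not url or not url.lower().endswith(".txt"):
        return False
    return row["mime_type"] != "text/plain"


def disguised_files(rows):
    """Return only the correlated rows whose extension and content disagree."""
    return [r for r in rows if is_disguised(r)]


if __name__ == "__main__":
    rows = correlate(ZEEK_FILES, SURICATA_HTTP, "195.88.191.59", "147.32.84.165")
    for r in rows:
        print(r["sha1"], r["seen_bytes"], r["mime_type"], r["url"])
    for r in disguised_files(rows):
        print("extension/content mismatch:", r["url"], "->", r["mime_type"])
```

Matching on size alone is a heuristic: two different files of identical length collide, and a response with a Content-Length that differs from what Zeek saw on the wire will not match at all. The fan-out and the unmatched (`None`) rows are left visible for exactly that reason; the mime_type check is what turns a size match into a finding.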
