# NerisBot Lab First, let's see the available indexes. ```splunk-spl | eventcount summarize=false index=* | table index ```

\#OR From Settings -> Indexes.

Next, let's see the sourcetypes that we have. ```splunk-spl | metadata type=sourcetypes ```

Q1) Can you identify the IP address from which the initial unauthorized access originated? ```splunk-spl index=* sourcetype=suricata | stats values(dest_ip) values(http.hostname) values(http.url) by src_ip ```

Answer: 195.88.191.59 Q2) What is the domain name of the attacker server?

Answer: nocomcom.com Q3) What is the IP address of the system that was targeted in this breach?

Answer: 147.32.84.165 Q4) Identify all the unique files downloaded to the compromised host. How many of these files could potentially be malicious?

Answer: 5 Q5) What is the sha256 hash of the malicious file disguised as a txt file? ```splunk-spl index=* sourcetype=zeek:files tx_hosts="195.88.191.59" | join left=L right=R where L.seen_bytes=R.bytes [search index=* sourcetype=suricata src_ip=147.32.84.165 dest_ip=195.88.191.59 url=* ] | table L.md5, L.sha1, R.url ```

Let's search by the sha1 on Virustotal to get the sha256.

Answer: 6fbc4d506f4d4e0a64ca09fd826408d3103c1a258c370553583a07a4cb9a6530 --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://faresbltagy.gitbook.io/footprintinglabs/cyberdefenders/nerisbot-lab.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.