> For the complete documentation index, see [llms.txt](https://faresbltagy.gitbook.io/footprintinglabs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://faresbltagy.gitbook.io/footprintinglabs/tryhackme-soc-2/advanced-splunk/fixit.md).

# Fixit

In this challenge room, you will act as John, who has recently cleared his third screening interview for the SOC-L2 position at MSSP Cybertees Ltd, and a final challenge is ready to test your knowledge, where you will be required to apply the knowledge to FIX the problems in Splunk. You are presented with a Splunk Instance and the network logs being ingested from an unknown device.

Pre-requisites\
This challenge is based on the knowledge covered in the following rooms:

* [Regex](https://tryhackme.com/room/catregex)
* [Splunk: Exploring SPL](https://tryhackme.com/room/splunkexploringspl)
* [Splunk: Data Manipulation](http://tryhackme.com/jr/splunkdatamanipulation)

### Challenge: FIXIT

This challenge is divided into three levels:

### **Level 1: Fix Event Boundaries**

Fix the Event Boundaries in Splunk. As the image below shows, Splunk cannot determine the Event boundaries, as the events are coming from an unknown device.

<figure><img src="/files/s6M3U7SaTtkZmMC1C52P" alt=""><figcaption></figcaption></figure>

### **Level 2: Extract Custom Fields**

Once the event boundaries are defined, it is time to extract the custom fields to make the events searchable.

* Username
* Country
* Source\_IP
* Department
* Domain

### Sample Logs:&#x20;

To create regex patterns, sample Network logs are shown below:

```c
[Network-log]: User named Johny Bil from Development department accessed the resource Cybertees.THM/about.html from the source IP 192.168.0.1 and country 
Japan at: Thu Sep 28 00:13:46 2023
[Network-log]: User named Johny Bil from Marketing department accessed the resource Cybertees.THM/about.html from the source IP 192.168.2.2 and country 
Japan at: Thu Sep 28 00:13:46 2023
[Network-log]: User named Johny Bil from HR department accessed the resource Cybertees.THM/about.html from the source IP 10.0.0.3 and country 
Japan at: Thu Sep 28 00:13:46 2023
```

### Level 3: Perform Analysis on the FIXED Events&#x20;

Once the custom fields are parsed, we can use those fields to analyze the Event logs. Examine the events and answer the questions.

Now our first task is to fix the event boundaries in Splunk because Splunk cannot determine the Event boundaries, as the events are coming from an unknown device.

In order to fix this issue, we can use different `stanzas` in the `props.conf` file. If we run the script a few times to observe the output, we can see that each event starts with the term `[Network-log]`, indicating the start of the event. We can use this as the regex pattern with the stanza `BREAK_ONLY_BEFORE` and see if it could fix this problem.

```
[network_logs]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = \[Network-log\]
```

<figure><img src="/files/5q6MIUKHUGto2K4sXXkM" alt=""><figcaption></figcaption></figure>

Let’s restart Splunk to apply the changes.

```
/opt/splunk/bin/splunk restart
```

```
index=main sourcetype="network_logs"
```

<figure><img src="/files/MqsK6mM55AHgV1XbXsVC" alt=""><figcaption></figcaption></figure>

Great. See, now Splunk is able to break the event exactly how it was intended.

1\) What is the full path of the FIXIT app directory?

Answer:  /opt/splunk/etc/apps/fixit

2\) What Stanza will we use to define Event Boundary in this multi-line Event case?

Answer:  BREAK\_ONLY\_BEFORE

3\) In the inputs.conf, what is the full path of the network-logs script?

<figure><img src="/files/xmxD43yr8eTJHA4B0Brj" alt=""><figcaption></figcaption></figure>

Answer:  /opt/splunk/etc/apps/fixit/bin/network-logs

4\) What regex pattern will help us define the Event's start?

Answer:  \[Network-log]

Let’s proceed to extract fields such as Username, Country, Source IP, Department, and Domain.

```c
[Network-log]: User named Johny Bil from Development department accessed the resource Cybertees.THM/about.html from the source IP 192.168.0.1 and country 
```

Now, let’s create a `transforms.conf` in the default folder of the DataApp directory, and put the following configurations in it as it is.

```
[network_log_extractions]
REGEX = \[Network-log\]:\sUser\s+named\s+([\w\s]+)\s+from\s+(\w+)\s+department\s+accessed\s+the\s+resource\s+([\w]+\.[\w]+\/[\w\-]+\.[\w]+)\s+from\s+the\s+source\s+IP\s+(\d{1,3}(?:\.\d{1,3}){3})\s+and\s+country\s+(\w+)(?=\s+at:) 
FORMAT = Username::$1 Department::$2 Domain::$3 Source_IP::$4 Country::$5
WRITE_META = true
```

<figure><img src="/files/h4RJ39vKFHP4yXz2Sy2q" alt=""><figcaption></figcaption></figure>

We need to update the props.conf to mention the recent updates we did in transforms.conf.

```
[network_logs]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = \[Network-log\]
TRANSFORMS-network_log = network_log_extractions
```

<figure><img src="/files/46Nw0v0tkTU8Gb9swfcZ" alt=""><figcaption></figcaption></figure>

The next step would be to create fields.conf and mention the field we are going to extract from the logs.

```
[Username]
INDEXED = true

[Country]
INDEXED = true

[Source_IP]
INDEXED = true

[Department]
INDEXED = true

[Domain]
INDEXED = true
```

<figure><img src="/files/JlyQ23v1uNZGUVrwDyt4" alt=""><figcaption></figcaption></figure>

That’s all we need in order to extract the custom fields. Now, restart the Splunk instance so that the changes we have made are committed.

<figure><img src="/files/fpzP0NSBoyiuev8yrYUV" alt=""><figcaption></figcaption></figure>

5\) What is the captured domain?

<figure><img src="/files/yP6fPF3f1HtmCwnDUQN5" alt=""><figcaption></figcaption></figure>

Answer:  Cybertees.THM

6\) How many countries are captured in the logs?

Answer:  12

7\) How many departments are captured in the logs?

Answer:  6

8\) How many usernames are captured in the logs?

Answer:  28

9\) How many source IPs are captured in the logs?

Answer:  52

10\) Which configuration files were used to fix our problem? \[Alphabetic order: File1, file2, file3]

Answer:  fields.conf, props.conf, transforms.conf

11\) What are the TOP two countries the user Robert tried to access the domain from? \[Answer in comma-separated and in Alphabetic Order]\[Format: Country1, Country2]

Answer:  Canada, United States

**12)** Which user accessed the secret-document.pdf on the website?

Answer:  Sarah Hall


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://faresbltagy.gitbook.io/footprintinglabs/tryhackme-soc-2/advanced-splunk/fixit.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.