SOC Practical Assessment

Task:

SOC ENGINEERING: PRACTICAL

To access elastic, use this link http://198.96.95.202:5601/login?next=%2F

• Username: we-innovate-quiz

• Password: dT%t9(YaKCpWwh*D

A. SIEM

Local Audit Policies:

• Add local audit policies to your machine.

Log Generation:

• Generate some administrative activities that trigger logs.

Log Transmission:

• Send logs using Winlogbeat.

Hostname Format:

• Ensure your machine’s hostname follows the

• format: GROUP#_FIRSTNAME_LASTNAME

B. Fluentbit

Regex Parser:

• Write a regex parser for this log file (extract at least 8 key fields, but you MUST extract the source IP and Destination IP).

Log Indexing:

• Send the parsed logs to the SIEM.

• Your index should be named: GROUP#-FIRSTNAME-LASTNAME-Fluentbit

Dashboard Creation:

• Create a descriptive dashboard for the logs, visualize some important fields.

C. SOAR

Create a new workflow in Tines and do the following steps:

IP Extraction:

• Using the Fluentbit index created in elastic, extract all destination IP addresses.

Threat Intelligence:

• Send the IP addresses to VirusTotal to scan their reputation.

Email Notification:

• Send an email to soc.weinnovate@gmail.com containing the filtered IP addresses that seem to be malicious.

• The subject of your email MUST be in this format: GROUP#_FIRSTNAME_LASTNAME

Bonus Challenge:

• Integrating additional threat intelligence feeds (ex: AbuseIPDB).

• Using winlogbeat index created extract logs with event id: [4720,4725,4726]

• Extract Most important details from extracted logs (ex: event.action, related users, targetUser).

• Send an email to Soc.WeInnovate@gmail.com containing Extracted details, The subject of your email MUST be in this format: GROUP#_FIRSTNAME_LASTNAME_Account_Management_Summary

A. SIEM

Let's begin by configuring Local Security Policies on our system.

• Success (to log successful account changes)

• Failure (to log failed attempts)

Now, let's generate some logs by creating a new user and then deleting it to verify that everything is functioning correctly.

To create a new user account:

net user Ahmed ahmed123 /add

To disable the user account:

net user Ahmed /active:no

To delete the user account:

net user Ahmed /delete

Let's ensure that these actions are properly recorded in the log files.

4720 → A user account was created.

4725 → A user account was disabled.

4726 → A user account was deleted.

Next, we will download Winlogbeat and configure its configuration to forward logs to Elasticsearch.

Next, we will initiate the Winlogbeat service to begin forwarding logs to Elasticsearch.

Start-Service winlogbeat

Now, let's test the output, and if everything is functioning correctly, we will forward the logs to ELK.

.\winlogbeat.exe test output -c .\winlogbeat.yml -e

.\winlogbeat.exe -c .\winlogbeat.yml -e

Now, let's access ELK to verify that the logs have been successfully sent.

B. Fluentbit

Let's begin by installing Fluent-Bit on Windows.

We have a log file named firewall-log.log that we need to be ingested into the ELK stack. To ensure accurate data extraction, we will begin by crafting an appropriate regular expression to parse the required information.

date=(?<date>\d{4}-\d{2}-\d{2})\s+time=(?<time>\d{2}:\d{2}:\d{2})\s+
devname="(?<devname>[^"]+)"\s+devid="(?<devid>[^"]+)"\s+logid="(?<logid>[^"]+)"
\s+type="(?<type>[^"]+)"\s+subtype="(?<subtype>[^"]+)"\s+eventtype="
(?<eventtype>[^"]+)"\s+level="(?<level>[^"]+)"\s+vd="(?<vd>[^"]+)"\s+
policyid=(?<policyid>\d+)\s+sessionid=(?<sessionid>\d+)\s+srcip=(?<srcip>\d{1,3}\.
\d{1,3}\.\d{1,3}\.\d{1,3})\s+srcport=(?<srcport>\d+)\s+dstip=(?<dstip>\d{1,3}\.
\d{1,3}\.\d{1,3}\.\d{1,3})\s+dstport=(?<dstport>\d+)\s+srcintf="
(?<srcintf>[^"]+)"\s+dstintf="(?<dstintf>[^"]+)"\s+service="
(?<service>[^"]+)"\s+hostname="(?<hostname>[^"]+)"\s+profile="(?<profile>[^"]+)
"\s+direction="(?<direction>[^"]+)"\s+virusname="(?<virusname>[^"]+)"\s+action=
"(?<action>[^"]+)"\s+msg="(?<msg>[^"]+)"

Next, we need to modify the parsers.conf file located in C:\Program Files\fluent-bit\conf.

Next, we need to configure the fluent-bit.conf file, located at C:\Program Files\fluent-bit\conf, to forward logs to the ELK stack.

[SERVICE]
    flush        1
    parsers_file parsers.conf
    plugins_file plugins.conf

[INPUT]
    Name         tail
    Parser       firewall-logs
    Path         C:\Users\Fares\Downloads\firewall-log.log
    Tag          firewall.logs
    
[OUTPUT]
    name    	  es
    Host    	  192.168.204.146
    Port    	  9200
    Match   	  *
    HTTP_User     elastic
    HTTP_Passwd   =Op+25maKY3GqC=IrV7m
    Index         group1faresmorcy
    tls           on
    tls.verify    off 
    Trace_Output  on 
    Suppress_Type_Name on

[OUTPUT]
    name  stdout
    match *

Now, let's run Fluent Bit:

.\fluent-bit.exe -c 'C:\Program Files\fluent-bit\conf\fluent-bit.conf'

We need to duplicate some lines within the firewall-log.log file and save the changes.

Let's confirm whether the logs are successfully being forwarded to ELK.

Now, it is time to create a dashboard utilizing these logs.

First, I created a new data view using the group1faresmorcy index. Next, I will proceed with building a dashboard for this index.

C. SOAR

Using the Fluentbit index created in elastic, we need to extract all destination IP addresses.

First, we need to configure Ngrok to establish a secure connection between Tines and the Elasticsearch.

ngrok http https://192.168.204.146:9200/

Let's send an HTTP request using Tines to retrieve the information of the group1faresmorcy index.

First, let's examine this URL to determine the necessary information.

https://70fa-197-43-37-185.ngrok-free.app/group1faresmorcy/_search

Now, let's send an HTTP request to this URL to retrieve only the destination IP address for further analysis and action:

https://70fa-197-43-37-185.ngrok-free.app/group1faresmorcy/_search?_source=dstip&filter_path=hits.hits._source.dstip

We need to incorporate two additional configurations:

1. Basic Authentication

2. Disable SSL verification

Next, we will send the request and analyze the response.

Now, we need to extract the four destination IP addresses and submit them individually to VirusTotal for analysis.

Next, we will submit these IP addresses to VirusTotal to determine whether they are associated with any malicious activity.

Next, we need to determine whether the IP address is malicious.

Next, we will send it to our email account.

Bonus Challenge:

• Integrating additional threat intelligence feeds (ex: AbuseIPDB).

Let's search for the IP addresses flagged as malicious by VirusTotal on AbuseIPDB.

First, we need to create an account and obtain an API key, which will be used to perform IP searches on AbuseIPDB through Tines.

Based on the data obtained from AbuseIPDB, we can send details of the malicious IP address, its associated domain, and the number of reports to our Gmail account.

• Using winlogbeat index created extract logs with event id: [4720,4725,4726]

• Extract Most important details from extracted logs (ex: event.action, related users, targetUser).

First, let's rename the Winlogbeat index we initially created to a different name.

But first, we need to create a new index to reindex the data from the old index into the new one.

PUT /winlogbeat-fares-morcy
{
  "settings": {
    "number_of_shards": 1,
    "number_of_replicas": 1
  }
}

POST /_reindex
{
  "source": {
    "index": ".ds-winlogbeat-8.17.2-2025.02.24-000001"
  },
  "dest": {
    "index": "winlogbeat-fares-morcy"
  }
}

Let's verify that the logs are now present in the new index.

I have added additional columns to retrieve the necessary details and send them to our email account.

Now, let's make another story on tines and send HTTP Request to get the info of winlogbeat-fares-morcy index.

We now need to isolate each event individually to facilitate further analysis and actions.

We now need to send the important information to our email account, including details such as event.action, related users, and targetUser.