Splunk!

Task 1 – Capture the commands Eddie ran most often, starting with git. Looking only at his process launches as reported by Sysmon, record the most common git-related CommandLine that Eddie seemed to use.

index=main sourcetype=journald source=Journald:Microsoft-Windows-Sysmon/Operational CommandLine="git*" User=eddie

Statistics -> Quick Reports

The answer is “git status”

Task 2 – Looking through the git commands Eddie ran, determine the remote repository that he configured as the origin for the ‘partnerapi’ repo. The correct one!

index=main sourcetype=journald source=Journald:Microsoft-Windows-Sysmon/Operational CommandLine="git*" User=eddie partnerapi origin

The answer is “git@github.com:elfnp3/partnerapi.git”
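As an added example that is not part of the original write-up, the filtering and counting behind Tasks 1 and 2 re-created offline in Python over a few constructed Sysmon-style events; the field names follow the Splunk searches above, and the sample command lines (including the decoy origin) are made up for illustration.

```python
"""Offline re-creation of the Task 1 / Task 2 searches (added example).

Each constructed event carries the two fields the Splunk searches filter on:
User and CommandLine, as Sysmon EventID 1 (process creation) exposes them.
"""
from collections import Counter
import re

# Constructed sample events, not real telemetry from the challenge.
EVENTS = [
    {"User": "eddie", "CommandLine": "git status"},
    {"User": "eddie", "CommandLine": "git status"},
    {"User": "eddie", "CommandLine": "git add ."},
    {"User": "eddie", "CommandLine": "git remote add origin git@github.com:elfnp3/partnerapi.git"},
    {"User": "eddie", "CommandLine": "git remote add origin git@github.com:elfnp3/partnerapi.git"},
    {"User": "eddie", "CommandLine": "git remote add origin https://example.invalid/decoy/partnerapi.git"},
    {"User": "eddie", "CommandLine": "docker compose up"},
    {"User": "root", "CommandLine": "git pull"},
]

def top_git_command(events, user="eddie"):
    """Task 1: CommandLine="git*" User=eddie, then count by CommandLine and take the top hit."""
    counts = Counter(
        e["CommandLine"]
        for e in events
        if e["User"] == user and e["CommandLine"].startswith("git")
    )
    return counts.most_common(1)[0][0] if counts else None

# Matches the remote URL in "git remote add origin <url>" / "git remote set-url origin <url>".
ORIGIN_RE = re.compile(r"git remote (?:add|set-url) origin (\S+)")

def origin_remotes(events, repo_hint, user="eddie"):
    """Task 2: every origin URL mentioning repo_hint, most frequently set first.

    Returning all candidates (not just the top one) lets the analyst spot a
    decoy remote that was configured once and then replaced.
    """
    hits = Counter()
    for e in events:
        if e["User"] != user:
            continue
        m = ORIGIN_RE.search(e["CommandLine"])
        if m and repo_hint in m.group(1):
            hits[m.group(1)] += 1
    return hits.most_common()

if __name__ == "__main__":
    print(top_git_command(EVENTS))
    print(origin_remotes(EVENTS, "partnerapi"))
```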

Task 3 – Eddie was running Docker on his workstation. Gather the full command line that Eddie used to bring up the partnerapi project on his workstation.

The answer is “docker compose up”

Task 4 – Eddie had been testing automated static application security testing (SAST) in GitHub. Vulnerability reports have been coming into Splunk in JSON format via GitHub webhooks. Search all the events in the main index in Splunk and use the sourcetype field to locate these reports. Determine the name of the vulnerable GitHub repository that the elves cloned for testing and document it here. Inspect the repository.name field in Splunk.

The answer is “https://github.com/snoopysecurity/dvws-node”

Task 5

The answer is “holiday-utils-js”

Task 6

The answer is “/usr/bin/nc.openbsd”

Task 7

The answer is “6”

Task 8

The answer is “preinstall.sh”

The answer is “whiz”!
