Question
Please note that this activity is optional and will not affect your completion of the course.

So far, you've learned that SIEM tools, such as Splunk, are an important part of a security analyst's toolbox because they provide a platform for storing, analyzing, and reporting on data from different sources. You also explored some basic searches using Splunk's querying language, called Search Processing Language (SPL), which included the use of pipes and wildcards. Creating effective searches is an important skill because it enables you to quickly and accurately find the information you are looking for within a large amount of data. Quick and accurate searching is especially useful during incident response, because you might need to swiftly identify and address a security incident. Effective search techniques also help you efficiently identify patterns, trends, and anomalies within data.

Scenario

Review the following scenario. Then complete the step-by-step instructions.

You are a security analyst working at the e-commerce store Buttercup Games. You've been tasked with identifying whether there are any possible security issues with the mail server. To do so, you must explore any failed SSH logins for the root account.

Note: Use the incident handler's journal you started in a previous activity to take notes during the activity and keep track of your findings.

Step-By-Step Instructions

Follow the instructions and answer the following questions to complete the activity.

The following supporting materials will help you complete this activity. The data contains log and event information from Buttercup Games' mail servers and web accounts. This includes information like access and authentication logs, email logs, and more. To download this data, click the link, then click the download icon.

Link to supporting materials: tutorialdata.zip file

OR

If you don't have a Google account, you can download the supporting materials directly from the following attachment.
Step 10: Answer questions about the search results

1. Question 1 (1 point)
How many events are contained in the main index across all time?
- 100-1,000
- 10-99
- 10,000
- Over 100,000

2. Question 2 (1 point)
Which field identifies the name of a network device or system from which an event originates?
- sourcetype
- host
- index
- source

3. Question 3 (1 point)
Which of the following hosts used by Buttercup Games contains log information relevant to financial transactions?
- www3
- www2
- vendor_sales
- www1

4. Question 4 (1 point)
How many failed SSH logins are there for the root account on the mail server?
- More than 100
- One
- 100
- None

Key takeaways

In this activity, you used Splunk Cloud to perform a search and investigation. Using Splunk Cloud, you were able to:
- Upload sample log data
- Search through indexed data
- Evaluate search results
- Identify different data sources
- Locate failed SSH login(s) for the root account

If you would like to challenge yourself and explore more simulated incident investigations using Splunk, log in to Splunk and visit Splunk Boss of the SOC.
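The scenario asks you to find failed SSH logins for root on the mail server, which in SPL is a search of the shape `index=main host=<mail host> "Failed password" root | stats count by src_ip`. The script below is an added example (not part of the course activity, and not drawn from tutorialdata.zip) that does the same filtering and counting in Python over a handful of constructed sshd-style log lines, so you can see what Splunk's field extraction and `stats` are doing under the hood. The host names `mailsv1` and `www1`, the timestamps and the IP addresses are all made up for the example.

```python
import re
from collections import Counter

# Constructed sample events (not from tutorialdata.zip) in the style of a Linux
# sshd auth log as Splunk would index it. The host names mailsv1 (mail server)
# and www1 (web server) and all addresses are assumptions for this example.
SAMPLE_EVENTS = [
    "Mon Mar 19 2018 20:16:44 mailsv1 sshd[5276]: Failed password for root from 198.51.100.23 port 4321 ssh2",
    "Mon Mar 19 2018 20:16:49 mailsv1 sshd[5276]: Failed password for root from 198.51.100.23 port 4322 ssh2",
    "Mon Mar 19 2018 20:17:02 mailsv1 sshd[5281]: Failed password for invalid user guest from 203.0.113.9 port 5150 ssh2",
    "Mon Mar 19 2018 20:17:30 mailsv1 sshd[5290]: Accepted password for root from 192.0.2.10 port 2201 ssh2",
    "Mon Mar 19 2018 20:18:01 www1 sshd[1123]: Failed password for root from 198.51.100.23 port 4400 ssh2",
    "Mon Mar 19 2018 20:18:15 mailsv1 sshd[5301]: Failed password for root from 203.0.113.9 port 5160 ssh2",
]

# Field extraction for the whole line: timestamp, host, process[pid], message.
# This mirrors the default fields Splunk exposes (_time, host) plus the raw text.
EVENT_RE = re.compile(
    r"^(?P<_time>\w{3} \w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<process>\w+)\[(?P<pid>\d+)\]: (?P<message>.*)$"
)

# Login outcome, user and source IP from the message. sshd inserts "invalid user"
# before a name that does not exist on the system, so that token is optional.
LOGIN_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src_ip>\S+) port (?P<port>\d+)"
)


def parse_event(line):
    """Return the event's fields as a dict, or None if the line is not sshd-shaped."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    login = LOGIN_RE.match(event["message"])
    if login:
        event.update(login.groupdict())
        event["outcome"] = event["outcome"].lower()  # "failed" / "accepted"
    return event


def failed_root_logins(lines, host="mailsv1"):
    """Equivalent of: index=main host=mailsv1 "Failed password" root
    but matched on the extracted user field rather than a bare keyword."""
    hits = []
    for line in lines:
        e = parse_event(line)
        if e and e["host"] == host and e.get("outcome") == "failed" and e.get("user") == "root":
            hits.append(e)
    return hits


def count_failed_root_logins(lines, host="mailsv1"):
    """Equivalent of appending: | stats count"""
    return len(failed_root_logins(lines, host))


def failed_root_by_source(lines, host="mailsv1"):
    """Equivalent of appending: | stats count by src_ip"""
    return dict(Counter(e["src_ip"] for e in failed_root_logins(lines, host)))


if __name__ == "__main__":
    print("failed root logins on mailsv1:", count_failed_root_logins(SAMPLE_EVENTS))
    for ip, n in sorted(failed_root_by_source(SAMPLE_EVENTS).items()):
        print(f"  {ip}: {n}")
```

Matching on the extracted `user` field is deliberately tighter than a keyword search for `fail*` and `root`: a bare keyword search also returns events where "root" appears in some other position of the message, and it does not separate failures from the successful root login in the sample, which is exactly the event an investigator would want to see on its own. The same script run with `host="www1"` shows why filtering on `host` matters: the web server in the sample has its own failed root attempt from the same source address.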
Step by Step Solution
There are 3 Steps involved in it
Step: 1
Answer: How many events are contained in the main index across all time? Answer: Ove...
Step: 2
Step: 3