COMP4040 Lab06 Report

Activities
Section A: Try to brute force to the server cslab.softether.net via ssh port 8922 (or try to login
with fake usernames including your nickname) then use (_source="klj23-03-authlog" and
_collector="klj23-03") [3h]
ssh leonardotorres@cslab.softether.net -p 8922
1. Panel-1: Create a table view the top10 most tried username.
Query
_source="klj23-03-authlog" and _collector="klj23-03" and "Failed password for invalid user" | parse
"* * *[*]: Failed password for invalid user * from * port * *" as datetime,hostname,
service,pid,username,src_ip,port,protocol | count username | order by _count desc | top 10
username by _count

View

Analyze
This table show the top 10 most username tries to connect to cslab.softeher.net via SSH, taking the
date range of the previous 3 hours as a range.

2. Panel-2: Filter and find your tried usernames.

Query
_source="klj23-03-authlog" and _collector="klj23-03" and ("leonardotorres" or "ivantorres" or
"ochoatorres") | parse "* * *[*]: Failed password for invalid user * from * port * *" as

1
 datetime,hostname, service,pid,username,src_ip,port,protocol | count username | order by _count
desc

View

Analyze
This table show my tried username to connect to cslab.softeher.net via SSH, taking the date range of
the previous 3 hours as a range.

3. Panel-3: Create a map to show failed users' locations.

Query
_source="klj23-03-authlog" and _collector="klj23-03" and "Invalid user" | parse "* * *[*]: Invalid
user * from * port *" as datetime,hostname, service,pid,username,src_ip,port | lookup latitude,
longitude from geo://location on ip = src_ip | count by latitude, longitude

View

2
 Analyze
This panel shows the map of attempts by users to login with invalid users via GEO localization on
MAP, taking the date range of the previous 3 hours as a range. This panel uses localization via geo,
using the IP address.

4. Panel-4: Create a list of failed users.

Query
_source="klj23-03-authlog" and _collector="klj23-03" and "Invalid user" | parse "* * *[*]: Invalid
user * from * port *" as datetime,hostname, service,pid,username,src_ip,port | count username |
order by _count desc

View

Analyze
This panel, which uses the last three hours' worth of dates as a range, displays a list of users'
unsuccessful attempts to log in. You can see my username, Leonardo Torres, and the user git, who
attempted to log in four times.

5. Panel-5: Find the valid usernames.

Query
_source="klj23-03-authlog" and _collector="klj23-03" and "session opened for" | parse "* * * *
session opened for user *(uid=0) by *" as datetime,hostname,service,cron,username,uid | count
username | order by _count desc

View

3
 Analyze
This panel shows the valid user session established with the remote server, which uses the last three
hours' worth of dates as a range.

Dashboard: J24C40Leonardo_Torres-L6D1

URL shared:

4
URL:
https://service.ca.sumologic.com/ui/#/dashboardv2/
SDjYGsXjKsmm1tLo8dU0fTeNamUTpH7rQRACZJCtncJL75ie2fUyGVCV2UCD?
from=1711204943372&to=1711215743372

5
Section B: Use (_sourceCategory="mjolnir/hunt") for the last 7d
1. Panel-1: Create a Pi chart based on the event type.
Query
_sourceCategory="mjolnir/hunt" | json "event_type" as event_type nodrop | count event_type

View

Analyze
This panel shows a pie graph with the percentage of each event type of the machine with the
system operating, taking the date range of the previous 7 days as a range. In this case only show one
type named “alert”.

2. Panel-2: Create a table for the top 10 destinations under attack (event_type = "alert")
Query
_sourceCategory="mjolnir/hunt" | json "event_type","dest_ip" as event_type,dest_ip nodrop |
where event_type="alert" | lookup city from geo://location on ip = dest_ip | count by city | order
by _count | top 10 city by _count

View

Analyze
This panel shows a table with the top 10 destinations under attack, with reference to the cities. The
first has a filter-only event type of equal alert, extracts the destination IP address, and gets the name
of cities using the method of geo localization. Taking the date range of the previous 7 days as a
range.

6
3. Panel-3: Visualize on a map source of attack (event_type = "alert")
Query
_sourceCategory="mjolnir/hunt" | json "event_type","dest_ip" as event_type,dest_ip nodrop |
where event_type="alert" | lookup latitude, longitude from geo://location on ip = dest_ip | count
by latitude, longitude
View

Analyze
This panel shows a map with the destinations under attack, with reference to the geo localization
about the IP address destiny. The first has a filter-only event type of equal alert. Taking the date
range of the previous 7 days as a range.

4. Panel-4: Show the table of the top 10 attackers

Query
_sourceCategory="mjolnir/hunt" | json "event_type","src_ip" as event_type,src_ip nodrop | where
event_type="alert" | lookup city from geo://location on ip = src_ip | count by city | order by _count
| top 10 city by _count
View

7
 Analyze
This panel shows a table with top 10 attackers’ source, with reference to the geo localization about
the IP address source. The first has a filter-only event type of equal alert. Taking the date range of
the previous 7 days as a range.

5. Panel-5: Show the top 10 attackers on the map.

Query
_sourceCategory="mjolnir/hunt" | json "event_type","src_ip" as event_type,src_ip nodrop | where
event_type="alert" | lookup latitude, longitude from geo://location on ip = src_ip | count by
latitude, longitude

View

Analyze
This panel shows a map with the target attacker’s, with reference to the geo localization about the
IP address source. The first has a filter-only event type of equal alert. Taking the date range of the
previous 7 days as a range.

8
6. Panel-6: Create a table of the top 5 destination ports.
Query
_sourceCategory="mjolnir/hunt" | json "event_type","dest_port" as event_type,dest_port nodrop |
where event_type="alert" | count by dest_port | order by _count | top 5 dest_port by _count
View

Analyze
This panel shows a table with top 5 ports using for attack. The first has a filter-only event type of
equal alert. Taking the date range of the previous 7 days as a range.

7. Panel-7: Create a graph to visualize event trends every 30 minutes (time slice 30m)

Query
_sourceCategory="mjolnir/hunt" | json "event_type" as event nodrop | timeslice 30m | count
event, _timeslice

View

Analyze
This panel shows a line graph with the number of events in each day each 30 minutes of the
machine with system operating, taking the date range of the previous 7 days as a range. You can
visualize the event type each day.

Dashboard: J24C40Leonardo_Torres-L6D2

9
URL shared:

10
URL:
https://service.ca.sumologic.com/ui/#/dashboardv2/dFX7uYtaF1J6QhfIu8fUU633dWQBunzvBFiNe0cjdO
aIxRZtNb10dS9cpDJV?from=1710622770475&to=1711227570475

11