From f92810b27e79a3350ce981f18adebcd926982a1a Mon Sep 17 00:00:00 2001 From: Joseph Shin <38485453+Sh0bra@users.noreply.github.com> Date: Thu, 13 Mar 2025 13:41:28 -0700 Subject: [PATCH 01/47] Create .readthedocs.yaml --- .readthedocs.yaml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 .readthedocs.yaml diff --git a/.readthedocs.yaml b/.readthedocs.yaml new file mode 100644 index 0000000..2742d87 --- /dev/null +++ b/.readthedocs.yaml @@ -0,0 +1,26 @@ +# Read the Docs configuration file +# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details + +# Required +version: 2 + +# Set the OS, Python version, and other tools you might need +build: + os: ubuntu-24.04 + tools: + python: "3.13" + +# Build documentation in the "source/" directory with Sphinx +sphinx: + configuration: source/conf.py + +formats: + - pdf + +# Optionally, but recommended, +# declare the Python requirements required to build your documentation +# See https://docs.readthedocs.io/en/stable/guides/reproducible-builds.html +python: + install: + - requirements: requirements.txt + From dada7496e62ea97a6985046be2fd32ea88a53329 Mon Sep 17 00:00:00 2001 From: Sh0bra Date: Thu, 13 Mar 2025 13:47:13 -0700 Subject: [PATCH 02/47] Changes to new team repo --- source/Splunk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/Splunk.md b/source/Splunk.md index 2fc1f03..64a7192 100644 --- a/source/Splunk.md +++ b/source/Splunk.md @@ -1,4 +1,4 @@ -# Splunk +# Splunk THIS IS A TEST Splunk is a log aggregator used to centralize logs and data. At the SOC we are using it as a System Information and Event Management(SIEM) system. ## What you can do with Splunk: From 1881939619b182b61d86374d98d3d052d55f91ba Mon Sep 17 00:00:00 2001 From: Sh0bra Date: Thu, 13 Mar 2025 13:51:19 -0700 Subject: [PATCH 03/47] removed test text --- source/Splunk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
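Review bot: `python.install` in the new `.readthedocs.yaml` points at `requirements.txt`, but this patch does not add that file, so the Read the Docs build fails at the pip install step if it is not already in the repository; add it in the same change and pin exact versions of sphinx and the Markdown parser in it, which is what the reproducible-builds guide linked in the comment asks for. Minor: `formats: - pdf` adds a LaTeX build to every run, so drop it if the PDF is not actually published, and the file ends with a stray blank line after `- requirements: requirements.txt`.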
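Review bot: `# Splunk THIS IS A TEST` changes the published page title only to be reverted in the next commit; test edits belong in a local `sphinx-build` or on a branch, not in the documentation history. While this line is being touched, the unchanged context line expands SIEM as "System Information and Event Management"; the term is Security Information and Event Management, and `Management(SIEM)` needs a space before the parenthesis.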
diff --git a/source/Splunk.md b/source/Splunk.md index 64a7192..2fc1f03 100644 --- a/source/Splunk.md +++ b/source/Splunk.md @@ -1,4 +1,4 @@ -# Splunk THIS IS A TEST +# Splunk Splunk is a log aggregator used to centralize logs and data. At the SOC we are using it as a System Information and Event Management(SIEM) system. ## What you can do with Splunk: From 153a6e935f2bf85c61a0ac58eca98bbc93ac5236 Mon Sep 17 00:00:00 2001 From: Sh0bra Date: Thu, 13 Mar 2025 13:56:06 -0700 Subject: [PATCH 04/47] Added description o SUF --- source/Splunk.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source/Splunk.md b/source/Splunk.md index 2fc1f03..f0ea886 100644 --- a/source/Splunk.md +++ b/source/Splunk.md @@ -54,6 +54,8 @@ Splunk is a log aggregator used to centralize logs and data. At the SOC we are u Double click on the .msi file you downloaded and follow the instructions to install. ## How to setup the Splunk Universal Forwarder +The Splunk Universal Forwarder is installed on endpoint devices to gather logs and send them back to your Splunk Server. +Download the correct Splunk Universal Forwarder for the endpoint device. ## How to setup a Splunk Deployment Server From c6d0a2ca675cae419e0ba209348001da2b8b2e3e Mon Sep 17 00:00:00 2001 From: Sh0bra Date: Thu, 13 Mar 2025 14:03:57 -0700 Subject: [PATCH 05/47] Test message --- source/Splunk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/Splunk.md b/source/Splunk.md index f0ea886..671d61e 100644 --- a/source/Splunk.md +++ b/source/Splunk.md @@ -56,6 +56,6 @@ Splunk is a log aggregator used to centralize logs and data. At the SOC we are u ## How to setup the Splunk Universal Forwarder The Splunk Universal Forwarder is installed on endpoint devices to gather logs and send them back to your Splunk Server. Download the correct Splunk Universal Forwarder for the endpoint device. - +Tommy joined the team ## How to setup a Splunk Deployment Server 
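Review bot: the two lines added under "How to setup the Splunk Universal Forwarder" say the forwarder sends logs "back to your Splunk Server" but give none of the steps that make that happen: the indexer has to be enabled to receive on a port (Settings > Forwarding and receiving, 9997 by default), the forwarder has to be pointed at it (`splunk add forward-server <indexer>:9997`), and the inputs to collect have to be chosen. Either fill these in now or mark the section as a stub so readers do not stop at "download the forwarder" expecting it to be complete.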
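Review bot: `Tommy joined the team` replaces the blank line before "## How to setup a Splunk Deployment Server" and is published as part of the forwarder instructions; the subject "Test message" says it is a test, so it should be squashed out rather than left in the page history, and the blank line separating the two sections should be restored.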
From ade80ff2f855c65c2c5e5035e9d1ed0a9867a424 Mon Sep 17 00:00:00 2001 From: Sh0bra Date: Thu, 13 Mar 2025 14:05:34 -0700 Subject: [PATCH 06/47] another one --- source/Splunk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/Splunk.md b/source/Splunk.md index 671d61e..0885ec8 100644 --- a/source/Splunk.md +++ b/source/Splunk.md @@ -56,6 +56,6 @@ Splunk is a log aggregator used to centralize logs and data. At the SOC we are u ## How to setup the Splunk Universal Forwarder The Splunk Universal Forwarder is installed on endpoint devices to gather logs and send them back to your Splunk Server. Download the correct Splunk Universal Forwarder for the endpoint device. -Tommy joined the team +- GO to Splunk to download the SUF ## How to setup a Splunk Deployment Server From fca451fbf6e2a65277d31749b8f83dd91dd9d1f0 Mon Sep 17 00:00:00 2001 From: Tommy Phao <55013938+xdkaine@users.noreply.github.com> Date: Tue, 22 Apr 2025 15:10:06 -0700 Subject: [PATCH 07/47] Fixing typo --- source/Splunk_Lab.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/Splunk_Lab.md b/source/Splunk_Lab.md index 3fe0d8a..234e5ea 100644 --- a/source/Splunk_Lab.md +++ b/source/Splunk_Lab.md @@ -92,7 +92,7 @@ wget -O splunk-9.2.1-78803f08aabb-linux-2.6-amd64.deb "https://download.splunk.c
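Review bot: `- GO to Splunk to download the SUF` is a single bullet hanging under a prose sentence, with "GO" capitalised and "SUF" used before the abbreviation is introduced; write it as a sentence with the download link (https://www.splunk.com/en_us/download/universal-forwarder.html) and introduce the abbreviation where the full name first appears ("Splunk Universal Forwarder (SUF)"). Picking the build that matches the endpoint's OS and architecture is the decision the reader has to make here, so say that explicitly instead of "the correct" forwarder.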
Navigate to the folder you downloaded the file and run the command -dpkg -i plunk-9.2.1-78803f08aabb-linux-2.6-amd64.deb +dpkg -i splunk-9.2.1-78803f08aabb-linux-2.6-amd64.deb Navigate to the folder /opt/splunk/bin and run From 1b8c0b73a9512e1b39edc92297878f3507966c1e Mon Sep 17 00:00:00 2001 From: Tommy Phao <55013938+xdkaine@users.noreply.github.com> Date: Tue, 22 Apr 2025 15:10:07 -0700 Subject: [PATCH 08/47] Fixing typo From 3ec9ca38a5106b460bfb04f26ede79c40b53b522 Mon Sep 17 00:00:00 2001 From: tommy phao Date: Wed, 27 Aug 2025 18:01:01 -0700 Subject: [PATCH 09/47] testing --- source/Test.md | 11 +++++++++++ source/index.md | 1 + 2 files changed, 12 insertions(+) create mode 100644 source/Test.md diff --git a/source/Test.md b/source/Test.md new file mode 100644 index 0000000..aa1d739 --- /dev/null +++ b/source/Test.md @@ -0,0 +1,11 @@ +# Test Page + +This is a test Markdown page for documentation purposes. + +## Section 1 + +Add your content here. + +## Section 2 + +More content can go here. diff --git a/source/index.md b/source/index.md index 11c3f52..d294095 100644 --- a/source/index.md +++ b/source/index.md @@ -9,4 +9,5 @@ Here lies the documentation of the Student run Security Operations Center at the Volunteering Opportunities Splunk Splunk Lab +Test ``` \ No newline at end of file From e290aab094dbbbc79616d03afe48bdb04eb83b24 Mon Sep 17 00:00:00 2001 From: Nich Rosen Date: Wed, 27 Aug 2025 18:06:51 -0700 Subject: [PATCH 10/47] removed test entry from table of contents --- source/index.md | 1 - 1 file changed, 1 deletion(-) diff --git a/source/index.md b/source/index.md index d294095..11c3f52 100644 --- a/source/index.md +++ b/source/index.md @@ -9,5 +9,4 @@ Here lies the documentation of the Student run Security Operations Center at the Volunteering Opportunities Splunk Splunk Lab -Test ``` \ No newline at end of file From 2adcd4963826e56cc709f9cecf4ff73e126d2032 Mon Sep 17 00:00:00 2001 
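Review bot: correcting `plunk-9.2.1…deb` to `splunk-9.2.1…deb` is right, but the step it fixes still has the reader feed a wget download straight into `dpkg -i` with no integrity check and no `sudo`; Splunk publishes a SHA-512 checksum next to each download, so add a `sha512sum -c` step between the wget and the dpkg lines, and prefix `dpkg -i` with `sudo` since it writes to /opt/splunk and needs root.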
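Review bot: removing `Test` from the toctree while leaving `source/Test.md` in the tree means every build now emits the Sphinx warning that the document is not included in any toctree until the file is deleted as well; the next patch does that, and the two should be one commit. The hunk also keeps index.md ending without a newline after the closing fence (`\ No newline at end of file`); add one.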
From: tommy phao Date: Wed, 27 Aug 2025 18:35:09 -0700 Subject: [PATCH 11/47] Add Getting Started Guide and remove Test Page --- source/Test.md | 11 ----------- source/getting_started.md | 40 +++++++++++++++++++++++++++++++++++++++ source/index.md | 1 + 3 files changed, 41 insertions(+), 11 deletions(-) delete mode 100644 source/Test.md create mode 100644 source/getting_started.md diff --git a/source/Test.md b/source/Test.md deleted file mode 100644 index aa1d739..0000000 --- a/source/Test.md +++ /dev/null @@ -1,11 +0,0 @@ -# Test Page - -This is a test Markdown page for documentation purposes. - -## Section 1 - -Add your content here. - -## Section 2 - -More content can go here. diff --git a/source/getting_started.md b/source/getting_started.md new file mode 100644 index 0000000..b47e713 --- /dev/null +++ b/source/getting_started.md 
@@ -0,0 +1,40 @@ +# Getting Started Guide + +## Introduction + +Hello everyone! I am creating this page to help improve your start process at either the **Student Security Operations Center (SOC)** or the **Student Data Center (SDC)**. + +All operations done on either side will require you to connect to our VPN to access any resources we host. + +## VPN Access Setup + +1. **Request Access**: Please fill out this Microsoft Form for User Access to our VPN. +2. **Install VPN Client**: If you have never logged in to Kamino, please install Palo Alto's GlobalProtect application. We are now completing authentication using Cal Poly Pomona's SSO. +3. **Initial Connection**: + - After installing the application, you will be prompted with the following windows + - When asked to enter our Portal Address use: `mgmt.sdc.cpp.edu` + - This will prompt you to login using Cal Poly SSO + +> Note: Access to the Management VPN Portal depends on when you submitted the User Access Request through Microsoft Forms. + +## Accessing Kamino + +1. Once you are given access to Management Portal, head over to [https://kamino.sdc.cpp](https://kamino.sdc.cpp) +2. This is only available when you are connected to the VPN +3. Use your AD Credentials to login + +If you do not have credentials or do not remember the details, ask a Student Director to help resolve this for you. + +## Working with Pods + +1. After logging in to Kamino, you can provision pods using the Web Interface +2. Try using the premade templates as they are ideal for starting fresh without sitting through standard installation experience +3. Recommended setup: provision two pods + - One for your server + - One client to forward logs to said server + +Once configured, you should be able to remotely access the VPN using either SSH or Proxmox. + +--- + +**Known Issue (August 27)**: Students who provision pods on Kamino are not having them assigned in Proxmox, showing an empty list with just nodes. \ No newline at end of file 
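Review bot: in the new getting_started.md, step 1 says "fill out this Microsoft Form" with no link attached, step 3 says "you will be prompted with the following windows" but no screenshots follow, and "Known Issue (August 27)" has no year and no owner; add the form URL, the images (or drop the reference to them), and a full date. The sentence "you should be able to remotely access the VPN using either SSH or Proxmox" is also backwards: SSH and the Proxmox console are how you reach the pods once you are on the VPN, not how you access the VPN. The file ends without a trailing newline.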
diff --git a/source/index.md b/source/index.md index 11c3f52..5e60fbe 100644 --- a/source/index.md +++ b/source/index.md @@ -7,6 +7,7 @@ Here lies the documentation of the Student run Security Operations Center at the :maxdepth: 2 Volunteering Opportunities +Getting Started (August 2025) Splunk Splunk Lab ``` \ No newline at end of file From a05e91c6dcdfe9188ffe1392b93994a505e78b2f Mon Sep 17 00:00:00 2001 From: tommy phao Date: Wed, 27 Aug 2025 18:42:26 -0700 Subject: [PATCH 12/47] Update VPN Access Setup instructions and add note about initial connection --- source/getting_started.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/source/getting_started.md b/source/getting_started.md index b47e713..1baecc1 100644 --- a/source/getting_started.md +++ b/source/getting_started.md @@ -8,10 +8,10 @@ All operations done on either side will require you to connect to our VPN to acc ## VPN Access Setup -1. **Request Access**: Please fill out this Microsoft Form for User Access to our VPN. +1. **Request Access**: Please fill out this Microsoft Form for User Access to our VPN. [Form]((https://forms.cloud.microsoft/r/5BtvPPTJku)) 2. **Install VPN Client**: If you have never logged in to Kamino, please install Palo Alto's GlobalProtect application. We are now completing authentication using Cal Poly Pomona's SSO. 3. **Initial Connection**: - - After installing the application, you will be prompted with the following windows + - After installing the application, you will be prompted with the following windows - When asked to enter our Portal Address use: `mgmt.sdc.cpp.edu` - This will prompt you to login using Cal Poly SSO 
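Review bot: the toctree entry `Getting Started (August 2025)` is resolved by Sphinx as a document name, and the page this patch adds is `source/getting_started.md`; unless a file with that exact name exists, the build reports "toctree contains reference to nonexisting document" and the page never appears in the navigation. Use `getting_started`, or the explicit-title form `Getting Started (August 2025) <getting_started>`.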
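Review bot: `[Form]((https://forms.cloud.microsoft/r/5BtvPPTJku))` has doubled parentheses, so the rendered link target begins with `(` and the link is broken; it should be `[Form](https://forms.cloud.microsoft/r/5BtvPPTJku)`. The following patch fixes exactly this, so squash the two.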
@@ -33,8 +33,6 @@ If you do not have credentials or do not remember the details, ask a Student Dir - One for your server - One client to forward logs to said server -Once configured, you should be able to remotely access the VPN using either SSH or Proxmox. - --- **Known Issue (August 27)**: Students who provision pods on Kamino are not having them assigned in Proxmox, showing an empty list with just nodes. \ No newline at end of file From 703d8471c6ba9d55a4bbb23af2fca65453e22403 Mon Sep 17 00:00:00 2001 From: Eric Heng Date: Thu, 28 Aug 2025 13:49:34 -0700 Subject: [PATCH 13/47] fixed markdown formatting --- source/getting_started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/getting_started.md b/source/getting_started.md index 1baecc1..4f49499 100644 --- a/source/getting_started.md +++ b/source/getting_started.md @@ -8,7 +8,7 @@ All operations done on either side will require you to connect to our VPN to acc ## VPN Access Setup -1. **Request Access**: Please fill out this Microsoft Form for User Access to our VPN. [Form]((https://forms.cloud.microsoft/r/5BtvPPTJku)) +1. **Request Access**: Please fill out this Microsoft Form for User Access to our VPN. [Form](https://forms.cloud.microsoft/r/5BtvPPTJku) 2. **Install VPN Client**: If you have never logged in to Kamino, please install Palo Alto's GlobalProtect application. We are now completing authentication using Cal Poly Pomona's SSO. 3. **Initial Connection**: - After installing the application, you will be prompted with the following windows From b4e3ff0bdad3af90c7620533141b34a2ab61c75b Mon Sep 17 00:00:00 2001 From: Tommy Phao <55013938+xdkaine@users.noreply.github.com> Date: Sun, 7 Sep 2025 16:43:39 -0700 Subject: [PATCH 14/47] Update Splunk Lab with current status note idk i think we need to note this down immediately --- source/Splunk_Lab.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
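Review bot: deleting "Once configured, you should be able to remotely access the VPN using either SSH or Proxmox" removes the only sentence that told the reader how to reach a provisioned pod; the sentence was wrong as written (the pods are reached through the VPN, not the other way round), but the Working with Pods section now ends with no next step, so replace it with the corrected version rather than dropping it.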
diff --git a/source/Splunk_Lab.md b/source/Splunk_Lab.md index 234e5ea..494e31b 100644 --- a/source/Splunk_Lab.md +++ b/source/Splunk_Lab.md @@ -1,5 +1,7 @@ # Welcome to the Splunk Lab +# Note 9/7/25: This Splunk Lab is in the process of being updated! Some of the processes mentioned are no longer relevant/applicable. Please take the time to reach out to either SOC Student Directors in person or on Discord to get updated steps! + ## Overview In this lab we will teach you how to setup your own Splunk server. You will also learn how you can forward logs from different endpoint devices to your Splunk logs, aka ingesting logs. After you get comfortable ingesting logs we will also be generating our own log sources and learning how we can ingest those logs too. @@ -189,4 +191,4 @@ Stay tuned for a more advanced Splunk Lab where we plan to tackle the following -How do I scale my Splunk deployment? -How do I make my Splunk server more resilient? --How do I increase search performance? \ No newline at end of file +-How do I increase search performance? From 19b4091cc918281af477d4bf78b011ce057bf5bc Mon Sep 17 00:00:00 2001 From: Tommy Phao <55013938+xdkaine@users.noreply.github.com> Date: Sun, 7 Sep 2025 16:45:13 -0700 Subject: [PATCH 15/47] part 2 of the same change rofl --- source/Splunk_Lab.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/source/Splunk_Lab.md b/source/Splunk_Lab.md index 494e31b..1a02747 100644 --- a/source/Splunk_Lab.md +++ b/source/Splunk_Lab.md 
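Review bot: `# Note 9/7/25: …` adds a second level-one heading under "# Welcome to the Splunk Lab", which turns the status banner into its own top-level section in the rendered page and sidebar; a MyST `{note}` admonition or a blockquote is the right element for a banner, and the date should be written out (7 September 2025) since 9/7/25 reads as 9 July outside the US. The second hunk, adding the missing trailing newline after the last bullet, is fine.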
@@ -2,6 +2,9 @@ # Note 9/7/25: This Splunk Lab is in the process of being updated! Some of the processes mentioned are no longer relevant/applicable. Please take the time to reach out to either SOC Student Directors in person or on Discord to get updated steps! +## Note 9/7/25: This Splunk Lab is in the process of being updated! Some of the processes mentioned are no longer relevant/applicable. Please take the time to reach out to either SOC Student Directors in person or on Discord to get updated steps! + + ## Overview In this lab we will teach you how to setup your own Splunk server. You will also learn how you can forward logs from different endpoint devices to your Splunk logs, aka ingesting logs. After you get comfortable ingesting logs we will also be generating our own log sources and learning how we can ingest those logs too. From c810da7c04f95e5d4b12b564faa0fdcec8002a1c Mon Sep 17 00:00:00 2001 From: Tommy Phao <55013938+xdkaine@users.noreply.github.com> Date: Sun, 7 Sep 2025 16:46:47 -0700 Subject: [PATCH 16/47] undoing duplicate note page didnt rebuild and i thought the initial note didn't save rofl --- source/Splunk_Lab.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/source/Splunk_Lab.md b/source/Splunk_Lab.md index 1a02747..494e31b 100644 --- a/source/Splunk_Lab.md +++ b/source/Splunk_Lab.md 
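Review bot: the banner is now present twice, once as `#` and once as `##` directly beneath it, so the rendered page shows the notice back to back; the commit message explains that the page simply had not rebuilt, which is a reason to squash patches 14 through 17 into a single commit that adds the banner once (and preferably as an admonition rather than a heading) before merging.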
@@ -2,9 +2,6 @@ # Note 9/7/25: This Splunk Lab is in the process of being updated! Some of the processes mentioned are no longer relevant/applicable. Please take the time to reach out to either SOC Student Directors in person or on Discord to get updated steps! -## Note 9/7/25: This Splunk Lab is in the process of being updated! Some of the processes mentioned are no longer relevant/applicable. Please take the time to reach out to either SOC Student Directors in person or on Discord to get updated steps! - - ## Overview In this lab we will teach you how to setup your own Splunk server. You will also learn how you can forward logs from different endpoint devices to your Splunk logs, aka ingesting logs. After you get comfortable ingesting logs we will also be generating our own log sources and learning how we can ingest those logs too. From 38a3499982081dddf33d26e5edf1d32768e036c0 Mon Sep 17 00:00:00 2001 From: Tommy Phao <55013938+xdkaine@users.noreply.github.com> Date: Sun, 7 Sep 2025 16:48:12 -0700 Subject: [PATCH 17/47] bruh idk iongetit --- source/Splunk_Lab.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/Splunk_Lab.md b/source/Splunk_Lab.md index 494e31b..b65a8d0 100644 --- a/source/Splunk_Lab.md +++ b/source/Splunk_Lab.md 
@@ -1,6 +1,6 @@ # Welcome to the Splunk Lab -# Note 9/7/25: This Splunk Lab is in the process of being updated! Some of the processes mentioned are no longer relevant/applicable. Please take the time to reach out to either SOC Student Directors in person or on Discord to get updated steps! +## Note 9/7/25: This Splunk Lab is in the process of being updated! Some of the processes mentioned are no longer relevant/applicable. Please take the time to reach out to either SOC Student Directors in person or on Discord to get updated steps! ## Overview In this lab we will teach you how to setup your own Splunk server. You will also learn how you can forward logs from different endpoint devices to your Splunk logs, aka ingesting logs. After you get comfortable ingesting logs we will also be generating our own log sources and learning how we can ingest those logs too. From 030fcdf6c9a6aa48a30399098e65b62981a47366 Mon Sep 17 00:00:00 2001 From: tommy phao Date: Tue, 9 Sep 2025 18:52:33 -0700 Subject: [PATCH 18/47] grok is this true --- source/index.md | 1 + source/missile_map.md | 121 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 122 insertions(+) create mode 100644 source/missile_map.md diff --git a/source/index.md b/source/index.md index 5e60fbe..e398d1d 100644 --- a/source/index.md +++ b/source/index.md @@ -10,4 +10,5 @@ Volunteering Opportunities Getting Started (August 2025) Splunk Splunk Lab +Missile Map ``` \ No newline at end of file diff --git a/source/missile_map.md b/source/missile_map.md new file mode 100644 index 0000000..49c76c9 --- /dev/null +++ b/source/missile_map.md 
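Review bot: `Missile Map` in the toctree does not match the document name of the file added in this patch, `source/missile_map.md`, so Sphinx reports a nonexisting document for the entry and the new page is not linked from the index; use `missile_map` or `Missile Map <missile_map>`. The commit subject "grok is this true" also says nothing about what the commit does; a subject naming the new page would help anyone reading the history.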
@@ -0,0 +1,121 @@ +# How the Student SOC Implemented Missile Map! + +## Background + +After a major rebuild of the infrastructure at the Student Data Center, the Student Security Operations Center (SOC) found that many legacy monitoring processes no longer applied. One critical need was auditing GlobalProtect VPN activity to understand who was connecting to the network and from where. The SOC wanted better visibility into VPN usage and potential anomalies, especially given the changes post-rebuild. To achieve this, they leveraged Splunk SIEM for log collection and even integrated a special map visualization to track user VPN connections geographically. + +## Initial Challenges with VPN Log Queries + +In the beginning, querying the GlobalProtect VPN logs in Splunk for *"successful"* logins led to confusing and misleading results. The initial Splunk query was intended to filter for successful connection events, but it ended up including a huge volume of logs from around the world – even places like Russia, Africa, and Asia – suggesting hundreds of thousands of VPN login attempts. This was obviously alarming and pointed to something being off with the query or the logs forwarded. + +The root issue was that the log fields were ambiguous. Some events were being marked with fields: action or status with *"success"* even when the login actually failed. For example, certain logs showed an action field of *"success"* but, upon inspecting details, the same log would contain an error message like *"COPY AND PASTE WHAT IT REALLY WAS"*. In some cases, the username field (`src_user`) was literally set to `"success"`, which clearly was not a real user account but rather a misinterpreted field. These were false positives that made it look like users from all over the globe were connecting, when in reality they were failed login attempts or automated brute-force attempts being logged in a misleading way. 
+ +To illustrate the problem, the SOC’s first query was roughly: + +```splunk +index="netfw" sourcetype="pan:globalprotect" "success" src_user=* +| iplocation src_ip +| eval start_lat=lat, start_lon=lon, end_lat=34.0597, end_lon=-117.8200 +| stats count by src_user, start_lat, start_lon, end_lat, end_lon, src_ip +``` +and +```splunk +index="netfw" sourcetype="pan:globalprotect" "success" +| iplocation src_ip +| eval start_lat=lat, start_lon=lon, end_lat=34.0597, end_lon=-117.8200 +| stats count by src_user, start_lat, start_lon, end_lat, end_lon, src_ip +``` + +This attempted to find any logs with the term *"success"* and map their source IP locations. However, it swept up events that were not true successes. The resulting visualization showed an explosion of connection lines from virtually every continent, which was not an accurate picture of actual VPN usage. As shown below, the initial query’s output (on a world map) was cluttered with false-positive connections: + +*Initial query results showing numerous false-positive "success" logs globally* + +The team investigated a few suspicious log entries to understand why they were being counted as successful. They found, for instance, logs where the user field was set to “success” and the action was “success” as well – yet further details in the log indicated a bad password. In contrast, a truly successful login log would show a real username and no such error. The screenshot below compares a suspicious log vs. a clean log in Splunk: the left side event is flagged as *"success"* but is actually a failed login attempt (with an error in the details), whereas the right side is a genuine successful VPN connection event. + +*Comparison of a suspicious "success" log (left) vs. a genuine successful login log (right)* + +This initial hurdle highlighted that not all *"success"* logs were equal. The SOC needed a better way to filter the data so that only true successful VPN connections would be visualized. 
+ +## Portal Types Overview + +While auditing the GlobalProtect logs to solve the above mystery, the team discovered that logs referenced multiple “portal” types. GlobalProtect has a concept of portals and gateways, and the logs contained a field (`portal`) that could take on values like `gp-user`, `gp-user-portal`, `gp-mgmt`, `gp-mgmt-portal`, etc. Through careful analysis and by correlating with known VPN URLs, the SOC deciphered the meaning of each: + +* **`gp-mgmt-portal`**: This corresponds to the main GlobalProtect management portal – essentially the web interface or SSO login portal used by authorized users. In our case, this is the portal at `mgmt.sdc.cpp.edu` that staff would normally use to authenticate (it uses single-sign-on/SAML for authentication). It handles the user login process (authenticating credentials via SSO) before the VPN tunnel is established. +* **`gp-mgmt`**: This refers to the GlobalProtect gateway management process that takes over after a user is authenticated. Once you successfully log in via the portal, the system uses `gp-mgmt` to actually set up the VPN connection (assign an IP, establish the tunnel, etc.). In short, `gp-mgmt` events are part of establishing the connection once credentials are validated. +* **`gp-user-portal`**: This turned out to be a secondary (and deprecated) user portal that does not use SSO. In our environment this was the URL `vpn.sdc.cpp.edu`, which presents a simple username/password login screen. It was legacy and supposed to be retired, but our audit revealed it was still running. Essentially, `gp-user-portal` logs indicate someone using this older portal login page (likely with a local account credential). We only discovered its significance when we noticed logins coming from external universities and unexpected locations – those users were accessing this portal during special events. +* **`gp-user`**: Similar to `gp-mgmt` above, `gp-user` refers to the connection process initiated via the user portal. 
If someone logs in through the `gp-user-portal` (the old login page), the system then generates `gp-user` events to handle the VPN connection setup for that session. + +The SOC initially assumed only one portal was relevant (the main SSO portal `mgmt.sdc.cpp.edu`) and perhaps also the campus-wide VPN (`vpn.connect.cpp.edu` managed by central IT). The log analysis, however, exposed that two different portal interfaces were in play for the Student Data Center: the expected SSO portal and the forgotten legacy portal. This discovery was pivotal – it explained why there were logs of connections from places and organizations that didn’t line up with our usual user base. Those turned out to be external participants (for instance, students from other universities) who were given access during events like SWIFT competitions or tryouts, using the legacy portal that was opened up for them. + +## Security Concerns with the Legacy Portal + +Uncovering the existence of `vpn.sdc.cpp.edu` (the `gp-user-portal`) raised immediate security concerns. This portal uses only a basic username/password authentication without the protection of single sign-on or multifactor, and it was exposed to the internet for the sake of external user access. As a result, it had become a target for brute-force login attempts. The Splunk logs clearly showed automated attacks hitting this portal – the source of the “success” noise was largely bots or malicious actors trying to guess passwords on the public-facing login page. + +Having a deprecated portal publicly accessible is a risk, but at the time the SOC faced a dilemma: they needed this portal to remain available during certain external events (where non-Cal Poly users needed VPN access to participate, and those users could not use our SSO). During events like the SWIFT tryouts, the legacy portal was intentionally left open so outside participants could log in with credentials we provided them. 
This was a temporary necessity that unfortunately expanded our attack surface. + +The screenshot below shows what the `vpn.sdc.cpp.edu` login interface looks like – a simple login form without SSO. This simplicity is exactly what makes it a brute-force target, as any internet user can reach this page and attempt to log in: + +*Legacy VPN Portal login page (vpn.sdc.cpp.edu) with basic username/password prompt* + +### Brute-force exposure +With just a username and password field and no second-factor or SSO, bots around the world constantly probed this portal. The SOC observed many login attempts from foreign IPs (which initially masqueraded in the logs as “successful” due to the logging quirk). This underscored the importance of a plan to either better secure this portal (rate limiting, MFA, or network restrictions) or fully decommission it as soon as external-event needs allow. + +## Improved Log Fingerprinting for True Successes + +To filter out the noise and focus only on truly successful VPN connections, the SOC refined their Splunk queries using a more reliable field: `event_id`. By examining the available event identifiers in the GlobalProtect logs (Splunk makes it easy to see distinct field values, as shown below), they found that one specific event code consistently corresponds to a completed VPN login. The `event_id` field value `gateway-connected` is logged only when a GlobalProtect client has successfully connected to the gateway (i.e., the VPN tunnel is fully established)[1]. This is exactly the kind of event they wanted to track. + +*Splunk interface showing sample event_id field values (including "gateway-connected")* + +According to Palo Alto Networks’ documentation, a `gateway-connected` event “indicates a GlobalProtect client successful connection for tunnel or non-tunnel mode”[1] – in other words, a real VPN session. Armed with this knowledge, the SOC adjusted their Splunk search to zero in on those events and ignore the rest. 
They also narrowed the search to the relevant portals (`gp-mgmt` and `gp-user`, which are the ones that produce the gateway connection logs after authentication). + +The refined Splunk query looked something like this: + +```splunk +index="netfw" sourcetype="pan:globalprotect" (portal="gp-mgmt" OR portal="gp-user") event_id="gateway-connected" src_user=* +| iplocation src_ip +| eval start_lat=lat, start_lon=lon, end_lat=34.0597, end_lon=-117.8200 +| stats count by action, src_user, src_ip, start_lat, start_lon, end_lat, end_lon +``` + +Let’s break down what this does: +- **Base search**: We search the firewall logs (`index="netfw"`) of type `pan:globalprotect` for events where the `portal` field is either `gp-mgmt` or `gp-user` (i.e. the connection-establishment stage for either portal) and `event_id="gateway-connected"`. We also ensure `src_user=*` to pick up only events tied to a user account (excluding any system or empty entries). +- **Geo IP lookup**: Using Splunk’s `iplocation` command on the source IP (`src_ip`) populates latitude (`lat`) and longitude (`lon`) fields based on geo-IP data. +- **Define map coordinates**: We then create `start_lat`/`start_lon` from the looked-up coordinates (the user’s approximate location), and set a fixed `end_lat`/`end_lon` corresponding to our campus’s CLA Building location (roughly 34.06 N, -117.82 W in Pomona, CA). This essentially prepares the data for mapping an arc from the user to the campus. +- **Stats aggregation**: Finally, we use `stats count by ...` to group events. In practice, for visualization we might not even need the count, but this method ensures we have one line per unique combination of user and location. The `action` field (which in these events should indicate "success/allow") can also be included just for reference. + +With this refined “fingerprint” query, false positives disappeared. Only genuine successful VPN connection events were returned. 
The volume of events was now sane (e.g., dozens per day instead of thousands) and the sources were all expected user locations. This was the “silver bullet” the team was looking for to get clean data for visualization. + +## Missile Map Implementation (Geographic VPN Visualization) + +Having obtained clean data on successful VPN connections, the SOC proceeded to implement the Missile Map visualization in Splunk. Missile Map is a Splunk app/visualization that displays data as arcs on a world map[2] – much like the “cyber attack” maps often seen in security dashboards. Each arc requires a starting and ending coordinate. In our case, the starting point is the geographic location of the user’s IP address, and the ending point is the fixed location of Cal Poly Pomona’s CLA Tower (representing our data center). + +We configured the Missile Map by providing it the fields it expects (our query already yielded `start_lat`, `start_lon`, `end_lat`, `end_lon` for each event)[3]. We chose a fixed color for the arcs and set the map’s center/zoom to focus on the areas of interest. Every time a new VPN login occurs and meets our query criteria, the dashboard displays a new arc from the user’s city to campus. Because all arcs share the same destination (Pomona, CA), the visualization looks like a set of missiles or arrows converging on a single point – hence the name “Missile Map.” + +We also included additional context in the data points if needed. For example, we could label arcs with the username or mark if an event came from the legacy portal vs the main portal (using different colors or labels). In this case, since we filtered out the legacy portal’s unsuccessful noise and only tracked actual connections, most arcs represent valid user sessions. If any unusual connection does appear (say, a valid login from an atypical country), it stands out prominently on the map for further investigation. + +Below is a placeholder for what the final Missile Map dashboard looks like. 
The real visualization shows a world map with arcs originating from various user locations (across the U.S. and occasionally abroad) all terminating at the CLA Building location in California: + +*Missile Map visualization of VPN connections (each arc from user’s geolocation to campus)* + +*Figure: The Missile Map in Splunk showing successful VPN connections. Each arc represents a user VPN session connecting from the origin (determined by IP geolocation) to the campus network (destination fixed at CLA Building coordinates). We can see, for example, connections coming from other parts of California, some from out-of-state (perhaps students traveling or out-of-state participants during events), and so on. The map gives an immediate sense of where users are connecting from and can reveal patterns (like clusters of connections from an unexpected region).* + +By integrating this Missile Map, the Student SOC significantly improved its situational awareness. Rather than combing through text logs, analysts can glance at the dashboard and spot if something looks off (such as an arc from an unusual country or an unusually high number of arcs at once which might indicate a surge in usage or an event). + +## Data Anomalies & Lessons Learned + +Throughout this project, a few anomalies were discovered in the data, underscoring lessons for the team: +- **Geo-IP mismatches**: On a few occasions, the user’s IP address and the provided geolocation did not line up. For example, one user’s IP traced to a Southern California ISP, yet the latitude/longitude from `iplocation` placed the point in New York. In another case, a user’s IP was clearly from Florida, but the geo lookup showed a location in Illinois. These discrepancies might be due to outdated GeoIP data, VPN exit nodes, or how GlobalProtect reports location (possibly using a different source of geo info). 
It was a reminder that GeoIP isn’t 100% accurate – we saw “Florida user connecting from Illinois” which prompted us to double-check those cases manually. +- **False success logs**: We learned that not all log fields mean what one might assume at face value. The presence of *"success"* in a log message or an action field did not always indicate a successful login. This was a critical lesson: always validate using reliable fields (in our case, `event_id="gateway-connected"` was the reliable indicator of success). +- **Legacy portal noise**: The fact that a deprecated portal was still running led to a lot of noise in the logs. This taught us the importance of maintaining an accurate inventory of active services. If something is supposed to be retired but isn’t, it can both pose a security risk and muddy your monitoring data. We’ve since communicated this to the infrastructure team. The plan is to properly decommission or lock down `vpn.sdc.cpp.edu` when external events are not happening, and to explore more secure ways to grant guest access when they are. +- **Visualization value**: Implementing the Missile Map has proven the value of visualization in security operations. Issues that were not obvious from raw logs became very clear when plotted geographically. For instance, seeing a line from an unexpected country immediately raises a flag to investigate if that was a legitimate user or something that slipped through. +- **Continuous tuning**: Finally, we recognize that our queries and dashboards will need continuous tuning. As a next step, we might incorporate additional filters (for example, excluding any log where `src_user` equals `"success"` just as an extra sanity check, or updating our GeoIP database to the latest version to improve accuracy). We’re also considering setting up alerts for unusual patterns, such as multiple VPN connections from one foreign country in a short time or connections from countries where we normally have no users. 
+ +## Summary + +The Student SOC’s implementation of the Missile Map was a success – both in terms of the technical Splunk solution and in the lessons learned along the way. We now have a clear, real-time view of VPN login activity, and we’ve hardened our approach to analyzing logs (focusing on the right markers and understanding the data better). This project not only helps us audit VPN usage but also has improved our security posture by highlighting an overlooked exposure and by giving us a tool to spot abnormal connection locations at a glance. The journey involved unraveling confusing logs, learning the ins and outs of GlobalProtect portals, and ultimately integrating an innovative visualization to make sense of it all. The result is an informative documentation and a powerful operations dashboard that can be used by future Student SOC members to monitor and investigate VPN activities efficiently. + +--- + +[1] [Event Descriptions for the GlobalProtect Logs in PAN-OS](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/logging-for-globalprotect-in-pan-os/event-descriptions-for-the-globalprotect-logs-in-pan-os) + +[2, 3] [GitHub - lukemonahan/missile_map: Missile Map Splunk visualisation](https://github.com/lukemonahan/missile_map) From 6f828cca4784124fc272e76941879f0dd46c27b8 Mon Sep 17 00:00:00 2001 From: tommy phao Date: Fri, 12 Sep 2025 15:03:13 -0700 Subject: [PATCH 19/47] added link to install gp --- source/getting_started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/getting_started.md b/source/getting_started.md index 4f49499..9d1b58d 100644 --- a/source/getting_started.md +++ b/source/getting_started.md 
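Review bot: the refined base search still admits the literal username `"success"` through `src_user=*`, and the Lessons Learned bullet only proposes excluding it "as a next step"; since the page already identifies that value as a mislabelled field, add the exclusion now, e.g. `... event_id="gateway-connected" src_user=* src_user!="success"`, so the dashboard does not depend on `event_id` alone. Two smaller points in the same hunk: "roughly 34.06 N, -117.82 W" mixes a negative sign with a W suffix (use one convention, `34.06 N, 117.82 W`), and "Below is a placeholder for what the final Missile Map dashboard looks like" is followed by italic captions but no image, so either attach the screenshot or drop the placeholder sentence. The combined citation entry `[2, 3]` is also unusual; give the two in-text references their own numbered entries or cite a single number.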
@@ -9,7 +9,7 @@ All operations done on either side will require you to connect to our VPN to acc ## VPN Access Setup 1. **Request Access**: Please fill out this Microsoft Form for User Access to our VPN. [Form](https://forms.cloud.microsoft/r/5BtvPPTJku) -2. **Install VPN Client**: If you have never logged in to Kamino, please install Palo Alto's GlobalProtect application. We are now completing authentication using Cal Poly Pomona's SSO. +2. **Install VPN Client**: If you have never logged in to Kamino, please install Palo Alto's GlobalProtect application. We are now completing authentication using Cal Poly Pomona's SSO. [GlobalProtect](https://vpn.connect.cpp.edu) 3. **Initial Connection**: - After installing the application, you will be prompted with the following windows - When asked to enter our Portal Address use: `mgmt.sdc.cpp.edu` From e279dfe3f14354f9ace537db5317b72e152014bf Mon Sep 17 00:00:00 2001 From: Eric Heng Date: Fri, 12 Sep 2025 17:07:08 -0700 Subject: [PATCH 20/47] updated language --- source/Splunk_Lab.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/source/Splunk_Lab.md b/source/Splunk_Lab.md index b65a8d0..d64c5f2 100644 --- a/source/Splunk_Lab.md +++ b/source/Splunk_Lab.md 
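Review bot: the new `[GlobalProtect](https://vpn.connect.cpp.edu)` link is appended to the "Install VPN Client" step without saying what it is, while step 3 tells the reader the Portal Address is `mgmt.sdc.cpp.edu`; label it as the client download site (for example "download the client from the campus GlobalProtect portal: ...") so nobody pastes it into the Portal Address field. PATCH 20 in this same series links GlobalProtect to a PDF on foundation.cpp.edu instead, so the two pages should agree on one install reference.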
@@ -3,29 +3,29 @@ ## Note 9/7/25: This Splunk Lab is in the process of being updated! Some of the processes mentioned are no longer relevant/applicable. Please take the time to reach out to either SOC Student Directors in person or on Discord to get updated steps! ## Overview -In this lab we will teach you how to setup your own Splunk server. You will also learn how you can forward logs from different endpoint devices to your Splunk logs, aka ingesting logs. After you get comfortable ingesting logs we will also be generating our own log sources and learning how we can ingest those logs too. +In this lab we will teach you how to setup your own Splunk server. You will also learn how you can forward logs from different endpoints to your Splunk logs, aka ingesting logs. After ingesting logs, we will also be generating our own log sources and learning how we can ingest those logs too. ### Technologies you will use -- Splunk Enterprise +- Splunk - Splunk Universal Forwarder - Linux - Debian - Windows - Sysmon -As more and more people complete the beginner lab we will start working on a more advanced lab for people interested in learning more about Splunk. +As more people complete the beginner lab, we will start working on a more advanced lab for people interested in learning more about Splunk. ## Lab Structure 1. We give you a task. We want you to figure out as much as you can by yourself so the instructions will be very minimal. -2. If you get stuck on a task feel free to take a look at the hints section. +2. If you get stuck on a task, feel free to take a look at the hints section. 3. Don't be discouraged as we also share the answers. ## Setup -You have 2 options for this lab. To follow along this lab you can either use the SDC cloud or use your local machine to build the lab. I recommend the SDC cloud as it is simpler than trying to install your own virtual machine on your own computer. +You have 2 options for this lab. 
To follow along this lab you can either use the SDC cloud or use your local machine to build the lab. I recommend the SDC cloud as it is simpler than trying to install your own virtual machines on your own computer. ### Cloud instance -1. First you will need to download and install [Pritunl](https://client.pritunl.com/#install) +1. First, download and install [GlobalProtect](https://foundation.cpp.edu/content/f/d/IT/Public-Installing%20Agent%20for%20VPN%20Connection.pdf) 2. Next contact the Student Data Center to get VPN credentials From 4aa9cfed1ddce85e9172f3d2be240e623fa1eec0 Mon Sep 17 00:00:00 2001 From: xdkaine <55013938+xdkaine@users.noreply.github.com> Date: Sat, 13 Sep 2025 13:45:14 -0700 Subject: [PATCH 21/47] Added Images (using our static-site as our CDN rofl) Updated error messages that were meant to be updated Updated a few queries to better improve the story. --- source/missile_map.md | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/source/missile_map.md b/source/missile_map.md index 49c76c9..64510f7 100644 --- a/source/missile_map.md +++ b/source/missile_map.md 
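Review bot: changing `- Splunk Enterprise` to `- Splunk` in the technologies list loses the distinction the lab depends on: the server task installs the Splunk Enterprise Trial and the Universal Forwarder is listed directly beneath it, so `Splunk Enterprise` was the more precise entry and should stay. Note also that this diff is cut against `index b65a8d0`, the same base PATCH 24 later uses while rewriting these same Overview and Setup lines from the original wording, so one of the two patches will conflict or silently drop the other's edits (including the GlobalProtect PDF link added here); rebase before merging.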
@@ -8,31 +8,32 @@ After a major rebuild of the infrastructure at the Student Data Center, the Stud In the beginning, querying the GlobalProtect VPN logs in Splunk for *"successful"* logins led to confusing and misleading results. The initial Splunk query was intended to filter for successful connection events, but it ended up including a huge volume of logs from around the world – even places like Russia, Africa, and Asia – suggesting hundreds of thousands of VPN login attempts. This was obviously alarming and pointed to something being off with the query or the logs forwarded. -The root issue was that the log fields were ambiguous. Some events were being marked with fields: action or status with *"success"* even when the login actually failed. For example, certain logs showed an action field of *"success"* but, upon inspecting details, the same log would contain an error message like *"COPY AND PASTE WHAT IT REALLY WAS"*. In some cases, the username field (`src_user`) was literally set to `"success"`, which clearly was not a real user account but rather a misinterpreted field. These were false positives that made it look like users from all over the globe were connecting, when in reality they were failed login attempts or automated brute-force attempts being logged in a misleading way. +The root issue was that the log fields were ambiguous. Some events were being marked with fields: action or status with *"success"* even when the login actually failed. For example, certain logs showed an action field of *"success"* but, upon inspecting details, the same log would contain an error message like *"Authentication failed: Invalid username or password +"*. In some cases, the username field (`src_user`) was literally set to `"success"`, which clearly was not a real user account but rather a misinterpreted field. 
These were false positives that made it look like users from all over the globe were connecting, when in reality they were failed login attempts or automated brute-force attempts being logged in a misleading way. + +![Raw user Logs](https://www.cppsoc.xyz/assets/documentation/missile-map/missile_map1.jpg) +![Redacted fields but user is known as 'success'](https://www.cppsoc.xyz/assets/documentation/missile-map/missile_map2.jpg) To illustrate the problem, the SOC’s first query was roughly: ```splunk -index="netfw" sourcetype="pan:globalprotect" "success" src_user=* -| iplocation src_ip -| eval start_lat=lat, start_lon=lon, end_lat=34.0597, end_lon=-117.8200 -| stats count by src_user, start_lat, start_lon, end_lat, end_lon, src_ip -``` -and -```splunk -index="netfw" sourcetype="pan:globalprotect" "success" +index="netfw" sourcetype="pan:globalprotect" status=success | iplocation src_ip | eval start_lat=lat, start_lon=lon, end_lat=34.0597, end_lon=-117.8200 -| stats count by src_user, start_lat, start_lon, end_lat, end_lon, src_ip +| stats count by start_lat, start_lon, end_lat, end_lon, src_ip ``` This attempted to find any logs with the term *"success"* and map their source IP locations. However, it swept up events that were not true successes. The resulting visualization showed an explosion of connection lines from virtually every continent, which was not an accurate picture of actual VPN usage. As shown below, the initial query’s output (on a world map) was cluttered with false-positive connections: - -*Initial query results showing numerous false-positive "success" logs globally* + *Note: image below was taken on 9/13 and I restricted the view to up to 9 hours for the purposes of proper and useful visualization* +![Redacted fields but user is known as 'success'](https://www.cppsoc.xyz/assets/documentation/missile-map/missile_map3.jpg) The team investigated a few suspicious log entries to understand why they were being counted as successful. 
They found, for instance, logs where the user field was set to “success” and the action was “success” as well – yet further details in the log indicated a bad password. In contrast, a truly successful login log would show a real username and no such error. The screenshot below compares a suspicious log vs. a clean log in Splunk: the left side event is flagged as *"success"* but is actually a failed login attempt (with an error in the details), whereas the right side is a genuine successful VPN connection event. *Comparison of a suspicious "success" log (left) vs. a genuine successful login log (right)* +![Logins where usernames are marked as 'success'](https://www.cppsoc.xyz/assets/documentation/missile-map/missile_map4.jpg) +![Splunk View of those incorrectly marked logs'](https://www.cppsoc.xyz/assets/documentation/missile-map/missile_map5.jpg) +Below is a proper login where an individual logged out and fields are marked properly, redacted parts are PII. +![Redacted Image of a Proper Login by Bill :D'](https://www.cppsoc.xyz/assets/documentation/missile-map/missile_map6.jpg) This initial hurdle highlighted that not all *"success"* logs were equal. The SOC needed a better way to filter the data so that only true successful VPN connections would be visualized. 
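Review bot: the replacement error message is split across two `+` lines (`*"Authentication failed: Invalid username or password` followed by `"*.` on the next line), which breaks the italic and quote markup in the rendered page; join it into one line. The example query now reads `status=success`, but the sentence after it still says the query "attempted to find any logs with the term *"success"*", so update the prose to match the field-based search, and say whether `src_user` was dropped from the `stats` clause deliberately. The image alt texts `'Splunk View of those incorrectly marked logs'` and `'Redacted Image of a Proper Login by Bill :D'` carry a stray trailing apostrophe, and the second one names a person in the caption of an image that the text says was redacted for PII; remove the name.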
@@ -56,6 +57,7 @@ Having a deprecated portal publicly accessible is a risk, but at the time the SO The screenshot below shows what the `vpn.sdc.cpp.edu` login interface looks like – a simple login form without SSO. This simplicity is exactly what makes it a brute-force target, as any internet user can reach this page and attempt to log in: *Legacy VPN Portal login page (vpn.sdc.cpp.edu) with basic username/password prompt* +![Legacy Portal](https://www.cppsoc.xyz/assets/documentation/missile-map/missile_map7.jpg) ### Brute-force exposure With just a username and password field and no second-factor or SSO, bots around the world constantly probed this portal. The SOC observed many login attempts from foreign IPs (which initially masqueraded in the logs as “successful” due to the logging quirk). This underscored the importance of a plan to either better secure this portal (rate limiting, MFA, or network restrictions) or fully decommission it as soon as external-event needs allow. From de69f0783a80363f04b32fc68ef37a2f6cacdb09 Mon Sep 17 00:00:00 2001 From: xdkaine <55013938+xdkaine@users.noreply.github.com> Date: Sat, 13 Sep 2025 13:55:03 -0700 Subject: [PATCH 22/47] volunteer text --- source/Volunteers.md | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/source/Volunteers.md b/source/Volunteers.md index 8dacfec..997a4c7 100644 --- a/source/Volunteers.md +++ b/source/Volunteers.md 
@@ -20,4 +20,31 @@ All Cal Poly Pomona students are welcome to volunteer at the Security Operations **How can you start?** - Join our discord server -> [Join](https://discord.gg/yYGXJmb3d2) -- Visit the SOC on campus -> Building 98 5C-15 \ No newline at end of file +- Visit the SOC on campus -> Building 98 5C-15 + +--- + +## 📚 Contribute to Our Documentation! + +**Why is documentation important?** +- Documentation helps us keep a clear, detailed record of our work and processes. +- It empowers students to learn and improve their understanding of how the SDC and SOC operate. + +**How can you help?** +- Take initiative! Help us write and improve documentation to support our organization and your peers. +- Our GitHub Organization ([cpp-soc](https://wiki.cppsoc.xyz/)) is public and open for contributions via pull requests. + +**Getting Started:** +1. **Fork or create a new branch** from `main` or `master`. +2. **Create or edit a Markdown file** in + ``` + documentation/source/ + ``` +3. **For new pages:** + - Update + ``` + documentation/source/index.md + ``` + so your page appears in the sidebar! +4. **Adding images:** + - If you can't add images directly to RTD Source, you can host them at [cppsoc.xyz](https://cppsoc.xyz). From 6e6ba54a8e4c85433fe64d89bb3a4eefdfc35107 Mon Sep 17 00:00:00 2001 From: tommy phao Date: Mon, 15 Sep 2025 15:57:07 -0700 Subject: [PATCH 23/47] initial commit --- source/AD_Lab.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 source/AD_Lab.md diff --git a/source/AD_Lab.md b/source/AD_Lab.md new file mode 100644 index 0000000..fbf9d27 --- /dev/null +++ b/source/AD_Lab.md 
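Review bot: the link labelled "Our GitHub Organization ([cpp-soc](https://wiki.cppsoc.xyz/))" points at the wiki, not at a GitHub URL, so readers looking for the repository to open a pull request land on the rendered docs; point it at the GitHub organization or reword the label. The contributor paths `documentation/source/` and `documentation/source/index.md` also disagree with the paths in this series (`source/index.md`, `source/Splunk.md`), so confirm which repository layout contributors see. "Fork or create a new branch from `main` or `master`" should name the actual default branch.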
@@ -0,0 +1,33 @@ +# Active Directory Lab Setup + +## Introduction + +This guide provides a step-by-step walkthrough for setting up a basic Active Directory lab environment. You will learn how to configure a Domain Controller (DC), manage static IPs, create a domain, and join client machines to that domain. Additionally, we will cover DNS record creation and log forwarding. + +## Lab Objectives + +This lab simulates a typical corporate or homelab infrastructure, enabling you to: +- Centralize user authentication and management. +- Regulate user access to devices. +- Establish a secure process for network and computer access. + +This lab integrates concepts from **Networking**, **Infrastructure**, and **Security**. + +## Requirements + +To complete this lab, you will need the following: + +1. **GlobalProtect**: To access the SDC Environment. +2. **Windows Server 20XX**: To act as our Primary DC. +3. **Windows Server 20XX**: To act as our Secondary DC for fault tolerance. +4. **Windows 1X**: To act as a client machine. +5. **Windows 1X**: To act as another client machine. +6. **Linux**: To act as our Splunk Server for log forwarding and AD-based authentication. + +**Note on Fault Tolerance:** Having a secondary DC is crucial for redundancy and backup, as services can fail unexpectedly. + +These Windows VMs should be generated from a template. If not, ensure you have four VMs that can communicate with each other, preferably on the same VLAN. + +## Lab Setup: Primary Domain Controller + +Let's begin by configuring our first VM, **Windows Server 2025**, as the Primary DC. From af3bf5f0d70f89555ff9608f38222abfd1f7c779 Mon Sep 17 00:00:00 2001 From: tommy phao Date: Mon, 15 Sep 2025 17:22:43 -0700 Subject: [PATCH 24/47] updating language --- source/Splunk_Lab.md | 52 ++++++++++++++++++++++---------------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/source/Splunk_Lab.md b/source/Splunk_Lab.md index b65a8d0..1e291f4 100644 --- a/source/Splunk_Lab.md 
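Review bot: the requirements list enumerates five VMs (two Windows Server, two Windows clients, one Linux) but the note below says "ensure you have four VMs that can communicate with each other"; reconcile the count. The versions are left as placeholders (`Windows Server 20XX`, `Windows 1X`) while the last line names `Windows Server 2025` for the Primary DC, so fill in the versions the template actually provides. "Establish a secure process for network and computer access" would read better as a concrete objective, e.g. which access controls the lab exercises (group membership, device join, log forwarding).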
+++ b/source/Splunk_Lab.md @@ -1,9 +1,7 @@ # Welcome to the Splunk Lab -## Note 9/7/25: This Splunk Lab is in the process of being updated! Some of the processes mentioned are no longer relevant/applicable. Please take the time to reach out to either SOC Student Directors in person or on Discord to get updated steps! - ## Overview -In this lab we will teach you how to setup your own Splunk server. You will also learn how you can forward logs from different endpoint devices to your Splunk logs, aka ingesting logs. After you get comfortable ingesting logs we will also be generating our own log sources and learning how we can ingest those logs too. +In this lab we will teach you how to setup your own Splunk server. You will also learn how you can forward logs from different endpoint devices to your Splunk logs, aka ingesting logs. After you get comfortable ingesting logs we will also be generating our own log sources and learning how we can ingest those logs too. At the end of this lab you should be comfortable with operating between different operating systems, familiarity with terminal and how to parse different types of logs across different operating systems ### Technologies you will use - Splunk Enterprise 
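Review bot: this patch is cut against `index b65a8d0`, the same base as PATCH 20, and its `-` line is the pre-PATCH-20 wording ("endpoint devices", "After you get comfortable ingesting logs"), so applied after PATCH 20 it either fails or discards that patch's edits; rebase it onto `d64c5f2`. The appended sentence "At the end of this lab you should be comfortable with operating between different operating systems, familiarity with terminal and how to parse different types of logs" is not parallel and has no terminating period; something like "you should be comfortable moving between operating systems, using a terminal, and parsing different types of logs across them." reads cleanly.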
@@ -21,44 +19,39 @@ As more and more people complete the beginner lab we will start working on a mor ## Setup -You have 2 options for this lab. To follow along this lab you can either use the SDC cloud or use your local machine to build the lab. I recommend the SDC cloud as it is simpler than trying to install your own virtual machine on your own computer. - -### Cloud instance - -1. First you will need to download and install [Pritunl](https://client.pritunl.com/#install) +To follow along this lab you can use the Student Data Center to provision your virtual machines and get comfortable with the remote/cloud environment. Setting this up locally on your own hardware is possible but these instructions will not outline the setup there. -2. Next contact the Student Data Center to get VPN credentials +### Setup #2 -3. Import the profile provided to you by the MC Hill bot. Dont enter a profile url +1. Start reading through [Getting Started](https://wiki.cppsoc.xyz/en/latest/getting_started.html) -4. Once Imported, connect to the sdc_vpn and use the credentials given to you +2. Request Login Credentials (AD) from a Student Director -5. Open up a web browser and navigate to https://kamino.calpolyswift.org/#/ +3. Login to [Kamino](https://kamino.sdc.cpp) -6. Register an account and login +4. Create a pod based off our Template: SOC intro splunk lab - Splunk Lab 2025 -7. Create a pod +5. Provisioning these pods takes a bit of time, refresh the page periodically to see if 3 Virtual Machines create and 1 pfSense Router -8. In a new tab navigate to https://elsa.sdc.cpp/ +6. Login to [Proxmox VE](https://proxmox.sdc.cpp) to see your provisioned virtual machines in detailed + - After you login we recommend changeing your view mode at the top left to 'Pool View' to better see the VMs and Resource Pool Assigned to you -9. Login using the account you created in step 6 - -10. Power on the VMs provided +7. Power on the VMs provided to you You are now ready to start the lab. 
+## Tip #1 + +The SDC is running into internet speed issues depending on where your Virtual Machine is being hosted at. In more detail, depending on your Virtual Machine's location, your download speeds over the WAN might be at kb/s when downloading packages etc. -### Local Instance +A cool workaround we have at the moment is that the LAN is not speed limited at all so if you have a machine that is on the same network (Your Laptop or PC connected to GlobalProtect VPN) you can use a command-line utitlty called 'scp' - Secure Copy to actually copy files through your remote shell over to the target machine. This will make more sense for Task #1 specifically but this is your introduction to the idea of 'scp'. -1. Download and install Virtual Box or Vmware Player -2. Download the Debian ISO file -3. Create a new VM using the Debian ISO file -4. Start the VM -Install Splunk on a debian machine. +## Tip #2 +On top of that, will that pfSense router provisoned to you, your VMs in your resource pool are 'externally' accessible! Externally in quotes because anyone on the GlobalProtect VPN can access it, if they know the subnet and IP of your machines. Not externally meaning on the WAN of the GlobalProtect router. So using 'scp' command-line in combination of knowing how the router is configured will allow you to do many more things outside of the 'Proxmox Virtual Environment' but allow you to SSH into your Virtual Machines and or RDP into your Windows Clients -## Task 1 - Setting up Splunk Server -After you complete the setup of the lab, we will now work with the vm called "debian". +## Task 1 - Setting up Splunk Enterprise Server +After you complete the setup of the lab, we will now work with the VM called "server-debian-clone". The task is to create our very own Splunk server. When I say create I simply mean install the Splunk Enterprise Trial. So see if you can install that on the debian vm. 
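Review bot: Tip #2 tells students that anyone on the GlobalProtect VPN who knows their subnet and IP can reach their VMs over SSH or RDP, but gives no hardening guidance alongside that; add a sentence telling them to change any shared credentials the template ships with and to keep SSH/RDP limited to their own host (for example with pfSense rules) before relying on that reachability. Smaller items in the same hunk: the heading `### Setup #2` has no Setup #1 now that the local-instance option was removed; "see if 3 Virtual Machines create and 1 pfSense Router" and "see your provisioned virtual machines in detailed" need rewording; and `changeing`, `utitlty`, `provisoned` and "will that pfSense router" (should be "with") are typos.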
@@ -91,6 +84,13 @@ Download the Splunk Enterprise Trial with the command below wget -O splunk-9.2.1-78803f08aabb-linux-2.6-amd64.deb "https://download.splunk.com/products/splunk/releases/9.2.1/linux/splunk-9.2.1-78803f08aabb-linux-2.6-amd64.deb" + +If you are struggling to use wget, moreover download speeds are in the kb/s, your machine is most likely affected by the download speed issue. Try downloading that exact file onto your machine (yes, your macbook or laptop) and run the following command line utility + +scp ./splunk.deb root@172.16.x.xxx:/scp + +This block of code serves to be a basic usage of how scp command utility works and how you can use it right on your machine to communicate to your virtual machine. +
Navigate to the folder you downloaded the file and run the command From 355d0637f055334bfad6f0809ded55fb4e33d90a Mon Sep 17 00:00:00 2001 From: tommy phao Date: Mon, 15 Sep 2025 17:36:23 -0700 Subject: [PATCH 25/47] updated language --- source/Splunk_Lab.md | 47 ++++++++++++++++++++++++++++---------------- 1 file changed, 30 insertions(+), 17 deletions(-) diff --git a/source/Splunk_Lab.md b/source/Splunk_Lab.md index 1e291f4..909947f 100644 --- a/source/Splunk_Lab.md +++ b/source/Splunk_Lab.md 
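Review bot: the scp example `scp ./splunk.deb root@172.16.x.xxx:/scp` does not line up with the surrounding steps: the local file is called `splunk.deb` while the `wget -O` line above saves it as `splunk-9.2.1-78803f08aabb-linux-2.6-amd64.deb`, and the remote destination `/scp` is a directory that this hunk never creates, so the following "Navigate to the folder you downloaded the file" step will not find it. Use the same filename on both sides and a destination that exists, e.g. `scp ./splunk-9.2.1-78803f08aabb-linux-2.6-amd64.deb <user>@172.16.x.xxx:/tmp/`, and prefer a non-root account over `root@`, since the example otherwise assumes password-based root SSH on the VM.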
@@ -40,15 +40,15 @@ To follow along this lab you can use the Student Data Center to provision your v You are now ready to start the lab. -## Tip #1 +## Tips -The SDC is running into internet speed issues depending on where your Virtual Machine is being hosted at. In more detail, depending on your Virtual Machine's location, your download speeds over the WAN might be at kb/s when downloading packages etc. +> **Tip #1: Slow Download Speeds?** +> The SDC is running into internet speed issues depending on where your Virtual Machine is being hosted. In more detail, depending on your Virtual Machine's location, your download speeds over the WAN might be at kb/s when downloading packages etc. +> +> A cool workaround we have at the moment is that the LAN is not speed limited at all. If you have a machine that is on the same network (Your Laptop or PC connected to GlobalProtect VPN), you can use a command-line utility called `scp` (Secure Copy) to actually copy files through your remote shell over to the target machine. This will make more sense for Task #1 specifically, but this is your introduction to the idea of `scp`. -A cool workaround we have at the moment is that the LAN is not speed limited at all so if you have a machine that is on the same network (Your Laptop or PC connected to GlobalProtect VPN) you can use a command-line utitlty called 'scp' - Secure Copy to actually copy files through your remote shell over to the target machine. This will make more sense for Task #1 specifically but this is your introduction to the idea of 'scp'. - -## Tip #2 - -On top of that, will that pfSense router provisoned to you, your VMs in your resource pool are 'externally' accessible! Externally in quotes because anyone on the GlobalProtect VPN can access it, if they know the subnet and IP of your machines. Not externally meaning on the WAN of the GlobalProtect router. 
So using 'scp' command-line in combination of knowing how the router is configured will allow you to do many more things outside of the 'Proxmox Virtual Environment' but allow you to SSH into your Virtual Machines and or RDP into your Windows Clients +> **Tip #2: External Accessibility** +> On top of that, with that pfSense router provisioned to you, your VMs in your resource pool are 'externally' accessible! 'Externally' in quotes because anyone on the GlobalProtect VPN can access it if they know the subnet and IP of your machines. This is not 'externally' as in on the WAN of the GlobalProtect router. So using the `scp` command-line in combination with knowing how the router is configured will allow you to do many more things outside of the 'Proxmox Virtual Environment', but allow you to SSH into your Virtual Machines and or RDP into your Windows Clients. ## Task 1 - Setting up Splunk Enterprise Server After you complete the setup of the lab, we will now work with the VM called "server-debian-clone". @@ -108,9 +108,7 @@ Login with the user account you created when installing Splunk - - -## Task 2 - Forwarding Logs to Splunk +## Task 2 - Forwarding Logs from a Windows Machine to your Splunk Server Congratulations if you made it this far that means you successfully setup your own Splunk server! If you havent already, I encourage you to take explore the UI of Splunk. It will be quite a lot to absorb at first but I promise you as you keep using Splunk you will get used to the UI. @@ -147,8 +145,9 @@ When you install the Splunk Universal Forwarder in the customize option make sur Download the Splunk Universal Forwarder. You can either log into the Splunk website with your account and download the windows version. Or do the same with this command
-wget -O splunkforwarder-9.2.1-78803f08aabb-x64-release.msi "https://download.splunk.com/products/universalforwarder/releases/9.2.1/windows/splunkforwarder-9.2.1-78803f08aabb-x64-release.msi" +Invoke-WebRequest -Uri "https://download.splunk.com/products/universalforwarder/releases/9.2.1/windows/splunkforwarder-9.2.1-78803f08aabb-x64-release.msi" -OutFile splunkforwarder-9.2.1-78803f08aabb-x64-release.msi +
Navigate to the folder you downloaded the file and run the msi file Agree to the license and install using custom options. Make sure to choose option local account. Select any logs you want to forward. Input the IP address of the Splunk server and use the default ports. 
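Review bot: switching the download line to `Invoke-WebRequest` is the right fix for a Windows host, but the MSI is then run straight away with no integrity check; add a `Get-FileHash` comparison against the checksum Splunk publishes for the installer before "run the msi file", as is done for any binary pulled onto a lab machine. The lead-in sentence "Or do the same with this command" still refers to the website download above it and could say "or fetch it from PowerShell with" so readers know where to run the line. "Make sure to choose option local account" would help with one clause on why that option is chosen.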
@@ -163,21 +162,35 @@ You should see data in this index after a few minutes. -## Task 3 - Generating Custom Log Sources +## Task 3 - Forwarding Logs from a Ubuntu Client to your Splunk Server + +With this task, it will be similar in its function with the previous forwarder task. Your goal is to install a forwarder on a client, but this time linux based. + +There will be less of a GUI to use unlike Windows, so you will be mainly operating out of your terminal. + +I have removed the hints from this section but will give you the short run down of what you need: + +- Find a `.deb` package from [splunk.com](https://download.splunk.com) for a Universal Forwarder (UF) for a Debian-based machine. +- The installation steps will be similar to installing your Splunk Server, like reading through the EULA and starting the forwarder. +- You will also need to make `iptables` rules, similar to how you created firewall rules on Windows to communicate with your Splunk Server. + +Good Luck! + +If you struggle with this, that is okay, that was the goal of this task and instead of walking you through it, you can ask a Student Director for help! + +## Task 4 - Generating Custom Log Sources If you come this far pat yourself on the back! You essentially now have a good understanding on how logs are ingested into Splunk and you know how to query the data. +Task 4 is to install Sysmon and ingest the logs Sysmon generates into Splunk. -Task 3 is to install Sysmon and ingest the logs Sysmon generates into Splunk. - - If you enjoyed this lab and want to learn more feel free to reach out to us on Discord! -## Task 4 - Custom Indexes +## Task 5 - Custom Indexes Wow you really must like Splunk if you came this far ;) Notice how all your indexes are being sent to main by default. Imagine ingesting 100s of log sources into main. How messy does that look. It would also be a nightmare querying specific data and very inefficient. 
-Task 4 is to create a new index and change the behaviour of the Universal Forwarder. +Task 5 is to create a new index and change the behaviour of the Universal Forwarder. Let create an index called Sysmon and forward the Sysmon logs to this index called Sysmon instead of main. From 80fffae274114f3c7b5e6194223907c2f1d08435 Mon Sep 17 00:00:00 2001 From: tommy phao Date: Mon, 15 Sep 2025 17:41:50 -0700 Subject: [PATCH 26/47] we are no longer having this specific issue --- source/getting_started.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/source/getting_started.md b/source/getting_started.md index 9d1b58d..b3cd43f 100644 --- a/source/getting_started.md +++ b/source/getting_started.md @@ -33,6 +33,4 @@ If you do not have credentials or do not remember the details, ask a Student Dir - One for your server - One client to forward logs to said server ---- - -**Known Issue (August 27)**: Students who provision pods on Kamino are not having them assigned in Proxmox, showing an empty list with just nodes. \ No newline at end of file +--- \ No newline at end of file From 026607965751c64f5abba536f25e63eee0153eb6 Mon Sep 17 00:00:00 2001 From: tommy phao Date: Mon, 15 Sep 2025 17:42:50 -0700 Subject: [PATCH 27/47] updating index --- source/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/index.md b/source/index.md index e398d1d..6364bf2 100644 --- a/source/index.md +++ b/source/index.md @@ -7,8 +7,8 @@ Here lies the documentation of the Student run Security Operations Center at the :maxdepth: 2 Volunteering Opportunities -Getting Started (August 2025) +Getting Started (Updated August 2025) Splunk -Splunk Lab +Splunk Lab (Updated September 2025) Missile Map ``` \ No newline at end of file From d08e04af78f9cafe0cbefbe0133319b83184b75d Mon Sep 17 00:00:00 2001 
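Review bot: in the new Task 3 section of the Splunk_Lab.md hunk, the bullet `You will also need to make iptables rules, similar to how you created firewall rules on Windows to communicate with your Splunk Server.` does not say on which host the rules go or in which direction, so students cannot tell whether to edit the Ubuntu client or the Debian server. The Windows task opened outbound ports on the client; for the Linux client the rule that actually gates forwarding is an inbound accept for TCP 9997 on the Splunk server, and it is worth suggesting that the accept be limited to the client's address rather than any source. A single sentence naming the host, the direction and the port would make the task self-contained even without hints.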
From: tommy phao Date: Mon, 15 Sep 2025 17:48:17 -0700 Subject: [PATCH 28/47] improved markdown throughout Splunk Lab --- source/Splunk_Lab.md | 229 +++++++++++++++++++++++-------------------- 1 file changed, 124 insertions(+), 105 deletions(-) diff --git a/source/Splunk_Lab.md b/source/Splunk_Lab.md index 07000e8..460d6c9 100644 --- a/source/Splunk_Lab.md +++ b/source/Splunk_Lab.md @@ -1,9 +1,11 @@ # Welcome to the Splunk Lab ## Overview -In this lab we will teach you how to setup your own Splunk server. You will also learn how you can forward logs from different endpoint devices to your Splunk logs, aka ingesting logs. After you get comfortable ingesting logs we will also be generating our own log sources and learning how we can ingest those logs too. At the end of this lab you should be comfortable with operating between different operating systems, familiarity with terminal and how to parse different types of logs across different operating systems + +In this lab, we will teach you how to set up your own Splunk server. You will also learn how you can forward logs from different endpoint devices to your Splunk logs, aka ingesting logs. After you get comfortable ingesting logs, we will also be generating our own log sources and learning how we can ingest those logs too. At the end of this lab, you should be comfortable with operating between different operating systems, familiarity with terminal, and how to parse different types of logs across different operating systems. ### Technologies you will use + - Splunk - Splunk Universal Forwarder - Linux - Debian 
@@ -13,194 +15,211 @@ In this lab we will teach you how to setup your own Splunk server. You will also As more people complete the beginner lab, we will start working on a more advanced lab for people interested in learning more about Splunk. ## Lab Structure -1. We give you a task. We want you to figure out as much as you can by yourself so the instructions will be very minimal. -2. If you get stuck on a task, feel free to take a look at the hints section. -3. Don't be discouraged as we also share the answers. + +1. We give you a task. We want you to figure out as much as you can by yourself, so the instructions will be very minimal. +2. If you get stuck on a task, feel free to take a look at the hints section. +3. Don't be discouraged, as we also share the answers. ## Setup -To follow along this lab you can use the Student Data Center to provision your virtual machines and get comfortable with the remote/cloud environment. Setting this up locally on your own hardware is possible but these instructions will not outline the setup there. -### Setup #2 +To follow along with this lab, you can use the Student Data Center to provision your virtual machines and get comfortable with the remote/cloud environment. Setting this up locally on your own hardware is possible, but these instructions will not outline the setup there. -1. Start reading through [Getting Started](https://wiki.cppsoc.xyz/en/latest/getting_started.html) +1. Start reading through [Getting Started](https://wiki.cppsoc.xyz/en/latest/getting_started.html). -2. Request Login Credentials (AD) from a Student Director +2. Request Login Credentials (AD) from a Student Director. -3. Login to [Kamino](https://kamino.sdc.cpp) +3. Login to [Kamino](https://kamino.sdc.cpp). -4. Create a pod based off our Template: SOC intro splunk lab - Splunk Lab 2025 +4. Create a pod based off our Template: `SOC intro splunk lab - Splunk Lab 2025`. -5. 
Provisioning these pods takes a bit of time, refresh the page periodically to see if 3 Virtual Machines create and 1 pfSense Router +5. Provisioning these pods takes a bit of time; refresh the page periodically to see if 3 Virtual Machines and 1 pfSense Router are created. -6. Login to [Proxmox VE](https://proxmox.sdc.cpp) to see your provisioned virtual machines in detailed - - After you login we recommend changeing your view mode at the top left to 'Pool View' to better see the VMs and Resource Pool Assigned to you +6. Login to [Proxmox VE](https://proxmox.sdc.cpp) to see your provisioned virtual machines in detail. -7. Power on the VMs provided to you + > After you log in, we recommend changing your view mode at the top left to 'Pool View' to better see the VMs and Resource Pool Assigned to you. + +7. Power on the VMs provided to you. You are now ready to start the lab. ## Tips > **Tip #1: Slow Download Speeds?** -> The SDC is running into internet speed issues depending on where your Virtual Machine is being hosted. In more detail, depending on your Virtual Machine's location, your download speeds over the WAN might be at kb/s when downloading packages etc. -> -> A cool workaround we have at the moment is that the LAN is not speed limited at all. If you have a machine that is on the same network (Your Laptop or PC connected to GlobalProtect VPN), you can use a command-line utility called `scp` (Secure Copy) to actually copy files through your remote shell over to the target machine. This will make more sense for Task #1 specifically, but this is your introduction to the idea of `scp`. +> The SDC is running into internet speed issues depending on where your Virtual Machine is being hosted. In more detail, depending on your Virtual Machine's location, your download speeds over the WAN might be at kb/s when downloading packages, etc. +> +> A cool workaround we have at the moment is that the LAN is not speed-limited at all. 
If you have a machine that is on the same network (Your Laptop or PC connected to GlobalProtect VPN), you can use a command-line utility called `scp` (Secure Copy) to actually copy files through your remote shell over to the target machine. This will make more sense for Task #1 specifically, but this is your introduction to the `scp` command. > **Tip #2: External Accessibility** > On top of that, with that pfSense router provisioned to you, your VMs in your resource pool are 'externally' accessible! 'Externally' in quotes because anyone on the GlobalProtect VPN can access it if they know the subnet and IP of your machines. This is not 'externally' as in on the WAN of the GlobalProtect router. So using the `scp` command-line in combination with knowing how the router is configured will allow you to do many more things outside of the 'Proxmox Virtual Environment', but allow you to SSH into your Virtual Machines and or RDP into your Windows Clients. ## Task 1 - Setting up Splunk Enterprise Server -After you complete the setup of the lab, we will now work with the VM called "server-debian-clone". -The task is to create our very own Splunk server. When I say create I simply mean install the Splunk Enterprise Trial. So see if you can install that on the debian vm. +After you complete the setup of the lab, we will now work with the VM called "server-debian-clone". + +The task is to create our very own Splunk server. When I say create, I simply mean install the Splunk Enterprise Trial. So see if you can install that on the Debian VM. -If you are stuck or donno where to start check the hints. Good luck! +If you are stuck or don't know where to start, check the hints. Good luck! ### Hints -
+ +
Hint 1 -You can download the installer at https://www.splunk.com/ -
You will need a Splunk account. +You can download the installer at https://www.splunk.com/. +You will need a Splunk account.
-
+
Hint 2 -We need a way to install the package we just downloaded. In debian we can use the dpkg command to install packages. +We need a way to install the package we just downloaded. In Debian, we can use the `dpkg` command to install packages.
-
+
Hint 3 -Just because you installed it doesnt mean its running. +Just because you installed it doesn't mean it's running.
### Answer -
+
Answer -
+
You sure? -Download the Splunk Enterprise Trial with the command below -
- -wget -O splunk-9.2.1-78803f08aabb-linux-2.6-amd64.deb "https://download.splunk.com/products/splunk/releases/9.2.1/linux/splunk-9.2.1-78803f08aabb-linux-2.6-amd64.deb" - - -If you are struggling to use wget, moreover download speeds are in the kb/s, your machine is most likely affected by the download speed issue. Try downloading that exact file onto your machine (yes, your macbook or laptop) and run the following command line utility - -scp ./splunk.deb root@172.16.x.xxx:/scp - -This block of code serves to be a basic usage of how scp command utility works and how you can use it right on your machine to communicate to your virtual machine. - -
-Navigate to the folder you downloaded the file and run the command - -dpkg -i splunk-9.2.1-78803f08aabb-linux-2.6-amd64.deb - - -Navigate to the folder /opt/splunk/bin and run - -cd /opt/splunk/bin -./splunk start - - -Open up firefox and browse to localhost:8000 -Login with the user account you created when installing Splunk + +1. **Download the Splunk Enterprise Trial:** + Use the following command to download the installer: + ```bash + wget -O splunk-9.2.1-78803f08aabb-linux-2.6-amd64.deb "https://download.splunk.com/products/splunk/releases/9.2.1/linux/splunk-9.2.1-78803f08aabb-linux-2.6-amd64.deb" + ``` + > **Note on slow downloads:** If `wget` is slow, you can download the file on your local machine and use `scp` to transfer it to your VM. For example: + > ```bash + > scp ./splunk-9.2.1-78803f08aabb-linux-2.6-amd64.deb root@172.16.x.xxx:/path/on/vm + > ``` + +2. **Install the package:** + Navigate to the directory where you downloaded the file and run: + ```bash + dpkg -i splunk-9.2.1-78803f08aabb-linux-2.6-amd64.deb + ``` + +3. **Start Splunk:** + Change to the Splunk binary directory and start the service: + ```bash + cd /opt/splunk/bin + ./splunk start + ``` + You will be prompted to accept the license and create an administrator account. + +4. **Access Splunk Web:** + Open a web browser on your VM and go to `http://localhost:8000`. Log in with the credentials you just created. +
## Task 2 - Forwarding Logs from a Windows Machine to your Splunk Server -Congratulations if you made it this far that means you successfully setup your own Splunk server! -If you havent already, I encourage you to take explore the UI of Splunk. It will be quite a lot to absorb at first but I promise you as you keep using Splunk you will get used to the UI. +Congratulations! If you made it this far, that means you successfully set up your own Splunk server! -Now that we set up a Splunk server we need to figure out how we can ingest logs into it. We ingest logs using something called the Splunk Universal Forwarder. This is a tool installed on an endpoint device that tells the computer which logs to send and where to send them. +If you haven't already, I encourage you to explore the UI of Splunk. It will be quite a lot to absorb at first, but I promise you, as you keep using Splunk, you will get used to the UI. + +Now that we have set up a Splunk server, we need to figure out how we can ingest logs into it. We ingest logs using something called the **Splunk Universal Forwarder**. This is a tool installed on an endpoint device that tells the computer which logs to send and where to send them. Task 2 is to install the Splunk Universal Forwarder on the Windows Client and see if you can query the logs using the Splunk Search App. -If you are able to see data when searching index=main you have successfully completed the task. +If you are able to see data when searching `index=main`, you have successfully completed the task. ### Hints -
+ +
Hint 1 -You can also download the Splunk Universal Forwarder at https://www.splunk.com/ -
You will need a Splunk account. +You can also download the Splunk Universal Forwarder at https://www.splunk.com/. +You will need a Splunk account.
-
+
Hint 2 Did you configure your Splunk server to listen? Did you open up firewall ports?
-
+
Hint 3 -When you install the Splunk Universal Forwarder in the customize option make sure you are installing with the local account. Using a virtual account may not send logs due to permission issues. +When you install the Splunk Universal Forwarder, in the customize option, make sure you are installing with the local account. Using a virtual account may not send logs due to permission issues.
### Answer -
+ +
Answer -
+
You sure? -Download the Splunk Universal Forwarder. You can either log into the Splunk website with your account and download the windows version. Or do the same with this command -
- -Invoke-WebRequest -Uri "https://download.splunk.com/products/universalforwarder/releases/9.2.1/windows/splunkforwarder-9.2.1-78803f08aabb-x64-release.msi" -OutFile splunkforwarder-9.2.1-78803f08aabb-x64-release.msi - - -
-Navigate to the folder you downloaded the file and run the msi file -Agree to the license and install using custom options. Make sure to choose option local account. Select any logs you want to forward. Input the IP address of the Splunk server and use the default ports. - -Open up Windows Firewall and open up outbound ports for TCP AND UDP for 8089 and 9997. - -On your Splunk Server login using the credentials you created and go to Settings->Forwarding and Receiving and nder the Receive Data section click on +Add New. Enter 9997 as listening port and save. - -Go to your Splunk Search Head and search index=main. -You should see data in this index after a few minutes. - -
+ +1. **Download the Splunk Universal Forwarder:** + You can either log into the Splunk website with your account and download the Windows version, or use this command: + ```powershell + Invoke-WebRequest -Uri "https://download.splunk.com/products/universalforwarder/releases/9.2.1/windows/splunkforwarder-9.2.1-78803f08aabb-x64-release.msi" -OutFile splunkforwarder-9.2.1-78803f08aabb-x64-release.msi + ``` + +2. **Install the Forwarder:** + - Navigate to the folder where you downloaded the file and run the `.msi` installer. + - Agree to the license and install using custom options. + - Make sure to choose the **local account** option. + - Select any logs you want to forward. + - Input the IP address of the Splunk server and use the default ports. + +3. **Configure Firewall:** + - Open up Windows Firewall and create outbound rules for TCP and UDP for ports `8089` and `9997`. + +4. **Configure Splunk Server:** + - On your Splunk Server, log in and go to `Settings` -> `Forwarding and Receiving`. + - Under the "Receive Data" section, click on `+Add New`. + - Enter `9997` as the listening port and save. + +5. **Verify Data Ingestion:** + - Go to your Splunk Search Head and search `index=main`. + - You should see data in this index after a few minutes. + +
## Task 3 - Forwarding Logs from a Ubuntu Client to your Splunk Server -With this task, it will be similar in its function with the previous forwarder task. Your goal is to install a forwarder on a client, but this time linux based. +With this task, it will be similar in its function with the previous forwarder task. Your goal is to install a forwarder on a client, but this time, Linux-based. -There will be less of a GUI to use unlike Windows, so you will be mainly operating out of your terminal. +There will be less of a GUI to use, unlike Windows, so you will be mainly operating out of your terminal. -I have removed the hints from this section but will give you the short run down of what you need: +I have removed the hints from this section but will give you the short rundown of what you need: -- Find a `.deb` package from [splunk.com](https://download.splunk.com) for a Universal Forwarder (UF) for a Debian-based machine. -- The installation steps will be similar to installing your Splunk Server, like reading through the EULA and starting the forwarder. -- You will also need to make `iptables` rules, similar to how you created firewall rules on Windows to communicate with your Splunk Server. +- Find a `.deb` package from [splunk.com](https://download.splunk.com) for a Universal Forwarder (UF) for a Debian-based machine. +- The installation steps will be similar to installing your Splunk Server, like reading through the EULA and starting the forwarder. +- You will also need to make `iptables` rules, similar to how you created firewall rules on Windows, to communicate with your Splunk Server. Good Luck! -If you struggle with this, that is okay, that was the goal of this task and instead of walking you through it, you can ask a Student Director for help! +If you struggle with this, that is okay. That was the goal of this task, and instead of walking you through it, you can ask a Student Director for help! 
## Task 4 - Generating Custom Log Sources -If you come this far pat yourself on the back! -You essentially now have a good understanding on how logs are ingested into Splunk and you know how to query the data. + +If you have come this far, pat yourself on the back! You essentially now have a good understanding of how logs are ingested into Splunk, and you know how to query the data. Task 4 is to install Sysmon and ingest the logs Sysmon generates into Splunk. -If you enjoyed this lab and want to learn more feel free to reach out to us on Discord! +If you enjoyed this lab and want to learn more, feel free to reach out to us on Discord! ## Task 5 - Custom Indexes -Wow you really must like Splunk if you came this far ;) -Notice how all your indexes are being sent to main by default. Imagine ingesting 100s of log sources into main. How messy does that look. It would also be a nightmare querying specific data and very inefficient. -Task 5 is to create a new index and change the behaviour of the Universal Forwarder. -Let create an index called Sysmon and forward the Sysmon logs to this index called Sysmon instead of main. +Wow, you really must like Splunk if you came this far! ;) + +Notice how all your indexes are being sent to `main` by default. Imagine ingesting hundreds of log sources into `main`. How messy does that look? It would also be a nightmare and very inefficient to query specific data. +Task 5 is to create a new index and change the behavior of the Universal Forwarder. Let's create an index called `sysmon` and forward the Sysmon logs to this index instead of `main`. +## What's next? -## Whats next? -Congratulations you have completed the Splunk Lab! +Congratulations, you have completed the Splunk Lab! -Hope you enjoyed the lab! If you want to work on more Splunk stuff or like what you see at the SOC, I encourage you to get involved and start working on your own cool project :). You are now dubbed Splunk Pro! +Hope you enjoyed the lab! 
If you want to work on more Splunk stuff or like what you see at the SOC, I encourage you to get involved and start working on your own cool project :). You are now dubbed a Splunk Pro! Stay tuned for a more advanced Splunk Lab where we plan to tackle the following questions: --How do I scale my Splunk deployment? --How do I make my Splunk server more resilient? --How do I increase search performance? +- How do I scale my Splunk deployment? +- How do I make my Splunk server more resilient? +- How do I increase search performance? From 1ce3df958cf737371c5822e4d14260c3cb5f45b7 Mon Sep 17 00:00:00 2001 From: tommy phao Date: Mon, 15 Sep 2025 17:54:18 -0700 Subject: [PATCH 29/47] updating getting started --- source/getting_started.md | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/source/getting_started.md b/source/getting_started.md index b3cd43f..96b813b 100644 --- a/source/getting_started.md +++ b/source/getting_started.md @@ -11,7 +11,7 @@ All operations done on either side will require you to connect to our VPN to acc 1. **Request Access**: Please fill out this Microsoft Form for User Access to our VPN. [Form](https://forms.cloud.microsoft/r/5BtvPPTJku) 2. **Install VPN Client**: If you have never logged in to Kamino, please install Palo Alto's GlobalProtect application. We are now completing authentication using Cal Poly Pomona's SSO. [GlobalProtect](https://vpn.connect.cpp.edu) 3. **Initial Connection**: - - After installing the application, you will be prompted with the following windows + - After installing the application, you will be prompted with the following windows ![GlobalProtect Management Portal](https://www.cppsoc.xyz/assets/documentation/getting-started/gp-mgmt.png) - When asked to enter our Portal Address use: `mgmt.sdc.cpp.edu` - This will prompt you to login using Cal Poly SSO 
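Review bot: in the Splunk_Lab.md hunk's Task 2 answer, the "Configure Firewall" step should drop the UDP rules: forwarding to the receiving port 9997 and the management port 8089 are both TCP, so `create outbound rules for TCP and UDP for ports 8089 and 9997` opens UDP for no reason. Two smaller points in the same hunk: the Task 1 answer runs `dpkg -i` straight after `wget` without comparing the `.deb` against the checksum Splunk publishes alongside the download, which deserves its own step given that the file may have travelled via `scp` from a laptop; and the `scp` example copies as `root@172.16.x.xxx`, so a line recommending a regular user plus `sudo` for the install would set the better habit. Separately, lowercasing the index name to `sysmon` in Task 5 is a correct fix, since Splunk index names must be lowercase.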
@@ -21,16 +21,8 @@ All operations done on either side will require you to connect to our VPN to acc 1. Once you are given access to Management Portal, head over to [https://kamino.sdc.cpp](https://kamino.sdc.cpp) 2. This is only available when you are connected to the VPN -3. Use your AD Credentials to login +3. Use your Active Directory (AD) Credentials to Login If you do not have credentials or do not remember the details, ask a Student Director to help resolve this for you. -## Working with Pods - -1. After logging in to Kamino, you can provision pods using the Web Interface -2. Try using the premade templates as they are ideal for starting fresh without sitting through standard installation experience -3. Recommended setup: provision two pods - - One for your server - - One client to forward logs to said server - --- \ No newline at end of file From e993e94c25cffa2fb3fc6e2647dc2a252835e262 Mon Sep 17 00:00:00 2001 From: tommy phao Date: Mon, 15 Sep 2025 18:13:54 -0700 Subject: [PATCH 30/47] AI notice --- source/missile_map.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source/missile_map.md b/source/missile_map.md index 64510f7..85f4d26 100644 --- a/source/missile_map.md +++ b/source/missile_map.md @@ -121,3 +121,5 @@ The Student SOC’s implementation of the Missile Map was a success – both in [1] [Event Descriptions for the GlobalProtect Logs in PAN-OS](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/logging-for-globalprotect-in-pan-os/event-descriptions-for-the-globalprotect-logs-in-pan-os) [2, 3] [GitHub - lukemonahan/missile_map: Missile Map Splunk visualisation](https://github.com/lukemonahan/missile_map) + +*AI used to improve language and markdown \ No newline at end of file From 3b33f016df5c659cb969bcd4354002722cf13ea3 Mon Sep 17 00:00:00 2001 
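Review bot: in the second getting_started.md hunk, `Use your Active Directory (AD) Credentials to Login` capitalizes "Login" mid-sentence and uses the noun where the verb is meant; `Use your Active Directory (AD) credentials to log in` reads better. The file also still ends on `---` with no trailing newline, which this change could fix instead of carrying the warning forward.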
From: tommy phao Date: Mon, 15 Sep 2025 18:38:23 -0700 Subject: [PATCH 31/47] updating steps --- source/AD_Lab.md | 109 ++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 108 insertions(+), 1 deletion(-) diff --git a/source/AD_Lab.md b/source/AD_Lab.md index fbf9d27..1ff9fae 100644 --- a/source/AD_Lab.md +++ b/source/AD_Lab.md @@ -28,6 +28,113 @@ To complete this lab, you will need the following: These Windows VMs should be generated from a template. If not, ensure you have four VMs that can communicate with each other, preferably on the same VLAN. +All these Virtual Machine's are going to be left in a setup phase, meaning you will be spending time download packages, setting passwords, etc. + ## Lab Setup: Primary Domain Controller -Let's begin by configuring our first VM, **Windows Server 2025**, as the Primary DC. +Let's begin by configuring our first VM, which will serve as the Primary Domain Controller (PDC). For this guide, we are using a **Windows Server 2019** virtual machine. + +
+1. Start the Windows Server 2019 - PDC virtual machine. You should be greeted with the Windows Setup screen. + +*Image of the Windows Setup screen.* + +
+
+2. Click Install Now. + +*Image showing the 'Install Now' button.* + +
+
+3. For the operating system, select Windows Server 2019 Standard Evaluation (Desktop Experience) and click Next. + +> **Note:** Choosing an option without "Desktop Experience" will result in a command-line-only interface (PowerShell). + +*Image of the OS selection screen.* + +
+
+4. Accept the license terms (EULA) and click Next. + +*Image of the EULA screen with the 'Next' button highlighted.* + +
+
+5. Select Custom: Install Windows only (advanced). + +> The "Upgrade" option is not applicable here since we are performing a clean installation. + +*Image of the installation type selection screen.* + +
+ +### Loading VirtIO Drivers (Proxmox) + +If you are using Proxmox or a similar KVM-based hypervisor, you will need to load VirtIO drivers for the installer to recognize the virtual hard disk. + +
+1. Click Load Driver. + +> **Note:** These drivers are necessary for virtualized hardware to perform correctly. In our lab template, the driver disk is pre-mounted. If you're setting up a VM from scratch in a Proxmox environment, you'll need to mount the VirtIO driver ISO yourself. + +*Image showing the 'Load Driver' button.* + +
+
+2. Click Browse. + +*Image showing the 'Browse' button.* + +
+
+3. Locate the virtual CD drive, which should be labeled something like virtio-win-x.x.xxx. + +*Image showing the file browser with the virtual CD drive highlighted.* + +
+
+4. Navigate to the vioscsi folder, then select the folder corresponding to your OS version (e.g., 2k19 for Windows Server 2019), and finally select the amd64 folder. Click OK. + +*Image showing the folder structure for the VirtIO driver.* + +
+
+5. The installer should find the Red Hat VirtIO SCSI pass-through controller driver. Select it and click Next to install it. + +*Image showing the driver selection screen with the correct driver highlighted.* + +
+ +### Partitioning and Installation + +
+1. After the driver is installed, you will see the virtual drive. Select it and click New. + +*Image showing the virtual drive and the 'New' button.* + +
+
+2. Allocate the maximum available space for the new partition. Windows Setup may create a small, separate "System Reserved" partition; this is normal. Click Apply and then OK. + +*Image showing the partition size allocation and confirmation prompt.* + +
+
+3. Select the largest partition (marked as "Primary") and click Next to begin the Windows installation. + +*Image showing the primary partition selected and the 'Next' button highlighted.* + +
+
+4. Windows will now install. This process may take some time. + +*Image of the Windows installation progress screen.* + +
+
+5. Once the installation is complete, the VM will restart, and you will be prompted to set a password for the local Administrator account. Choose a secure password and complete the setup. + +*Image of the password creation screen for the Administrator account.* + +
\ No newline at end of file From 358ceb02ddbda483ecf225effaef3c76e04a0774 Mon Sep 17 00:00:00 2001 From: tommy phao Date: Wed, 17 Sep 2025 11:11:39 -0700 Subject: [PATCH 32/47] new image --- source/AD_Lab.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/AD_Lab.md b/source/AD_Lab.md index 1ff9fae..cca8d75 100644 --- a/source/AD_Lab.md +++ b/source/AD_Lab.md @@ -43,7 +43,7 @@ Let's begin by configuring our first VM, which will serve as the Primary Domain
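Review bot: in the AD_Lab.md hunk, the added sentence `All these Virtual Machine's are going to be left in a setup phase, meaning you will be spending time download packages, setting passwords, etc.` has a stray apostrophe and a wrong verb form; suggest `All of these virtual machines are left in a setup phase, meaning you will spend time downloading packages, setting passwords, etc.` Since the intro line changes the PDC from **Windows Server 2025** to **Windows Server 2019** and the later step selects `Windows Server 2019 Standard Evaluation (Desktop Experience)`, please check that the requirements list above this hunk was updated to match. The file also now ends on a `
` with no trailing newline.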
2. Click Install Now. -*Image showing the 'Install Now' button.* +![Install Now button](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/1.png)
From ed3a1bce58e8ee293eca9df9da71b9124f9cd7a8 Mon Sep 17 00:00:00 2001 From: tommy phao Date: Wed, 17 Sep 2025 11:15:17 -0700 Subject: [PATCH 33/47] new lab entry into index --- source/index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/source/index.md b/source/index.md index e398d1d..90865e0 100644 --- a/source/index.md +++ b/source/index.md @@ -10,5 +10,6 @@ Volunteering Opportunities Getting Started (August 2025) Splunk Splunk Lab +AD + Splunk Lab Missile Map ``` \ No newline at end of file From 4b389d0f2fb1fc8c82fafd8421dcd76df474f5aa Mon Sep 17 00:00:00 2001 From: tommy phao Date: Wed, 17 Sep 2025 11:28:01 -0700 Subject: [PATCH 34/47] images added for pdc - 2019 lol --- source/AD_Lab.md | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/source/AD_Lab.md b/source/AD_Lab.md index cca8d75..538ff3f 100644 --- a/source/AD_Lab.md +++ b/source/AD_Lab.md @@ -43,7 +43,7 @@ Let's begin by configuring our first VM, which will serve as the Primary Domain
2. Click Install Now. -![Install Now button](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/1.png) +![Image showing the 'Install Now' button.](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/1.png)
@@ -51,13 +51,13 @@ Let's begin by configuring our first VM, which will serve as the Primary Domain > **Note:** Choosing an option without "Desktop Experience" will result in a command-line-only interface (PowerShell). -*Image of the OS selection screen.* +![Image of the OS selection screen.](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/2.png)
4. Accept the license terms (EULA) and click Next. -*Image of the EULA screen with the 'Next' button highlighted.* +![Image of the EULA screen with the 'Next' button highlighted.](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/3.png)
@@ -65,7 +65,7 @@ Let's begin by configuring our first VM, which will serve as the Primary Domain > The "Upgrade" option is not applicable here since we are performing a clean installation. -*Image of the installation type selection screen.* +![Image of the installation type selection screen.](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/4.png)
@@ -78,31 +78,31 @@ If you are using Proxmox or a similar KVM-based hypervisor, you will need to loa > **Note:** These drivers are necessary for virtualized hardware to perform correctly. In our lab template, the driver disk is pre-mounted. If you're setting up a VM from scratch in a Proxmox environment, you'll need to mount the VirtIO driver ISO yourself. -*Image showing the 'Load Driver' button.* +![Image showing the 'Load Driver' button.](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/5.png)
2. Click Browse. -*Image showing the 'Browse' button.* +![Image showing the 'Browse' button.](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/6.png)
3. Locate the virtual CD drive, which should be labeled something like virtio-win-x.x.xxx. -*Image showing the file browser with the virtual CD drive highlighted.* +![Image showing the file browser with the virtual CD drive highlighted.](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/7.png)
4. Navigate to the vioscsi folder, then select the folder corresponding to your OS version (e.g., 2k19 for Windows Server 2019), and finally select the amd64 folder. Click OK. -*Image showing the folder structure for the VirtIO driver.* +![Image showing the folder structure for the VirtIO driver.](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/8.png)
5. The installer should find the Red Hat VirtIO SCSI pass-through controller driver. Select it and click Next to install it. -*Image showing the driver selection screen with the correct driver highlighted.* +![Image showing the driver selection screen with the correct driver highlighted.](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/9.png)
@@ -111,30 +111,30 @@ If you are using Proxmox or a similar KVM-based hypervisor, you will need to loa
1. After the driver is installed, you will see the virtual drive. Select it and click New. -*Image showing the virtual drive and the 'New' button.* +![Image showing the virtual drive and the 'New' button.](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/10.png)
2. Allocate the maximum available space for the new partition. Windows Setup may create a small, separate "System Reserved" partition; this is normal. Click Apply and then OK. -*Image showing the partition size allocation and confirmation prompt.* +![Image showing the partition size allocation and confirmation prompt.](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/11.png)
3. Select the largest partition (marked as "Primary") and click Next to begin the Windows installation. -*Image showing the primary partition selected and the 'Next' button highlighted.* +![Image showing the primary partition selected and the 'Next' button highlighted.](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/12.png)
4. Windows will now install. This process may take some time. -*Image of the Windows installation progress screen.* +![Image of the Windows installation progress screen.](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/13.png)
5. Once the installation is complete, the VM will restart, and you will be prompted to set a password for the local Administrator account. Choose a secure password and complete the setup. -*Image of the password creation screen for the Administrator account.* +![Image of the password creation screen for the Administrator account.](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/14.png)
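Review bot: every screenshot in these hunks (`pdc/2.png` through `pdc/14.png`) is embedded by absolute URL to `https://www.cppsoc.xyz/assets/documentation/ad-lab/...`, so the rendered page, and in particular any PDF export of `source/AD_Lab.md`, breaks whenever that host is unreachable. Consider committing the images alongside the Markdown source (Sphinx conventionally serves them from a `_static` or images directory next to `conf.py`) and referencing them with relative paths, so the docs build is self-contained and reviewable offline. Minor: the alt text still carries the placeholder wording ("Image of the OS selection screen.", "Image showing the 'Browse' button."); once these are real images, alt text that names what is on screen ("Windows Setup: OS selection") reads better in screen readers and in the PDF where images are missing.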
\ No newline at end of file From cf54409aac609ad49f98616c3da99934bae2e38f Mon Sep 17 00:00:00 2001 From: tommy phao Date: Wed, 17 Sep 2025 11:32:05 -0700 Subject: [PATCH 35/47] fixed images --- source/AD_Lab.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/source/AD_Lab.md b/source/AD_Lab.md index 538ff3f..5bee904 100644 --- a/source/AD_Lab.md +++ b/source/AD_Lab.md @@ -125,16 +125,18 @@ If you are using Proxmox or a similar KVM-based hypervisor, you will need to loa ![Image showing the primary partition selected and the 'Next' button highlighted.](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/12.png) +![Image of the Windows installation progress screen.](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/13.png) +
4. Windows will now install. This process may take some time. -![Image of the Windows installation progress screen.](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/13.png) +![Image of the password creation screen for the Administrator account.](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/14.png)
5. Once the installation is complete, the VM will restart, and you will be prompted to set a password for the local Administrator account. Choose a secure password and complete the setup. -![Image of the password creation screen for the Administrator account.](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/14.png) +*No photo taken; but if you need help, reach out!*
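Review bot: the reordering leaves the alt text out of step with the numbered steps. After this hunk, step 4 ("Windows will now install. This process may take some time.") is followed by the image whose alt text reads "Image of the password creation screen for the Administrator account." (`14.png`), while `13.png`, still captioned "Image of the Windows installation progress screen.", now sits above step 4 under the partition-selection step, and step 5 (set the Administrator password) is left with "*No photo taken; but if you need help, reach out!*". If the screenshots were off by one relative to the text, the captions need to move with them; if the captions were right, the image references should not have shifted. Either way the commit message "fixed images" does not say which was wrong, so a one-line explanation in the message would help the next person who touches this sequence.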
\ No newline at end of file From 543776bf4591b9426e3356a6b8b2323c710495cf Mon Sep 17 00:00:00 2001 From: tommy phao Date: Fri, 19 Sep 2025 20:40:00 -0700 Subject: [PATCH 36/47] ok new part --- source/AD_Lab.md | 84 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 83 insertions(+), 1 deletion(-) diff --git a/source/AD_Lab.md b/source/AD_Lab.md index 5bee904..73fd1f7 100644 --- a/source/AD_Lab.md +++ b/source/AD_Lab.md @@ -139,4 +139,86 @@ If you are using Proxmox or a similar KVM-based hypervisor, you will need to loa *No photo taken; but if you need help, reach out!* -
\ No newline at end of file +
+ +### Post-Installation Setup + +Okay, now at this point of the setup, you have been interacting with this VM through the browser, through the Console tab. If that is your preference, you can continue to do this lab in that experience, but in my personal preference, I very much enjoy either my own machine and to RDP into client (specifically for Windows). + +I recommend you to use RDP instead of the browser in case of compatibility issues and overall better user experience. + +The following steps will explain you how to connect this device to the internet, setting an IP and enabling remote desktop. + +So first, now that your VM has finished setting up, let's login to your Administrator account you just setup for yourself. + +You might notice that your machine although you assigned virtual i/o drivers before hand is still having internet connectivity issues. + +That is okay, we will resolve that right now. + +Go ahead and open file explorer and navigate to the same virtio-win virtual CD Drive + +![File explorer showing virtio-win CD drive](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/15.png) + +scroll through the drive + +![Scrolling through the drive contents](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/16.png) + +find `virtio-win-gt-x64.msi` and run that installer + +![Running the virtio-win-gt-x64.msi installer](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/17.png) + +Proceed with next and accept the EULA + +![Installer EULA screen](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/18.png) + +Now after accepting the EULA, you will prompted with installing many different features, + +The following feature we are looking to add is marked as "Network", once you select it, click next. + +![Selecting Network feature in installer](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/19.png) + +Then click install. 
+ +![Clicking install](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/20.png) + +After a Windows Pop-up will occur asking if you want to make your PC discoverable, you can click yes. + +![Windows discoverable PC pop-up](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/21.png) + +![Windows discoverable PC pop-up part 2](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/22.png) + +Now you the red internet icon you are seeing at the bottom, should have disappeared and your machine should look like you have internet now. + +A way to make sure your machine is reachable through the Internet, Open up Command Prompt + +Use `Win + R` or Windows Key and type "run" into Search to open the Run Page + +![Opening Run dialog](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/23.png) + +Program we want to open is `cmd.exe` and click ok + +![Running cmd.exe](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/24.png) + +Now that we have the Command Prompt open, lets ping a well known source that is reliably online, Google. + +type into your command prompt `ping google.com` + +Expected results are 4 packets sent with 100% received and 0% loss + +![Pinging google.com in command prompt](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/25.png) + +Now that we are aware this device is able to reach the actual Internet, now lets figure its local ip address to RDP into the machine. + +In the same command prompt box type in `ipconfig` + +![Running ipconfig in command prompt](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/26.png) + +Now that you see all these addresses, the one we are looking for is IPv4 Address, for my current machine its `192.168.1.116` + +This IP address is specific to this Virtual Machine and the way + +Now you need to understand that this IP address is local to the "Router" you are connected to. 
In your case we provision a virtual pfSense router to your pod that has an IP Address to the router, typically formatted in `172.16.x.x`, meaning that is your external address. But locally when you are connected to that LAN of this network, you are accessible as `192.168.1.116`, but externally your machine is reached as `172.16.x.116`. The `x` part in that external address will depend on your pod number, typically represented as `10xx_windows_ad_splunk_lab`. taking that `xx` in the pod number will be part of your WAN address. Even if you still cannot find out what your pod number is, you can remote into your virtual router and look at the WAN address that first comes up (If it says `172.16.1.1`, click enter to refresh the page and a different WAN should appear) + +This was a bit of a tangent and very surface level understanding on how the router connects, I hope I will shorten it and explain it better later. + +If you think you understand how to access the machine externally, try pinging your Windows VM from your own device while connected to the vpn. From f651bc8d435b3320b00ba8943bea5c88d033ca5b Mon Sep 17 00:00:00 2001 From: tommy phao Date: Fri, 19 Sep 2025 20:43:10 -0700 Subject: [PATCH 37/47] update --- source/AD_Lab.md | 53 +++++++++++++++++++++++++++++++++--------------- 1 file changed, 37 insertions(+), 16 deletions(-) diff --git a/source/AD_Lab.md b/source/AD_Lab.md index 73fd1f7..4ba3a5d 100644 --- a/source/AD_Lab.md +++ b/source/AD_Lab.md @@ -155,64 +155,85 @@ You might notice that your machine although you assigned virtual i/o drivers bef That is okay, we will resolve that right now. -Go ahead and open file explorer and navigate to the same virtio-win virtual CD Drive +
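Review bot: in the Post-Installation Setup hunk, "After a Windows Pop-up will occur asking if you want to make your PC discoverable, you can click yes." should say what that click does: answering Yes puts the adapter on the Private network profile, which turns on network discovery and the more permissive firewall rule set. That is acceptable on an isolated lab pod, but the same text says this host will be reachable from outside the pod as `172.16.x.116`, and it is about to become a domain controller, so the choice deserves a sentence rather than a reflexive Yes. Two smaller points in the same hunk: a successful `ping google.com` also proves name resolution works, which is worth stating since the reader is about to rely on DNS, and the sentences "you will prompted with installing many different features" and "Now you the red internet icon you are seeing at the bottom" are each missing a word ("will be prompted", "Now the red").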
+1. Go ahead and open file explorer and navigate to the same virtio-win virtual CD Drive. ![File explorer showing virtio-win CD drive](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/15.png) -scroll through the drive +
+
+2. Scroll through the drive. ![Scrolling through the drive contents](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/16.png) -find `virtio-win-gt-x64.msi` and run that installer +
+
+3. Find virtio-win-gt-x64.msi and run that installer. ![Running the virtio-win-gt-x64.msi installer](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/17.png) -Proceed with next and accept the EULA +
+
+4. Proceed with next and accept the EULA. ![Installer EULA screen](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/18.png) -Now after accepting the EULA, you will prompted with installing many different features, - -The following feature we are looking to add is marked as "Network", once you select it, click next. +
+
+5. After accepting the EULA, you will be prompted with installing many different features. The feature we are looking to add is marked as "Network". Once you select it, click next. ![Selecting Network feature in installer](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/19.png) -Then click install. +
+
+6. Then click install. ![Clicking install](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/20.png) -After a Windows Pop-up will occur asking if you want to make your PC discoverable, you can click yes. +
+
+7. A Windows Pop-up will occur asking if you want to make your PC discoverable. You can click yes. ![Windows discoverable PC pop-up](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/21.png) ![Windows discoverable PC pop-up part 2](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/22.png) +
+ Now you the red internet icon you are seeing at the bottom, should have disappeared and your machine should look like you have internet now. -A way to make sure your machine is reachable through the Internet, Open up Command Prompt +A way to make sure your machine is reachable through the Internet, Open up Command Prompt. -Use `Win + R` or Windows Key and type "run" into Search to open the Run Page +
+1. Use Win + R or Windows Key and type "run" into Search to open the Run Page. ![Opening Run dialog](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/23.png) -Program we want to open is `cmd.exe` and click ok +
+
+2. The program we want to open is cmd.exe. Click OK. ![Running cmd.exe](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/24.png) -Now that we have the Command Prompt open, lets ping a well known source that is reliably online, Google. - -type into your command prompt `ping google.com` +
+
+3. Now that we have the Command Prompt open, lets ping a well known source that is reliably online, Google. Type into your command prompt ping google.com. Expected results are 4 packets sent with 100% received and 0% loss ![Pinging google.com in command prompt](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/25.png) +
+ Now that we are aware this device is able to reach the actual Internet, now lets figure its local ip address to RDP into the machine. -In the same command prompt box type in `ipconfig` +
+1. In the same command prompt box type in ipconfig. ![Running ipconfig in command prompt](https://www.cppsoc.xyz/assets/documentation/ad-lab/pdc/26.png) +
+ Now that you see all these addresses, the one we are looking for is IPv4 Address, for my current machine its `192.168.1.116` This IP address is specific to this Virtual Machine and the way From f4286f5b19a5c85d41e4cd6238ce68d50a58d23c Mon Sep 17 00:00:00 2001 From: xdkaine <55013938+xdkaine@users.noreply.github.com> Date: Sat, 20 Sep 2025 00:06:24 -0700 Subject: [PATCH 38/47] setting computer name and static ip --- source/AD_Lab.md | 154 ++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 153 insertions(+), 1 deletion(-) diff --git a/source/AD_Lab.md b/source/AD_Lab.md index 4ba3a5d..c01487c 100644 --- a/source/AD_Lab.md +++ b/source/AD_Lab.md 
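Review bot: converting the walkthrough into numbered steps dropped the inline code formatting in the `+` lines: `virtio-win-gt-x64.msi`, `Win + R`, `cmd.exe`, `ping google.com` and `ipconfig` all lose their backticks (compare the removed "-find `virtio-win-gt-x64.msi` and run that installer" with the added "+3. Find virtio-win-gt-x64.msi and run that installer."). Restore them so file names and commands stay distinguishable from prose; "Type into your command prompt ping google.com." in particular now reads as if the trailing period were part of the command. Also, the `![...]` image lines between list items are not indented under their item, so depending on the renderer each image ends the list and the next "2." or "3." may be rendered as a fresh list; indenting the image lines to the item's content column keeps each screenshot inside its step.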
@@ -242,4 +242,156 @@ Now you need to understand that this IP address is local to the "Router" you are This was a bit of a tangent and very surface level understanding on how the router connects, I hope I will shorten it and explain it better later. -If you think you understand how to access the machine externally, try pinging your Windows VM from your own device while connected to the vpn. +If you think you understand how to access the machine externally, try pinging your Windows VM from your own device while connected to the GlobalProtect VPN. If this still does not work and you cannot ping your virtual machine from your physical machine, check the IP address and make sure you understand how we are getting each octet of the address. + +If you can ping your machine from your physical machine, you should now know the address of the machine and can access it externally. Now go back to Proxmox and (hopefully) for the last time open up the console for the Windows VM, and enable Remote Desktop. Once enabled, attempt to remote into your machine, the computer name can either be the External IP of your VM or actual Computer Name if you know it. You might run into issues regarding Network Level Authentication, you must disable that feature which is nested within the settings of where you first enabled Remote Desktop + +At this point of the lab, you should have a ready Windows Server 2019 Machine and have an understanding on how the networking works within your deployed pod. +This part of the lab will now focus on on creating now setting up your domain and be more of a lab than tutorial. + +Open up *Server Manager* and browse around to see what you can do in this Server edition of Windows. From the *Server Manager*, you can see many different features typically not available on Home and even Pro editions of Windows. 
+ +First thing we can do is change this *Computer name* to something more recognizable, so next time we remote in, we can just type in a name instead of remembering the IP Address. For the sake of this lab environment, we will have a consistent naming system for all the clients we interact with. Rename your Windows VM to FirstInitialLastName-DC01 (Ex: JMama-DC01) and then click Apply. + +Before restarting your computer, lets also set a static IP for your machine to ensure that when we restart your machine, if the IP changes we cannot remote back into the machine. If you are unsure about all the settings you need to set regarding the IPv4 settings, looking at ipconfig in Command Prompt will help guide you. + +After you set the computer name and a static ip for your machine, you should restart your VM through Windows to ensure all settings you just applied are set. + +Now that you have browsed around, locate the Manage > Add Roles and Features button at the top right of Server Manager and install the following items +- +## Lab: Prep the Primary Domain Controller (PDC) + +Goal: Reach the VM externally, RDP into it, rename it, set a static IP, and install core roles. + +
+Task 1 — Verify external reachability + +- Objective: Confirm your host can reach the VM from the VPN. +- Do: + - From your host (on GlobalProtect), ping the VM's external IP. + - On the VM, use ipconfig to understand its IPv4 and gateway. +- Success: 4 replies, 0% loss. + +
+💡 Networking Hints + +Your VM has two IP addresses: +- **LAN IP** (192.168.x.x): Internal to your pod's virtual network +- **WAN IP** (172.16.x.x): External address for accessing from your host + +The external IP follows this pattern: if your VM's LAN IP is `192.168.1.116`, your external IP is likely `172.16.x.116` where `x` matches your pod number. + +To find your pod number: +- Check your pod name format: `10xx_windows_ad_splunk_lab` +- The `xx` becomes part of your WAN address +- Or check the pfSense router console for the WAN address + +
+
+ +
+Task 2 — Enable Remote Desktop + +- Objective: RDP into the VM from your host. +- Do: + - Enable Remote Desktop on the VM. + - Connect using the external IP or the computer name. +- Success: You can open a remote session successfully. + +
+💡 RDP Troubleshooting Hints + +If RDP connection fails: +1. Ensure Remote Desktop is enabled in System Properties +2. Temporarily disable Network Level Authentication (NLA) +3. Check Windows Firewall settings +4. Use the external WAN IP, not the LAN IP +5. Try connecting with `Administrator` as the username + +
+
+ +
+Task 3 — Rename the server + +- Objective: Apply the lab naming convention. +- Do: Rename to FirstInitialLastName-DC01 (e.g., JMama-DC01). Do not reboot yet. +- Success: System properties show the new name (pending restart). + +
+💡 Naming Hints + +- Access via: System Properties > Computer Name tab > Change +- Use format: FirstInitialLastName-DC01 (e.g., JSmith-DC01) +- Click "Apply" but don't restart yet (save that for after static IP setup) + +
+
+ +
+Task 4 — Configure a static IPv4 + +- Objective: Ensure the server keeps a stable address. +- Do: + - Set IPv4 address, subnet mask, and default gateway to match your network. + - Preferred DNS: use your gateway or an external resolver temporarily (you will point it to this server after DNS is installed). +- Success: ipconfig displays the static IP you configured. + +
+💡 Static IP Configuration Hints + +Before setting static IP, run `ipconfig` to see current settings: +- **IP Address**: Use the current DHCP-assigned IP +- **Subnet Mask**: Typically `255.255.255.0` +- **Default Gateway**: Usually `192.168.1.1` +- **DNS**: Use gateway (192.168.1.1) or public DNS (8.8.8.8) temporarily + +Access via: Network and Sharing Center > Change adapter settings > Right-click network adapter > Properties > IPv4 + +
+
+ +
+Task 5 — Reboot and validate + +- Objective: Apply changes and confirm access. +- Do: Reboot the VM. RDP back in using the new name or static IP. +- Success: RDP works post-reboot and the new name/IP persist. + +
+💡 Validation Hints + +After reboot: +- Verify computer name: `hostname` in command prompt +- Verify static IP: `ipconfig` +- Test RDP: Connect from your host using the computer name or IP +- Test internet: `ping google.com` + +
+
+ +
+Task 6 — Install core roles + +- Objective: Prepare the server for domain services. +- Do: Server Manager > Manage > Add Roles and Features: + - Active Directory Domain Services (AD DS) + - DNS Server + - Group Policy Management +- Success: Roles show as Installed in Server Manager. + +
+💡 Role Installation Hints + +Installation wizard steps: +1. **Before You Begin**: Click Next +2. **Installation Type**: Role-based or feature-based installation +3. **Server Selection**: Select your server +4. **Server Roles**: Check the boxes for AD DS and DNS Server +5. **Features**: Group Policy Management will be under "Remote Server Administration Tools" +6. Follow prompts and install + +Note: You may see warnings about DNS delegation - ignore these for now. + +
+
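Review bot: this hunk carries the same material twice and should keep one form. The paragraphs from "Open up *Server Manager* and browse around..." through "install the following items" describe renaming to FirstInitialLastName-DC01, setting a static IP, rebooting and adding roles, and then "## Lab: Prep the Primary Domain Controller (PDC)" repeats exactly that as Task 1 to Task 6 with hint blocks; the Task layout is the better half (it has success criteria and names the roles: AD DS, DNS Server, Group Policy Management), and the prose version ends in a dangling empty bullet ("install the following items" followed by a bare "-"). Separately, the RDP hints "Temporarily disable Network Level Authentication (NLA)" and the earlier "you must disable that feature" should say why it is needed here and that it should be re-enabled once the domain is up: NLA makes the client authenticate before a session and logon screen are created, so leaving it off exposes the full logon UI to anything that can reach port 3389 on `172.16.x.116`. The static-IP hint is good as written, especially the note that DNS points at the gateway or `8.8.8.8` only until the DNS role is installed on this server.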
\ No newline at end of file From 2ea7f8a634c44cf844068dda3fa37aa75831c153 Mon Sep 17 00:00:00 2001 From: xdkaine <55013938+xdkaine@users.noreply.github.com> Date: Sat, 20 Sep 2025 00:16:36 -0700 Subject: [PATCH 39/47] try this --- source/AD_Lab.md | 161 ++++++----------------------------------------- 1 file changed, 20 insertions(+), 141 deletions(-) diff --git a/source/AD_Lab.md b/source/AD_Lab.md index c01487c..b86b708 100644 --- a/source/AD_Lab.md +++ b/source/AD_Lab.md @@ -234,164 +234,43 @@ Now that we are aware this device is able to reach the actual Internet, now lets
-Now that you see all these addresses, the one we are looking for is IPv4 Address, for my current machine its `192.168.1.116` +Now that you see all these addresses, the one we are looking for is the IPv4 Address. In the example above, it is `192.168.1.116`. -This IP address is specific to this Virtual Machine and the way +This address is the VM’s local IP on the pod LAN. Your pod also has a virtual pfSense router that exposes the pod to the SDC network with a `172.16.x.x` range. From outside the pod (for example, from your laptop on GlobalProtect), reach this VM at `172.16.x.116`. The value of `x` maps to your pod number (from `10xx_windows_ad_splunk_lab`, use `xx`). If you are unsure, log in to the pfSense console and check the WAN address shown at boot. If you initially see `172.16.1.1`, press Enter to refresh until the correct WAN appears. -Now you need to understand that this IP address is local to the "Router" you are connected to. In your case we provision a virtual pfSense router to your pod that has an IP Address to the router, typically formatted in `172.16.x.x`, meaning that is your external address. But locally when you are connected to that LAN of this network, you are accessible as `192.168.1.116`, but externally your machine is reached as `172.16.x.116`. The `x` part in that external address will depend on your pod number, typically represented as `10xx_windows_ad_splunk_lab`. taking that `xx` in the pod number will be part of your WAN address. Even if you still cannot find out what your pod number is, you can remote into your virtual router and look at the WAN address that first comes up (If it says `172.16.1.1`, click enter to refresh the page and a different WAN should appear) - -This was a bit of a tangent and very surface level understanding on how the router connects, I hope I will shorten it and explain it better later. 
- -If you think you understand how to access the machine externally, try pinging your Windows VM from your own device while connected to the GlobalProtect VPN. If this still does not work and you cannot ping your virtual machine from your physical machine, check the IP address and make sure you understand how we are getting each octet of the address. - -If you can ping your machine from your physical machine, you should now know the address of the machine and can access it externally. Now go back to Proxmox and (hopefully) for the last time open up the console for the Windows VM, and enable Remote Desktop. Once enabled, attempt to remote into your machine, the computer name can either be the External IP of your VM or actual Computer Name if you know it. You might run into issues regarding Network Level Authentication, you must disable that feature which is nested within the settings of where you first enabled Remote Desktop - -At this point of the lab, you should have a ready Windows Server 2019 Machine and have an understanding on how the networking works within your deployed pod. -This part of the lab will now focus on on creating now setting up your domain and be more of a lab than tutorial. - -Open up *Server Manager* and browse around to see what you can do in this Server edition of Windows. From the *Server Manager*, you can see many different features typically not available on Home and even Pro editions of Windows. - -First thing we can do is change this *Computer name* to something more recognizable, so next time we remote in, we can just type in a name instead of remembering the IP Address. For the sake of this lab environment, we will have a consistent naming system for all the clients we interact with. Rename your Windows VM to FirstInitialLastName-DC01 (Ex: JMama-DC01) and then click Apply. 
- -Before restarting your computer, lets also set a static IP for your machine to ensure that when we restart your machine, if the IP changes we cannot remote back into the machine. If you are unsure about all the settings you need to set regarding the IPv4 settings, looking at ipconfig in Command Prompt will help guide you. - -After you set the computer name and a static ip for your machine, you should restart your VM through Windows to ensure all settings you just applied are set. - -Now that you have browsed around, locate the Manage > Add Roles and Features button at the top right of Server Manager and install the following items -- -## Lab: Prep the Primary Domain Controller (PDC) - -Goal: Reach the VM externally, RDP into it, rename it, set a static IP, and install core roles. - -
-Task 1 — Verify external reachability - -- Objective: Confirm your host can reach the VM from the VPN. -- Do: - - From your host (on GlobalProtect), ping the VM's external IP. - - On the VM, use ipconfig to understand its IPv4 and gateway. -- Success: 4 replies, 0% loss. +> **Note:** This is a simplified overview of the routing. Key takeaway: use `172.16.x.116` from outside the pod and `192.168.1.116` from within the pod LAN.
-💡 Networking Hints - -Your VM has two IP addresses: -- **LAN IP** (192.168.x.x): Internal to your pod's virtual network -- **WAN IP** (172.16.x.x): External address for accessing from your host - -The external IP follows this pattern: if your VM's LAN IP is `192.168.1.116`, your external IP is likely `172.16.x.116` where `x` matches your pod number. - -To find your pod number: -- Check your pod name format: `10xx_windows_ad_splunk_lab` -- The `xx` becomes part of your WAN address -- Or check the pfSense router console for the WAN address - -
+1. Connect to GlobalProtect.
-
-Task 2 — Enable Remote Desktop - -- Objective: RDP into the VM from your host. -- Do: - - Enable Remote Desktop on the VM. - - Connect using the external IP or the computer name. -- Success: You can open a remote session successfully. - -
-💡 RDP Troubleshooting Hints - -If RDP connection fails: -1. Ensure Remote Desktop is enabled in System Properties -2. Temporarily disable Network Level Authentication (NLA) -3. Check Windows Firewall settings -4. Use the external WAN IP, not the LAN IP -5. Try connecting with `Administrator` as the username - -
+2. From your device, ping the VM’s external IP (172.16.x.116).
- -
-Task 3 — Rename the server - -- Objective: Apply the lab naming convention. -- Do: Rename to FirstInitialLastName-DC01 (e.g., JMama-DC01). Do not reboot yet. -- Success: System properties show the new name (pending restart). -
-💡 Naming Hints - -- Access via: System Properties > Computer Name tab > Change -- Use format: FirstInitialLastName-DC01 (e.g., JSmith-DC01) -- Click "Apply" but don't restart yet (save that for after static IP setup) - -
+3. If ping fails, re-check both the local (192.168.x.x) and external (172.16.x.116) IPs and how x is derived from your pod.
-Task 4 — Configure a static IPv4 - -- Objective: Ensure the server keeps a stable address. -- Do: - - Set IPv4 address, subnet mask, and default gateway to match your network. - - Preferred DNS: use your gateway or an external resolver temporarily (you will point it to this server after DNS is installed). -- Success: ipconfig displays the static IP you configured. - -
-💡 Static IP Configuration Hints - -Before setting static IP, run `ipconfig` to see current settings: -- **IP Address**: Use the current DHCP-assigned IP -- **Subnet Mask**: Typically `255.255.255.0` -- **Default Gateway**: Usually `192.168.1.1` -- **DNS**: Use gateway (192.168.1.1) or public DNS (8.8.8.8) temporarily - -Access via: Network and Sharing Center > Change adapter settings > Right-click network adapter > Properties > IPv4 - +1. In Proxmox, open the Windows VM console.
-
-
-Task 5 — Reboot and validate - -- Objective: Apply changes and confirm access. -- Do: Reboot the VM. RDP back in using the new name or static IP. -- Success: RDP works post-reboot and the new name/IP persist. - -
-💡 Validation Hints - -After reboot: -- Verify computer name: `hostname` in command prompt -- Verify static IP: `ipconfig` -- Test RDP: Connect from your host using the computer name or IP -- Test internet: `ping google.com` - +2. Open System Properties > Remote and enable Remote Desktop.
-
-
-Task 6 — Install core roles +3. If you cannot connect due to Network Level Authentication, uncheck “Allow connections only from computers running Remote Desktop with Network Level Authentication.” +
-- Objective: Prepare the server for domain services. -- Do: Server Manager > Manage > Add Roles and Features: - - Active Directory Domain Services (AD DS) - - DNS Server - - Group Policy Management -- Success: Roles show as Installed in Server Manager. +Connect via RDP using either: +- The external IP (`172.16.x.116`), or +- The computer name (after you rename it below). -
-💡 Role Installation Hints +At this point, you should have a ready Windows Server 2019 VM and a basic understanding of the pod networking. -Installation wizard steps: -1. **Before You Begin**: Click Next -2. **Installation Type**: Role-based or feature-based installation -3. **Server Selection**: Select your server -4. **Server Roles**: Check the boxes for AD DS and DNS Server -5. **Features**: Group Policy Management will be under "Remote Server Administration Tools" -6. Follow prompts and install +From here, you will create the domain and proceed in a more lab-style format. -Note: You may see warnings about DNS delegation - ignore these for now. +Open *Server Manager* and review available features. Then: +1. Rename the computer to FirstInitialLastName-DC01 (example: JMama-DC01) and click Apply. +2. Configure a static IPv4 address that matches your pod network. Use `ipconfig` as a guide for subnet mask, default gateway, and DNS. +3. Restart the VM to apply the changes. -
-
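Review bot: the condensed networking paragraph is a clear improvement, but the rewrite also deletes the whole Task 1 to Task 6 section from the previous commit (objectives, success criteria, the static-IP hint block and the role list), and the surviving text now ends on "install the following items" with nothing listed, so the reader no longer learns that AD DS, DNS Server and Group Policy Management are the roles to add. If the goal was to remove the duplicated prose walkthrough, the Task section was the better half to keep. Two smaller points in the `+` lines: "exposes the pod to the SDC network" introduces the term SDC without expansion anywhere on the page, and the step "uncheck 'Allow connections only from computers running Remote Desktop with Network Level Authentication'" still gives no reason and no reminder to turn NLA back on after the domain is built. The commit title "try this" describes none of this; a message such as "Condense pod networking section and split RDP/Server Manager steps" would make the history usable.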
\ No newline at end of file +Now that you have browsed around, locate the Manage > Add Roles and Features button at the top right of Server Manager and install the following items From 1d9286d92b856f9381236984db0ffb7668e20292 Mon Sep 17 00:00:00 2001 From: xdkaine <55013938+xdkaine@users.noreply.github.com> Date: Sat, 20 Sep 2025 00:20:52 -0700 Subject: [PATCH 40/47] try again --- source/AD_Lab.md | 63 +++++++++++++++++++++++++++++++----------------- 1 file changed, 41 insertions(+), 22 deletions(-) diff --git a/source/AD_Lab.md b/source/AD_Lab.md index b86b708..68e40db 100644 --- a/source/AD_Lab.md +++ b/source/AD_Lab.md @@ -234,43 +234,62 @@ Now that we are aware this device is able to reach the actual Internet, now lets
-Now that you see all these addresses, the one we are looking for is the IPv4 Address. In the example above, it is `192.168.1.116`. +Now that you see all these addresses, the one we are looking for is IPv4 Address, for my current machine its `192.168.1.116` -This address is the VM’s local IP on the pod LAN. Your pod also has a virtual pfSense router that exposes the pod to the SDC network with a `172.16.x.x` range. From outside the pod (for example, from your laptop on GlobalProtect), reach this VM at `172.16.x.116`. The value of `x` maps to your pod number (from `10xx_windows_ad_splunk_lab`, use `xx`). If you are unsure, log in to the pfSense console and check the WAN address shown at boot. If you initially see `172.16.1.1`, press Enter to refresh until the correct WAN appears. +This IP address is specific to this Virtual Machine and the way -> **Note:** This is a simplified overview of the routing. Key takeaway: use `172.16.x.116` from outside the pod and `192.168.1.116` from within the pod LAN. +Now you need to understand that this IP address is local to the "Router" you are connected to. In your case we provision a virtual pfSense router to your pod that has an IP Address to the router, typically formatted in `172.16.x.x`, meaning that is your external address. But locally when you are connected to that LAN of this network, you are accessible as `192.168.1.116`, but externally your machine is reached as `172.16.x.116`. The `x` part in that external address will depend on your pod number, typically represented as `10xx_windows_ad_splunk_lab`. taking that `xx` in the pod number will be part of your WAN address. 
Even if you still cannot find out what your pod number is, you can remote into your virtual router and look at the WAN address that first comes up (If it says `172.16.1.1`, click enter to refresh the page and a different WAN should appear) + +This was a bit of a tangent and very surface level understanding on how the router connects, I hope I will shorten it and explain it better later. + +If you think you understand how to access the machine externally, try pinging your Windows VM from your own device while connected to the GlobalProtect VPN. If this still does not work and you cannot ping your virtual machine from your physical machine, check the IP address and make sure you understand how we are getting each octet of the address. + +### Enabling Remote Desktop Access
-1. Connect to GlobalProtect. -
-
-2. From your device, ping the VM’s external IP (172.16.x.116). +1. If you can ping your machine from your physical machine, you should now know the address of the machine and can access it externally. Go back to Proxmox and open the console for the Windows VM one more time to enable Remote Desktop. + +> **Note:** You can access the machine using either the External IP of your VM or the actual Computer Name if you know it. You might encounter issues regarding Network Level Authentication, which must be disabled in the Remote Desktop settings. +
+ +At this point of the lab, you should have a ready Windows Server 2019 Machine and have an understanding of how the networking works within your deployed pod. This part of the lab will now focus on setting up your domain and will be more hands-on. + +### Server Manager Configuration +
-3. If ping fails, re-check both the local (192.168.x.x) and external (172.16.x.116) IPs and how x is derived from your pod. +1. Open Server Manager and browse around to see what features are available in this Server edition of Windows. + +> From the Server Manager, you can see many different features typically not available on Home and even Pro editions of Windows. +
+### Setting Computer Name and Static IP +
-1. In Proxmox, open the Windows VM console. +1. Change the Computer name to something more recognizable so you can type in a name instead of remembering the IP Address when remoting in. + +> For the sake of this lab environment, we will have a consistent naming system for all clients. Rename your Windows VM to **FirstInitialLastName-DC01** (e.g., **JMama-DC01**) and then click **Apply**. +
+
-2. Open System Properties > Remote and enable Remote Desktop. +2. Before restarting your computer, set a static IP for your machine to ensure that when you restart, the IP doesn't change and you can still remote back into the machine. + +> **Tip:** If you are unsure about all the settings you need for the IPv4 configuration, running `ipconfig` in Command Prompt will help guide you with the current network settings. +
+
-3. If you cannot connect due to Network Level Authentication, uncheck “Allow connections only from computers running Remote Desktop with Network Level Authentication.” -
+3. After you set the computer name and static IP for your machine, restart your VM through Windows to ensure all settings are applied. -Connect via RDP using either: -- The external IP (`172.16.x.116`), or -- The computer name (after you rename it below). +> This restart ensures that both the computer name change and static IP configuration take effect properly. -At this point, you should have a ready Windows Server 2019 VM and a basic understanding of the pod networking. +
-From here, you will create the domain and proceed in a more lab-style format. +### Installing Server Roles and Features -Open *Server Manager* and review available features. Then: -1. Rename the computer to FirstInitialLastName-DC01 (example: JMama-DC01) and click Apply. -2. Configure a static IPv4 address that matches your pod network. Use `ipconfig` as a guide for subnet mask, default gateway, and DNS. -3. Restart the VM to apply the changes. +
+1. Now that you have browsed around, locate the Manage > Add Roles and Features button at the top right of Server Manager and install the following items: -Now that you have browsed around, locate the Manage > Add Roles and Features button at the top right of Server Manager and install the following items +
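Review bot: the rewritten networking paragraph leaves a sentence unfinished ("This IP address is specific to this Virtual Machine and the way") and drops the one-line summary the old text had, so the reader no longer gets a simple rule for which address to use from where; finish or delete the dangling sentence and keep a takeaway along the lines of "use `172.16.x.116` from outside the pod and `192.168.1.116` from within the pod LAN". In the new "Enabling Remote Desktop Access" step the actual instruction (System Properties > Remote, enable Remote Desktop) went away with the old list, so the step now only says to open the console; restore the where-to-click. The note that Network Level Authentication "must be disabled" should say why it is being turned off and that this is a lab-only workaround: NLA is what makes the RDP listener authenticate the client before a session is created, so tell readers to re-enable it once remote access is working.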
From fa76dd1a48be73529161470fce0e862858e8989a Mon Sep 17 00:00:00 2001 From: xdkaine <55013938+xdkaine@users.noreply.github.com> Date: Sat, 20 Sep 2025 01:47:04 -0700 Subject: [PATCH 41/47] ad ds guide --- source/AD_Lab.md | 106 ++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 104 insertions(+), 2 deletions(-) diff --git a/source/AD_Lab.md b/source/AD_Lab.md index 68e40db..827e070 100644 --- a/source/AD_Lab.md +++ b/source/AD_Lab.md @@ -253,7 +253,7 @@ If you think you understand how to access the machine externally, try pinging yo
-At this point of the lab, you should have a ready Windows Server 2019 Machine and have an understanding of how the networking works within your deployed pod. This part of the lab will now focus on setting up your domain and will be more hands-on. +At this point of the lab, you should have a ready Windows Server 2019 Machine and have an understanding of how the networking works within your deployed pod. This next part of the lab will now focus on setting up your domain and will be more hands-on and less of a tutorial. ### Server Manager Configuration @@ -290,6 +290,108 @@ At this point of the lab, you should have a ready Windows Server 2019 Machine an ### Installing Server Roles and Features
-1. Now that you have browsed around, locate the Manage > Add Roles and Features button at the top right of Server Manager and install the following items: +1. Now that you have browsed around, locate the Manage > Add Roles and Features button at the top right of Server Manager. + +Install the following server roles and features: +- **Active Directory Domain Services** +- **Active Directory Federation Services** +- **Active Directory Lightweight Directory Services** +- **Active Directory Rights Management Services** +- **DNS Server** + +
+ +
+2. Proceed through the Add Roles and Features Wizard, accepting any dependency services that are required. + +> **Note:** The wizard may prompt you to install additional features that are dependencies for the roles you selected. Accept these to ensure proper functionality. + +
+ +
+3. Once the feature installation completes, restart your server. + +> After restarting, your Server Manager may show red indicators - this is normal and expected at this stage. + +
+ +### Promoting to Domain Controller + +
+1. We are going to configure this server step by step to handle all the issues. Open the AD DS tab and promote this machine to being a Domain Controller. + +> **Note:** You will likely see a yellow message saying "configuration required" - this is what we're addressing now. + +
+ +
+2. When you attempt to promote this machine to a Domain Controller, an Active Directory Domain Services Configuration Wizard should appear. Work through the wizard. + +> Continue through the initial setup screens of the configuration wizard. + +
+ +
+3. When it comes to choosing your domain, use a similar naming style as we used for the machine names. Create a new forest and set your domain to FirstInitialLastName.soc (e.g., tphao.soc). + +> **Important:** This domain name will be used throughout your other DNS services like Splunk later in the lab. + +
+ +
+4. Continue through the wizard and complete promoting this VM to being a Domain Controller. + +> Follow the remaining prompts in the wizard, accepting the default settings unless you have specific requirements. + +
+ +### Post-Promotion Configuration + +
+1. Once promotion is complete, a restart will occur where the Group Policy Client gets installed. You should see a user appear with the first part of the root domain you chose (e.g., JMama\ADMINISTRATOR). + +> Log in with the password you set beforehand - this is now your Administrator account for your Domain. + +
+ +
+2. Now that you have completed the domain setup, you can explore your domain by opening Active Directory Users and Computers. + +> Right-click and manage the new domain you created. You can see default created organizational units (OUs), users, group policy objects, etc. + +
+ +### Lab Progress Check + +At this point in the lab, you should be proud of what you have accomplished: + +- ✅ Deployed a Windows Server 2019 Virtual Machine +- ✅ Loaded necessary drivers for Virtual Hard Disk and Virtual Networking +- ✅ Utilized the virtual router and 1:1 NAT to remotely access your machine +- ✅ Set static names and IP addresses for VM stability +- ✅ Installed Windows Server features like Active Directory Domain Services +- ✅ Promoted the VM to a Domain Controller +- ✅ Created a domain for clients to join + +### Final Verification + +
+1. As a final check before continuing, open PowerShell and run the following command to verify domain membership: + +```powershell +Get-CimInstance Win32_ComputerSystem | Select-Object Domain, PartOfDomain +``` + +Your results should look similar to this: + +``` +Domain PartOfDomain +------ ------------ +tphao.soc True +```
+ +## What's Next? + +We are going to proceed with adding clients to this domain and joining Windows 10 client machines to our newly created domain! From 37e6dbb1c810e9f2dace499bf552badb18af3736 Mon Sep 17 00:00:00 2001 From: xdkaine <55013938+xdkaine@users.noreply.github.com> Date: Sat, 20 Sep 2025 02:04:03 -0700 Subject: [PATCH 42/47] win10 --- source/AD_Lab.md | 82 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 81 insertions(+), 1 deletion(-) diff --git a/source/AD_Lab.md b/source/AD_Lab.md index 827e070..c4b249a 100644 --- a/source/AD_Lab.md +++ b/source/AD_Lab.md @@ -30,7 +30,7 @@ These Windows VMs should be generated from a template. If not, ensure you have f All these Virtual Machine's are going to be left in a setup phase, meaning you will be spending time download packages, setting passwords, etc. -## Lab Setup: Primary Domain Controller +## Primary Domain Controller Let's begin by configuring our first VM, which will serve as the Primary Domain Controller (PDC). For this guide, we are using a **Windows Server 2019** virtual machine. @@ -359,6 +359,8 @@ Install the following server roles and features: > Right-click and manage the new domain you created. You can see default created organizational units (OUs), users, group policy objects, etc. +> Let's open up the folder called Users and create a user inside there. I am going to call mine Test and use this as an account to test if my clients join the domain successfully and I can login under this domain. +
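Review bot: the roles list under "Installing Server Roles and Features" installs Active Directory Federation Services, Lightweight Directory Services and Rights Management Services alongside AD DS and DNS Server, but nothing later in the guide uses them and each one adds services and listening endpoints to the domain controller; trim the list to **Active Directory Domain Services** and **DNS Server** and let the wizard pull in the dependencies. In "Post-Promotion Configuration" step 1, "the password you set beforehand" is ambiguous because the promotion wizard also asks for a DSRM password; state that the domain Administrator account keeps the local Administrator password from before promotion and that the DSRM password is a separate recovery credential worth recording. The example identities also drift within the hunk (JMama-DC01 and JMama\ADMINISTRATOR for the machine and account, but tphao.soc for the domain and in the verification output); pick one example throughout.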
### Lab Progress Check @@ -395,3 +397,81 @@ tphao.soc True ## What's Next? We are going to proceed with adding clients to this domain and joining Windows 10 client machines to our newly created domain! + +## Lab Setup: Windows Client + +Now that you are experienced in deploying virtual machines in our environment, the instructions will be less guided and focus on specific goals and objectives. + +### Windows 10 Installation + +
+1. Start up one of your two Windows 10 virtual machines and proceed with completing the installation on the VM. + +> Follow the standard Windows 10 installation process. The steps should be familiar from the Windows Server installation you just completed. + +
+ +### Client Configuration + +
+1. Once Windows 10 boots, set a static IP for this machine to ensure network stability. + +> Use a different IP address than your Domain Controller, but within the same subnet (e.g., if your DC is `192.168.1.116`, use `192.168.1.117` for the client). + +
+
+2. Set a common name for this PC following our naming convention: FirstInitialLastName-client01 (e.g., JMama-client01). + +> This naming convention helps maintain consistency across your lab environment and makes it easier to identify different machines. + +
+ +### Joining the Domain + +
+1. Now we are going to join the domain we created earlier (e.g., JMama.soc). Locate the field where you can join this computer to that domain. + +> **Hint:** Look in the System Properties under "Computer name, domain, and workgroup settings." You'll need to change from a workgroup to a domain. + +
+
+2. When prompted for credentials during the domain join process, use your Domain Administrator account. + +> Use the domain administrator credentials you set up on your Domain Controller (e.g., `JMama\Administrator`). + +
+ +### Domain Login Testing + +
+1. If configured correctly and joining the domain was successful, log out and log back in using the test account we created on the Domain Controller. + +> Switch from the local machine login to the domain login. You should be able to select your domain from the login screen and use the test account credentials. + +
+
+2. If you forgot your test account password, resetting it on the Domain Controller is easy - simply right-click the user in Active Directory Users and Computers and select "Reset Password". + +> This demonstrates the centralized user management capability of Active Directory. + +
+ +### Verification + +
+1. To verify successful domain join, open PowerShell on the client machine and run the domain verification command: + +```powershell +Get-CimInstance Win32_ComputerSystem | Select-Object Domain, PartOfDomain +``` + +Your results should show: +- **Domain**: Your domain name (e.g., `JMama.soc`) +- **PartOfDomain**: `True` + +
+ +Congratulations! You now have a Windows 10 client successfully joined to your Active Directory domain. This client can now authenticate against your Domain Controller and access domain resources based on the permissions you configure. + +Congratulations! You now have a Windows 10 client successfully joined to your Active Directory domain. This client can now authenticate against your Domain Controller and access domain resources based on the permissions you configure. + From 0fcfc8a586eb30079195861fbe8165494e26e403 Mon Sep 17 00:00:00 2001 From: xdkaine <55013938+xdkaine@users.noreply.github.com> Date: Sat, 20 Sep 2025 02:06:42 -0700 Subject: [PATCH 43/47] extra junk --- source/AD_Lab.md | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/source/AD_Lab.md b/source/AD_Lab.md index c4b249a..9968c62 100644 --- a/source/AD_Lab.md +++ b/source/AD_Lab.md @@ -456,22 +456,5 @@ Now that you are experienced in deploying virtual machines in our environment, t -### Verification - -
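Review bot: in the hunk that adds the Test user under "Post-Promotion Configuration", say that this account stays a plain Domain User with a strong password; it exists only to prove that clients can authenticate and should not be added to any privileged group. Also "I can login" should read "I can log in".

Review bot: the "Windows Client" hunk ends with the same "Congratulations!" paragraph twice; drop one copy. The static IP tip in "Client Configuration" gives an example address but no DNS server, and a client whose DNS does not point at the domain controller cannot locate the DC to join, so add that to the tip. "Joining the Domain" step 2 has readers type Domain Administrator credentials on the workstation; a domain join does not need that privilege level (by default any domain user can join up to ten computers), and entering the most privileged account on client machines is a habit not worth teaching, so suggest joining with the Test user or a dedicated account and reserving the Administrator account for the DC.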
-1. To verify successful domain join, open PowerShell on the client machine and run the domain verification command: - -```powershell -Get-CimInstance Win32_ComputerSystem | Select-Object Domain, PartOfDomain -``` - -Your results should show: -- **Domain**: Your domain name (e.g., `JMama.soc`) -- **PartOfDomain**: `True` - -
- -Congratulations! You now have a Windows 10 client successfully joined to your Active Directory domain. This client can now authenticate against your Domain Controller and access domain resources based on the permissions you configure. - Congratulations! You now have a Windows 10 client successfully joined to your Active Directory domain. This client can now authenticate against your Domain Controller and access domain resources based on the permissions you configure. From c73c96be14a72aa3a01b979e55202be8338a36f9 Mon Sep 17 00:00:00 2001 From: xdkaine <55013938+xdkaine@users.noreply.github.com> Date: Sat, 20 Sep 2025 02:19:34 -0700 Subject: [PATCH 44/47] yay --- source/AD_Lab.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/source/AD_Lab.md b/source/AD_Lab.md index 9968c62..bd8a515 100644 --- a/source/AD_Lab.md +++ b/source/AD_Lab.md @@ -394,7 +394,7 @@ tphao.soc True -## What's Next? +### What's Next? We are going to proceed with adding clients to this domain and joining Windows 10 client machines to our newly created domain! @@ -418,6 +418,8 @@ Now that you are experienced in deploying virtual machines in our environment, t > Use a different IP address than your Domain Controller, but within the same subnet (e.g., if your DC is `192.168.1.116`, use `192.168.1.117` for the client). +> Note for the DNS settings, set your primary DNS to be the same IP as your domain controller! +
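Review bot: this hunk removes the duplicated "Congratulations!" paragraph, which is right, but it also deletes the entire client-side "Verification" section, so the Windows client walkthrough no longer ends with a check that the join succeeded. Keep the `Get-CimInstance Win32_ComputerSystem | Select-Object Domain, PartOfDomain` step and remove only the duplicate paragraph.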
2. Set a common name for this PC following our naming convention: FirstInitialLastName-client01 (e.g., JMama-client01). From 4769db31a57f42d639cb69e82eb328a0da72d54f Mon Sep 17 00:00:00 2001 From: xdkaine <55013938+xdkaine@users.noreply.github.com> Date: Sat, 20 Sep 2025 02:24:54 -0700 Subject: [PATCH 45/47] win client 1 done --- source/AD_Lab.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/source/AD_Lab.md b/source/AD_Lab.md index bd8a515..92ad7d8 100644 --- a/source/AD_Lab.md +++ b/source/AD_Lab.md @@ -398,7 +398,7 @@ tphao.soc True We are going to proceed with adding clients to this domain and joining Windows 10 client machines to our newly created domain! -## Lab Setup: Windows Client +## Windows Client - 1 Now that you are experienced in deploying virtual machines in our environment, the instructions will be less guided and focus on specific goals and objectives. @@ -458,5 +458,7 @@ Now that you are experienced in deploying virtual machines in our environment, t
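Review bot: the DNS tip added to "Client Configuration" is the right fix, but it reads as an afterthought; state it as a requirement inside the static IP step itself, since a client whose DNS server is anything other than the domain controller cannot resolve the DC's service records and the domain join in the next section fails. The heading level change from `##` to `###` for "What's Next?" is fine and matches the other subsections.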
-Congratulations! You now have a Windows 10 client successfully joined to your Active Directory domain. This client can now authenticate against your Domain Controller and access domain resources based on the permissions you configure. +### What's Next? + +Congratulations! You now have a Windows 10 client successfully joined to your Active Directory domain. This client can now authenticate against your Domain Controller and access domain resources based on the permissions you configure. From 9a502bef6da6321aa9ecb30f7f4a9925da685af3 Mon Sep 17 00:00:00 2001 From: xdkaine <55013938+xdkaine@users.noreply.github.com> Date: Tue, 23 Sep 2025 22:39:32 -0700 Subject: [PATCH 46/47] added a newer query --- source/missile_map.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/source/missile_map.md b/source/missile_map.md index 85f4d26..7206807 100644 --- a/source/missile_map.md +++ b/source/missile_map.md 
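Review bot: the new "### What's Next?" heading at the end of the client section is followed only by the congratulations paragraph and never says what comes next; either add the pointer to the following step (the second Windows 10 client, since the page provisions two) or drop the heading. The section title "Windows Client - 1" also breaks with the other headings, which use words rather than a trailing number; "First Windows Client" would match.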
@@ -78,6 +78,13 @@ index="netfw" sourcetype="pan:globalprotect" (portal="gp-mgmt" OR portal="gp-use | eval start_lat=lat, start_lon=lon, end_lat=34.0597, end_lon=-117.8200 | stats count by action, src_user, src_ip, start_lat, start_lon, end_lat, end_lon ``` +*As of 9/23, 'sourcetype' was no longer a applicable field to search by or to be included when we searched on Splunk. It could be fixed, but below is the refined search query. +```splunk +index="netfw" (portal="gp-mgmt" OR portal="gp-user") event_id="gateway-connected" src_user=* +| iplocation src_ip +| eval start_lat=lat, start_lon=lon, end_lat=34.0597, end_lon=-117.8200 +| stats count by action, src_user, src_ip, start_lat, start_lon, end_lat, end_lon +``` Let’s break down what this does: - **Base search**: We search the firewall logs (`index="netfw"`) of type `pan:globalprotect` for events where the `portal` field is either `gp-mgmt` or `gp-user` (i.e. the connection-establishment stage for either portal) and `event_id="gateway-connected"`. We also ensure `src_user=*` to pick up only events tied to a user account (excluding any system or empty entries). From e224b4bd18e4c856939ed22c012f5ffcef242866 Mon Sep 17 00:00:00 2001 From: tommy phao Date: Thu, 2 Oct 2025 18:08:21 -0700 Subject: [PATCH 47/47] test will revert --- source/AD_Lab.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/AD_Lab.md b/source/AD_Lab.md index 92ad7d8..ee68a77 100644 --- a/source/AD_Lab.md +++ b/source/AD_Lab.md @@ -1,4 +1,4 @@ -# Active Directory Lab Setup +# Active Directory Lab Setup test ## Introduction
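Review bot: the refined query in the missile_map.md hunk drops the `sourcetype="pan:globalprotect"` filter, so the search now runs over every sourcetype in `index="netfw"` and will match any event there that happens to carry `portal` and `event_id` fields; say so in the text and, instead of "It could be fixed", record why the sourcetype stopped being populated so the filter can be restored. The explanatory bullets that follow ("Base search: We search the firewall logs ... of type `pan:globalprotect`") still describe the old query and need updating to match. Minor: the added paragraph opens with a stray `*` that starts an unclosed emphasis span, "a applicable" should be "an applicable", and the date "9/23" needs a year.

Review bot: the final commit appends " test" to the page's H1 and its subject says it will be reverted; drop it from the series (or squash it with the revert) before merge so the rendered title is never published as "Active Directory Lab Setup test".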