Threat Hunting and Log Analysis Workshop - Part 1

CTF Scenario

In this scenario, you have been tapped as an expert to help an organization investigate a potential breach. The threat hunting team lead has a hypothesis that the attackers were able to obtain access through the SSH daemon in April. Your task is to test that hypothesis and provide a report of activity during that period. The auth.log data is in this directory.

Workshop Resource Link:

You first need to stand up a Gravwell instance and ingest the data (the GUI is the easiest route). Then, please answer the questions below using Gravwell search.
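For reference, the kind of logic your Gravwell searches will express, written out as an added Python example (not part of the workshop, and not Gravwell's query language): parse sshd lines from auth.log, keep only April, count failed logins per source address, and flag any accepted login from an address that had already been failing. The sample log lines, host name and addresses below are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in standard syslog auth.log format (no year field).
SAMPLE_AUTH_LOG = """\
Mar 30 08:12:01 bastion sshd[2011]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Apr  3 02:14:05 bastion sshd[3110]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Apr  3 02:14:07 bastion sshd[3112]: Failed password for invalid user oracle from 203.0.113.5 port 51124 ssh2
Apr  3 02:14:09 bastion sshd[3114]: Failed password for root from 203.0.113.5 port 51126 ssh2
Apr  3 02:14:12 bastion sshd[3116]: Accepted password for root from 203.0.113.5 port 51130 ssh2
Apr  5 09:30:44 bastion sshd[4001]: Accepted publickey for alice from 192.0.2.10 port 50200 ssh2
Apr  5 09:31:02 bastion sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
May  1 11:00:00 bastion sshd[5005]: Failed password for root from 198.51.100.7 port 40000 ssh2
"""

# Matches sshd "Accepted ..." / "Failed ..." lines; "invalid user" is optional.
SSHD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd_events(log_text, month="Apr"):
    """Return the sshd login events (as dicts) that fall in the given month."""
    events = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if m and m.group("mon") == month:
            events.append(m.groupdict())
    return events


def hunt_ssh(log_text, month="Apr", threshold=1):
    """Count failures per source IP in order, and flag accepted logins from
    an IP that had already failed at least `threshold` times before."""
    failures = Counter()
    accepted, suspicious = [], []
    for e in parse_sshd_events(log_text, month):
        if e["result"] == "Failed":
            failures[e["ip"]] += 1
        else:
            accepted.append(e)
            if failures[e["ip"]] >= threshold:
                suspicious.append(e)
    return {"failures_by_ip": dict(failures), "accepted": accepted, "suspicious": suspicious}


if __name__ == "__main__":
    for e in hunt_ssh(SAMPLE_AUTH_LOG)["suspicious"]:
        print(f"{e['mon']} {e['day']} {e['time']}: {e['user']} from {e['ip']} after failures")
```

On the sample data this flags the root login from 203.0.113.5 on Apr 3, which followed three failed attempts from the same address; the sudo line and the March and May entries are ignored.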

Useful links for standup and ingestion are: