CTF Scenario

In this scenario, you have been tapped as an expert to help an organization investigate a potential breach. The threat hunting team lead has a hypothesis that the attackers were able to obtain access through the SSH daemon in April. Your task is to test that hypothesis and provide a report of activity during that period.

In this directory is auth.log data. You first need to stand up a Gravwell instance and ingest the data (via the GUI is easiest). Then, please answer the questions below using Gravwell search.

Useful links for standup and ingestion:

https://www.gravwell.io/community-edition - Get a Community Edition license
https://docs.gravwell.io/quickstart/quickstart.html
https://hub.docker.com/r/gravwell/gravwell/
https://github.com/gravwell/gravwell/tree/master/ingesters

Search questions

If you have never used a tool like Gravwell before, this page (particularly the video) can help: https://docs.gravwell.io/gravwell.html

The following questions serve as a bit of a "roadmap" to this hunt:

1. How many entries are there for this time period?
2. How many failed entries are there for this time period?
3. Provide a time series bar chart of users who have successfully logged in during this time period and the query used to generate it.
4. Provide a geographical map of all login attempts (successful or not) during this time period and the query used to generate it. (Our network enrichment kit will help.)
5. How many successful logins occurred during this period?
6. Provide a stackgraph chart of the count of successful authorizations by accounts and their login methods.

Extrapolations:

Do you confirm or reject the threat hunting hypothesis? If confirm, please explain your thoughts and provide evidence of compromise. If reject, please explain your thoughts and provide any evidence or searches backing that conclusion.
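As an added example (not part of the CTF materials, and not Gravwell query syntax), the following Python script parses sshd entries out of auth.log-style syslog lines and computes the same figures the roadmap asks for: total entries in the month, failed and accepted sshd authentications, successful logins per day and user (the data behind the time series chart), successful logins by account and method (the data behind the stackgraph), and attempts per source address (the data you would enrich for the map). It also applies one defender heuristic relevant to the hypothesis: flagging any source address that produced failed attempts and was later accepted. The sample lines, hostnames, users and addresses are constructed for the example; run the real data through it as an independent cross-check of your Gravwell results, not as a replacement for them.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not from the CTF data set). Hosts, users and
# addresses are made up; 203.0.113.0/24 is a documentation-only range.
SAMPLE_AUTH_LOG = """\
Mar 31 23:58:10 web01 sshd[1990]: Accepted publickey for deploy from 10.0.0.5 port 50990 ssh2: ED25519 SHA256:AAAA
Apr  3 08:12:01 web01 sshd[2012]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2: ED25519 SHA256:AAAA
Apr  3 08:15:44 web01 sshd[2044]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Apr  3 08:15:47 web01 sshd[2044]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Apr  3 08:16:02 web01 sshd[2050]: Failed password for root from 203.0.113.7 port 40130 ssh2
Apr  3 08:16:09 web01 sshd[2050]: Accepted password for root from 203.0.113.7 port 40130 ssh2
Apr  4 09:00:00 web01 sshd[3001]: Accepted publickey for alice from 10.0.0.9 port 50000 ssh2: RSA SHA256:BBBB
Apr  4 09:00:01 web01 CRON[3002]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Classic BSD syslog prefix: "Mon  D HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# sshd outcome lines; "invalid user" appears only for unknown account names.
SSHD_AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Parse one syslog line; attach sshd auth fields when present, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["prog"] = rec["prog"].strip()
    auth = SSHD_AUTH_RE.match(rec["msg"]) if rec["prog"] == "sshd" else None
    rec["auth"] = auth.groupdict() if auth else None
    return rec


def hunt_summary(text, month="Apr"):
    """Answer the roadmap counts for one month of auth.log text."""
    entries = [r for r in (parse_line(l) for l in text.splitlines())
               if r and r["mon"] == month]
    auth_events = [r for r in entries if r["auth"]]
    failed = [r for r in auth_events if r["auth"]["result"] == "Failed"]
    success = [r for r in auth_events if r["auth"]["result"] == "Accepted"]

    # Time series input: successful logins bucketed by day and user.
    success_by_day_user = Counter(
        (f"{r['mon']} {int(r['day']):02d}", r["auth"]["user"]) for r in success)
    # Stackgraph input: successful logins by account and login method.
    success_by_user_method = Counter(
        (r["auth"]["user"], r["auth"]["method"]) for r in success)
    # Map input: every attempt (accepted or failed) per source address.
    attempts_by_source = Counter(r["auth"]["src"] for r in auth_events)

    # Heuristic for the hypothesis: a source that failed and was later accepted.
    # This is an indicator worth investigating, not proof of compromise.
    failed_sources = {r["auth"]["src"] for r in failed}
    suspicious_sources = sorted(
        {r["auth"]["src"] for r in success if r["auth"]["src"] in failed_sources})

    return {
        "total_entries": len(entries),
        "failed_auth": len(failed),
        "successful_auth": len(success),
        "success_by_day_user": success_by_day_user,
        "success_by_user_method": success_by_user_method,
        "attempts_by_source": attempts_by_source,
        "suspicious_sources": suspicious_sources,
    }


if __name__ == "__main__":
    summary = hunt_summary(SAMPLE_AUTH_LOG)
    for key, value in summary.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Note that "failed entries" here means failed sshd authentication events; if your interpretation in Gravwell counts all non-sshd failures too (PAM, sudo), the two numbers will differ and the report should say which definition it used. The month filter relies on the syslog month abbreviation only, so a log spanning more than one year would need the year added from file metadata.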