THM - Investigating with Splunk
A writeup for “Investigating with Splunk” on TryHackMe
Investigate anomalies using Splunk.
The room involves log analysis with Splunk in relation to a potential backdoor created by an attacker.
How many events were collected and ingested in the index main?
All you need to do is connect to the machine and load all the logs for the main index.
Remember to set the time period to ‘All time’.
On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username?
We can find the answer by filtering the logs based on the EventID field.
Windows Security Event ID 4720 is logged when a user account is created.
Be careful of the lookalike character in the username: it contains a 1 (one) where you would expect an l (lowercase L).
index="main" EventID=4720
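As an added example that is not part of the original writeup, the same check expressed outside Splunk: filter events for EventID 4720 and flag new usernames that mimic an existing account through a digit-for-letter swap. The events, host names and account list are constructed for illustration, not taken from the room.

```python
"""Detect backdoor accounts whose names mimic legitimate ones (added example)."""

# Constructed sample of field-extracted Windows Security events (not room data).
SAMPLE_EVENTS = [
    {"host": "ws01", "EventID": 4624, "TargetUserName": "alice"},
    {"host": "ws01", "EventID": 4720, "TargetUserName": "svc_backup"},
    {"host": "ws02", "EventID": 4720, "TargetUserName": "a1ice"},
    {"host": "ws02", "EventID": 4726, "TargetUserName": "tempuser"},
]

# Constructed baseline of accounts that are expected to exist.
KNOWN_ACCOUNTS = {"alice", "bob", "svc_backup"}

# Digits commonly substituted for visually similar letters.
HOMOGLYPHS = {"1": "l", "0": "o", "5": "s", "3": "e"}


def normalize(name: str) -> str:
    """Map lookalike digits back to letters so 'a1ice' compares equal to 'alice'."""
    return "".join(HOMOGLYPHS.get(c, c) for c in name.lower())


def created_users(events):
    """Equivalent of the SPL search  index="main" EventID=4720  (account created)."""
    return [e for e in events if e.get("EventID") == 4720]


def lookalike_of(name, known):
    """Return the known account this name mimics, or None if it is not a lookalike."""
    if name.lower() in known:
        return None
    norm = normalize(name)
    for account in known:
        if norm == normalize(account):
            return account
    return None


def suspicious_new_users(events, known=KNOWN_ACCOUNTS):
    """(host, new username, mimicked account) for every lookalike created account."""
    findings = []
    for event in created_users(events):
        new_user = event["TargetUserName"]
        mimicked = lookalike_of(new_user, known)
        if mimicked:
            findings.append((event["host"], new_user, mimicked))
    return findings


if __name__ == "__main__":
    for host, user, target in suspicious_new_users(SAMPLE_EVENTS):
        print(f"{host}: new account '{user}' looks like existing account '{target}'")
```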