updated splunk

misc/threat_intelligence/splunk.md

@@ -1,6 +1,5 @@
 # Splunk
 
-
 ## Splunk Bar
     * Messages
     * Settings
@@ -8,7 +7,15 @@
     * Help
     * Find 
 
+## Architectural Components 
+    * __Forwarder__, as an agent
+    * __Indexer__, receives data from forwarder, normalizes it
+    * __Search Head__, look into indices 
+
 ## Search & Reporting
+
+The bread and butter of Splunk. Events can be found and searched here.
+
 * Tip: If you want to land into the Search app upon login automatically, you can do so by editing the user-prefs.conf file. 
 ```sh
 C:\Program Files\Splunk\etc\apps\user-prefs\default\user-prefs.conf
@@ -29,12 +36,15 @@ C:\Program Files\Splunk\etc\apps\user-prefs\default\user-prefs.conf
     * Visualization
  
 ## Adding Data
+
+Multiple different log sources can be added as events.
 * [Adding Data Docs](https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/Getstartedwithgettingdatain#Use_apps_to_get_data_in)
 
 * `Settings > Data > Data Inputs` contains further sources
 * Add data after that via `Add Data`
 
 ## Queries
+
 * [Metadata](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Metadata)
 * [Metalore](https://www.splunk.com/blog/2017/07/31/metadata-metalore.html)
 ```sh
@@ -48,16 +58,20 @@ C:\Program Files\Splunk\etc\apps\user-prefs\default\user-prefs.conf
     ```
 
 ## Sigma 
+
 * [Sigma Repo](https://github.com/Neo23x0/sigma)
 * [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches)
 * [Conversion](https://uncoder.io/)
     * E.g. : `sigma: APT29` as input
 
 ## Dashboard
+
+Create visualizations and group them.
 ```sh 
 source="<source>" | top limit=5 EventID
 ```
 * Visualization > choose Chart > "Save As" (top right) > DashboardName 
 
 ## Alerting
+
 * [Workflow](https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Alert/AlertWorkflowOverview)