From c5770dee83695271736451ee34f81e6e3f9778a2 Mon Sep 17 00:00:00 2001 From: whx Date: Fri, 4 Nov 2022 19:45:49 +0100 Subject: [PATCH] updated splunk --- misc/threat_intelligence/splunk.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/misc/threat_intelligence/splunk.md b/misc/threat_intelligence/splunk.md index 61e3887..2a7c06b 100644 --- a/misc/threat_intelligence/splunk.md +++ b/misc/threat_intelligence/splunk.md @@ -1,6 +1,5 @@ # Splunk - ## Splunk Bar * Messages * Settings @@ -8,7 +7,15 @@ * Help * Find +## Architectural Components + * __Forwarder__, as an agent + * __Indexer__, receives data from forwarder, normalizes it + * __Search Head__, look into indices + ## Search & Reporting + +The bread and butter of Splunk. Events can be found and searched here. + * Tip: If you want to land into the Search app upon login automatically, you can do so by editing the user-prefs.conf file. ```sh C:\Program Files\Splunk\etc\apps\user-prefs\default\user-prefs.conf @@ -29,12 +36,15 @@ C:\Program Files\Splunk\etc\apps\user-prefs\default\user-prefs.conf * Visualization ## Adding Data + +Multiple different log sources can be added as events. * [Adding Data Docs](https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/Getstartedwithgettingdatain#Use_apps_to_get_data_in) * `Settings > Data > Data Inputs` contains further sources * Add data after that via `Add Data` ## Queries + * [Metadata](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Metadata) * [Metalore](https://www.splunk.com/blog/2017/07/31/metadata-metalore.html) ```sh 
@@ -48,16 +58,20 @@ C:\Program Files\Splunk\etc\apps\user-prefs\default\user-prefs.conf ``` ## Sigma + * [Sigma Repo](https://github.com/Neo23x0/sigma) * [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) * [Conversion](https://uncoder.io/) * E.g. : `sigma: APT29` as input ## Dashboard + +Create visualizations and group them. ```sh source="" | top limit=5 EventID ``` * Visualization > choose Chart > "Save As" (top right) > DashboardName ## Alerting + * [Workflow](https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Alert/AlertWorkflowOverview)
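Review bot: In the first hunk (`@@ -1,6 +1,5 @@`), deleting the blank line between `# Splunk` and `## Splunk Bar` contradicts the rest of this patch, which adds a blank line after `## Search & Reporting`, `## Adding Data`, `## Queries`, `## Sigma`, `## Dashboard` and `## Alerting`; keep that blank line so heading spacing is consistent across the file.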
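Review bot: In the second hunk (`@@ -8,7 +7,15 @@`), the three `## Architectural Components` bullets are not parallel and two of them are imprecise: "normalizes it" undersells the indexer (it parses, indexes and stores the events it receives), and "look into indices" is not a sentence. Suggest `* __Forwarder__, agent that collects data and sends it on`, `* __Indexer__, parses, indexes and stores the events it receives`, `* __Search Head__, runs searches across the indexes`. Also note the added bullets carry a one-space indent (`+ * __Forwarder__`) that the existing `* Messages` / `* Settings` list does not use; drop the leading space.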
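Review bot: In the third hunk (`@@ -29,12 +36,15 @@`), "Multiple different log sources can be added as events." is redundant ("multiple different") and slightly off: sources are ingested and the data is indexed as events. Suggest "Data from many different sources can be ingested here; Splunk indexes it as events." The new sentence also sits directly against the `* [Adding Data Docs]` bullet with no blank line, while a blank line was added after the heading; add one before the list for consistency.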
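Review bot: In the fourth hunk (`@@ -48,16 +58,20 @@`), "Create visualizations and group them." is too vague to explain what a dashboard is; suggest "A dashboard groups saved panels (charts or tables built from searches) on one page." The sentence is also placed immediately before the existing ```` ```sh ```` fence with no blank line. While touching this block, consider that `sh` is a misleading fence language for the SPL search `source="" | top limit=5 EventID` and that the empty `source=""` would be clearer as a placeholder such as `source="<your_source>"`.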