whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

updated splunk

This commit is contained in:
Stefan Friese 2022-11-04 19:45:49 +01:00
parent ce0d513354
commit c5770dee83
1 changed files with 15 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
misc/threat_intelligence/splunk.md
View File

@ -1,6 +1,5 @@
# Splunk # Splunk
## Splunk Bar ## Splunk Bar
* Messages * Messages
* Settings * Settings
@ -8,7 +7,15 @@
* Help * Help
* Find * Find
## Architectural Components
* __Forwarder__, as an agent
* __Indexer__, receives data from forwarder, normalizes it
* __Search Head__, look into indices
## Search & Reporting ## Search & Reporting
The bread and butter of Splunk. Events can be found and searched here.
* Tip: If you want to land into the Search app upon login automatically, you can do so by editing the user-prefs.conf file. * Tip: If you want to land into the Search app upon login automatically, you can do so by editing the user-prefs.conf file.
```sh ```sh
C:\Program Files\Splunk\etc\apps\user-prefs\default\user-prefs.conf C:\Program Files\Splunk\etc\apps\user-prefs\default\user-prefs.conf
@ -29,12 +36,15 @@ C:\Program Files\Splunk\etc\apps\user-prefs\default\user-prefs.conf
* Visualization * Visualization
## Adding Data ## Adding Data
Multiple different log sources can be added as events.
* [Adding Data Docs](https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/Getstartedwithgettingdatain#Use_apps_to_get_data_in) * [Adding Data Docs](https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/Getstartedwithgettingdatain#Use_apps_to_get_data_in)
* `Settings > Data > Data Inputs` contains further sources * `Settings > Data > Data Inputs` contains further sources
* Add data after that via `Add Data` * Add data after that via `Add Data`
## Queries ## Queries
* [Metadata](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Metadata) * [Metadata](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Metadata)
* [Metalore](https://www.splunk.com/blog/2017/07/31/metadata-metalore.html) * [Metalore](https://www.splunk.com/blog/2017/07/31/metadata-metalore.html)
```sh ```sh
@ -48,16 +58,20 @@ C:\Program Files\Splunk\etc\apps\user-prefs\default\user-prefs.conf
``` ```
## Sigma ## Sigma
* [Sigma Repo](https://github.com/Neo23x0/sigma) * [Sigma Repo](https://github.com/Neo23x0/sigma)
* [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) * [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches)
* [Conversion](https://uncoder.io/) * [Conversion](https://uncoder.io/)
* E.g. : `sigma: APT29` as input * E.g. : `sigma: APT29` as input
## Dashboard ## Dashboard
Create visualizations and group them.
```sh ```sh
source="<source>" | top limit=5 EventID source="<source>" | top limit=5 EventID
``` ```
* Visualization > choose Chart > "Save As" (top right) > DashboardName * Visualization > choose Chart > "Save As" (top right) > DashboardName
## Alerting ## Alerting
* [Workflow](https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Alert/AlertWorkflowOverview) * [Workflow](https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Alert/AlertWorkflowOverview)