
MHaggis / sysmon-splunk-app

License: MIT
Sysmon Splunk App


Sysmon Splunk app

This is a combined Splunk App effort between @jarrettp and @m_haggis.

Joint Contributor Credits

  • Gibin John (beahunt3r)
  • Vineet Bhatia (threathunting)

What is in the App:

Dashboards:
  • Sysmon Overview - Basic overview and usage statistics for Sysmon events.
  • Investigator - Search events for specific hosts and users.
  • Network Overview
  • File Creation Overview
  • Process Overview
  • Suspicious Indicators - Collection of some known IOCs.
  • Registry Overview
  • Network Connections
  • Process Finder - Surfaces rare process hashes by their percentage of all observed executions.
  • Process Timeline - Uses LogonGuid to map a timeline of processes per logon session; click an entry to drill down.
Reports:
  • Over 40 reports
Alerts:
  • 19 pre-built alerts

Setup

Deploy Sysmon-TA

Download and deploy this app to your Splunk Search Head.

All saved searches, dashboards and alerts go through a single search macro. Edit that macro for your environment so the proper Sysmon sourcetype and index are searched; otherwise every panel and alert returns nothing.

Macros: Settings --> Advanced Search --> Search Macros. Edit the macro definition to match your environment.

Default - sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

That's it.
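The macro edit above can also be done from a script, which is handy when the same app is pushed to several search heads. The following PowerShell is an added example and is not part of the sysmon-splunk-app project: it sets the macro definition through Splunk's REST API (the configs/conf-macros endpoint), then runs a oneshot search through the macro to confirm Sysmon events are actually returned. The host name, app directory name, macro name and index are assumptions; look up the real macro name under Settings --> Advanced Search --> Search Macros.

```powershell
# Added example (not project code): point the app's search macro at the right
# index/sourcetype via the Splunk REST API, then prove it returns Sysmon data.
# Assumptions (hypothetical, adjust to your deployment):
#   - Splunk management port 8089 on $SplunkHost and a user allowed to edit macros
#   - the app's directory name is $App and the macro is named $Macro
#   - Sysmon events live in index $Index with the default sourcetype
param(
    [string]$SplunkHost = 'https://splunk-sh.example.local:8089',
    [string]$App        = 'sysmon-splunk-app',
    [string]$Macro      = 'sysmon',
    [string]$Index      = 'windows',
    [string]$Sourcetype = 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational',
    [pscredential]$Credential = (Get-Credential -Message 'Splunk user with edit_macros capability')
)
# On PowerShell 7+ add -SkipCertificateCheck to the Invoke-RestMethod calls if
# the search head still uses Splunk's self-signed management certificate.

# 1. Log in; /services/auth/login answers with XML containing <sessionKey>.
$login = Invoke-RestMethod -Method Post -Uri "$SplunkHost/services/auth/login" -Body @{
    username = $Credential.UserName
    password = $Credential.GetNetworkCredential().Password
}
$headers = @{ Authorization = "Splunk $($login.response.sessionKey)" }

# 2. Rewrite the macro definition. Quoting the sourcetype keeps ':' and '/'
#    from being read as search syntax; naming the index avoids scanning every
#    index the search head can see. Writing under nobody/$App lands the change
#    in the app's local/macros.conf so upgrades of default/ do not clobber it.
$definition = "index=$Index sourcetype=`"$Sourcetype`""
Invoke-RestMethod -Method Post -Headers $headers `
    -Uri "$SplunkHost/servicesNS/nobody/$App/configs/conf-macros/$Macro" `
    -Body @{ definition = $definition } | Out-Null

# 3. Verify the macro resolves to real data: count events by EventCode over the
#    last hour (EventCode 1 = process create, 3 = network connection, ...).
#    Single quotes keep the backticks of the macro call literal.
$spl = 'search `{0}` earliest=-1h | stats count by EventCode' -f $Macro
$result = Invoke-RestMethod -Method Post -Headers $headers `
    -Uri "$SplunkHost/services/search/jobs" `
    -Body @{ search = $spl; exec_mode = 'oneshot'; output_mode = 'json' }

if (-not $result.results) {
    Write-Warning "Macro '$Macro' returned no events in the last hour; check the index/sourcetype and that the Sysmon TA is forwarding."
} else {
    $result.results | Format-Table EventCode, count -AutoSize
}
```

If step 3 prints only EventCode 1 and 3, the Sysmon config on the endpoints is probably not enabling the other event types (file create, registry, image load) that several dashboards depend on, which is a config problem on the endpoint side rather than in Splunk.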

Install Sysmon

Install

Run with administrator rights

sysmon.exe -accepteula -i sysmonconfig-export.xml

Update existing configuration

Run with administrator rights

sysmon.exe -c sysmonconfig-export.xml

Upon installation, Sysmon will begin logging events to the operational event log "C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx" (shown in Event Viewer as Microsoft-Windows-Sysmon/Operational).
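The install and update steps above, plus the checks an operator wants before pointing the Splunk TA at the log, as one PowerShell script. This is an added example, not the project's own code. It assumes sysmon64.exe and the config file sit in a directory of your choosing (the path below is hypothetical) and that it is run from an elevated session.

```powershell
# Added example (not project code): install or update Sysmon with the exported
# config, then verify the driver is loaded and events are reaching the
# Microsoft-Windows-Sysmon/Operational log that the Splunk TA reads.
# Assumptions: sysmon64.exe and sysmonconfig-export.xml are in $SysmonDir
# (hypothetical path); run from an elevated PowerShell session.
param(
    [string]$SysmonDir  = 'C:\Tools\Sysmon',
    [string]$ConfigFile = 'sysmonconfig-export.xml'
)
$exe    = Join-Path $SysmonDir 'sysmon64.exe'
$config = Join-Path $SysmonDir $ConfigFile

# Sysmon cannot install or reconfigure without admin rights, so fail early.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal] $identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin)              { throw 'Run this from an elevated PowerShell session.' }
if (-not (Test-Path $exe))      { throw "Sysmon binary not found: $exe" }
if (-not (Test-Path $config))   { throw "Config not found: $config" }

# The service is named Sysmon64 when installed from sysmon64.exe and Sysmon
# when installed from sysmon.exe; either one means "already installed".
$svc = Get-Service -Name 'Sysmon64', 'Sysmon' -ErrorAction SilentlyContinue | Select-Object -First 1
if ($null -eq $svc) {
    Write-Host 'Sysmon not installed; installing with the exported config.'
    & $exe -accepteula -i $config          # install + apply config
} else {
    Write-Host "Sysmon service '$($svc.Name)' present; applying updated config."
    & $exe -c $config                      # update config in place, no reinstall
}
if ($LASTEXITCODE -ne 0) { throw "sysmon exited with code $LASTEXITCODE" }

# Without the SysmonDrv filter driver no events are generated at all.
if (-not (Get-Service -Name 'SysmonDrv' -ErrorAction SilentlyContinue)) {
    throw 'SysmonDrv service missing; the driver did not install.'
}

# Confirm the operational log exists and where its .evtx lives
# (winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx by default).
$logName = 'Microsoft-Windows-Sysmon/Operational'
$log = Get-WinEvent -ListLog $logName -ErrorAction Stop
Write-Host ("Log '{0}': {1} records, file {2}" -f $log.LogName, $log.RecordCount, $log.LogFilePath)

# Sysmon writes Event ID 16 ("Sysmon config state changed") whenever a config is
# applied, so a fresh ID 16 proves the install/update above took effect.
$cfgEvent = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 16 } `
                -MaxEvents 1 -ErrorAction SilentlyContinue
if ($cfgEvent) {
    Write-Host ("Last config change recorded at {0}" -f $cfgEvent.TimeCreated)
} else {
    Write-Warning 'No config-change event (ID 16) found; check the sysmon output above.'
}

# Show the newest events so the operator can see that process-create (ID 1)
# and friends are flowing before the Splunk forwarder is pointed at the log.
Get-WinEvent -LogName $logName -MaxEvents 5 | Select-Object TimeCreated, Id, ProviderName
```

Running the script a second time takes the update branch, which is what you want when rolling out a revised sysmonconfig-export.xml through a deployment tool; the ID 16 check is the cheapest way to confirm every host actually picked up the new config rather than silently keeping the old one.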

Sysmon configuration

Sysmon resources and example configuration files may be found here
