
sysmon-splunk-app's Introduction

Sysmon Splunk app

This is a combined Splunk app effort between @jarrettp and @m_haggis.

Joint Contributor Credits

  • Gibin John (beahunt3r)
  • Vineet Bhatia (threathunting)

What is in the App:

Dashboards:
  • Sysmon Overview - Shows basic overview and usage for Sysmon events.
  • Investigator - Allows searching of events for specific hosts, users.
  • Network Overview
  • File Creation Overview
  • Process Overview
  • Suspicious Indicators - Collection of some known IOCs
  • Registry Overview
  • Network Connections
  • Process Finder - Helps find unique hash values based on percentage
  • Process Timeline - Uses LogonGuid to map timeline of processes. Allows clicking for drilldown.
Reports:
  • Over 40+ reports
Alerts:
  • 19 Pre-built alerts

Setup

Deploy Sysmon-TA

Download and deploy this app to your Splunk Search Head.

A macro is used by all saved searches. You will need to modify it for your environment so that the correct Sysmon sourcetype/index is searched.

Macros: Settings --> Advanced Search --> Search Macros. Edit the macro for your environment.

Default - sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

That's it.

Install Sysmon

Install

Run with administrator rights

sysmon.exe -accepteula -i sysmonconfig-export.xml

Update existing configuration

Run with administrator rights

sysmon.exe -c sysmonconfig-export.xml

Upon installation, Sysmon will begin logging events to the operational event log “C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx”.

Sysmon configuration

Sysmon resources and example configuration files may be found here.

sysmon-splunk-app's People

Contributors: kidcrash22, mhaggis


sysmon-splunk-app's Issues

Cloud vetting

Michael,

With the increasing push to get apps in the Cloud, is there a possibility you could get this vetted for use in the Cloud?

Thanks in advance for your time and effort.

Best Regards,
Johann

Sysmon v7.01 and Schema 4.00

I've been trying to run this config on Splunk 7.0.2 with Sysmon 7.01 and a cfg on Schema 4.00, and it appears that the parsing isn't working in the app anymore. Are there any plans to update this, as it worked great with 6.02?

Use Computer or ComputerName

The Dashboard Splunk App, Sysmon App for Splunk (sysmon-splunk-app 2.0.0, App 3544), on the Status dashboard runs the query
sysmon | stats count by Computer | sort - count
while the TA, TA-microsoft-sysmon 8.0.0 (app 1914), returns the field ComputerName.
(So the dashboard does not return anything in the search.)

Could the Splunk search be changed?
Many thanks.
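A search that checks the macro from the Setup section and tolerates the field mismatch reported in this issue, as an added example rather than the app's own dashboard query. It assumes the macro is named `sysmon` as in the query above, that the TA emits ComputerName where the dashboard expects Computer, and that the Sysmon event ID is extracted as EventCode.

```spl
`sysmon` earliest=-24h
| eval Computer=coalesce(Computer, ComputerName)
| stats count AS events, dc(EventCode) AS distinct_event_ids, min(_time) AS first_seen, max(_time) AS last_seen BY index, sourcetype, Computer
| convert ctime(first_seen) ctime(last_seen)
| sort - events
```

Zero rows means the macro's sourcetype/index does not match where the events landed (for example, the forwarded-events sourcetype described in the next issue); rows with an empty Computer column mean neither host field is extracted and the TA's field extractions need checking.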

Sysmon for Splunk App not displaying any data from Windows Event Collector forwarded logs.

Sysmon for Splunk App not displaying any data from Windows Event Collector (we are using Windows Event Collector as a single forwarder). How might I troubleshoot and reconfigure if necessary in my deployed environment?

Sysmon data is in Splunk.
sourcetype = WinEventLog:ForwardedEvents

I can see logs in Splunk when I search under the data feed host (in my environment it is called): WinEvtCollector

I tried to adjust the macro using the above sourcetype but that did not work. I think I'm missing some fundamental piece of info here.

Maybe because I'm collecting my logs from a single Windows Event Forwarder and not the individual boxes themselves (maybe)?

It looks like the app is based on the idea that a person would be sending their logs from the windows box straight into the Splunk instance and not through a Windows Event Collector.

Can you provide me any help in understanding this so that I can utilize your app? It looks amazing.

Critical Process Report

The Critical Process Report appears to be expecting the executable names to be preceded by *\, but they are expanded simply as the exe name (i.e. cmd.exe). So, the report returns nothing as written.

App won't show data

Hi, I see that there is received data in the index sysmon, but this app doesn't recognize it. When I try to show the last 24h for, for example, processes, it cannot find anything (event count 0)?

Is this app still being maintained?

Hi. Just wondering if this app is still being maintained? I see that since the latest update Splunk have made some changes in the default sourcetype for Sysmon events, and also made some other changes that need to be addressed.

I wanted to make some other performance updates to the app as well, and some visual changes, etc. If this app is not being maintained anymore, with your permission, could I make a new sysmon app, inspired by your sysmon app, and upload it to Splunkbase, of course giving credit to you guys? :)

Newbie question :)

Hi, I'm stuck on the first step, "Make sure the threathunting index is present on your indexers".
How do I give the app rights to see other indexes?

Thanks.
