Splunk App

It’s simple. I know. It will get you to where you need to be though, I promise. The magic of this app is not the dashboard pictured above; the gold is in the saved searches, and those are what I want to point you to.

Naming Scheme

I have tried to name each saved search for what it does, and I hope the names make sense. I will keep updating this app with new saved searches.

Powershell — All PoSh by computer

Powershell — EncodedCommand

Powershell — EventDescription

schtasks — run

schtasks — delete

schtasks — create

schtasks — change

schtasks — all

If you plan to contribute, I hope this naming scheme makes sense; if not, let’s discuss and make it better.

Saved Searches

Threat hunting is many things, but I believe this app, paired with Sysmon, will start you in the right direction for hunting and finding bad things quickly. Out of the box, I have created reports for many of the techniques that are top of mind across the industry, including:

Installutil.exe

msbuild.exe

powershell.exe encoded

rundll32.exe

Critical Process Check

In total, out of the box you get 47 searches that will help you get started with Sysmon and threat hunting. How about that for sharing!?
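To show what a few of these searches actually key on, here is an added example (my own illustration, not code shipped with the app or its saved searches) that tags constructed Sysmon EventCode=1 lines with the saved search that would match them and decodes the base64 behind an -EncodedCommand. The key="value" event layout, the field names and the sample events are assumptions made for the example.

```python
import base64
import re
from typing import Optional

# Abbreviations powershell.exe accepts for -EncodedCommand (-e, -enc, -encoded, ...)
# plus the common -ec; compared case-insensitively against each command-line token.
ENC_FLAGS = {"encodedcommand"[:n] for n in range(1, 15)} | {"ec"}
SCHTASKS_VERBS = {"create", "delete", "run", "change"}
LOLBINS = {"installutil.exe", "msbuild.exe", "rundll32.exe"}
# Pulls the quoted Image / CommandLine fields out of one event line; this field
# layout is an assumption for the example, not the app's own field extraction.
FIELD_RE = re.compile(r'\b(Image|CommandLine)="([^"]*)"')

def classify(line: str) -> Optional[str]:
    """Map one Sysmon EventCode=1 line to the saved search that would catch it."""
    fields = dict(FIELD_RE.findall(line))
    image = fields.get("Image", "").rsplit("\\", 1)[-1].lower()
    flags = [t.lstrip("-/").lower() for t in fields.get("CommandLine", "").split()]
    if image == "powershell.exe" and any(f in ENC_FLAGS for f in flags):
        return "Powershell - EncodedCommand"
    if image == "schtasks.exe":
        verb = next((f for f in flags if f in SCHTASKS_VERBS), None)
        return f"schtasks - {verb}" if verb else "schtasks - all"
    if image in LOLBINS:
        return image  # the Installutil.exe / msbuild.exe / rundll32.exe searches
    return None

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE text)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lstrip("-/").lower() in ENC_FLAGS:
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

# Constructed sample events (not real telemetry); the encoded payload is built here.
B64 = base64.b64encode("Write-Output 'hello'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    r'EventCode=1 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    f'CommandLine="powershell.exe -NoP -W Hidden -enc {B64}"',
    r'EventCode=1 Image="C:\Windows\System32\schtasks.exe" '
    r'CommandLine="schtasks.exe /create /tn Updater /tr C:\Temp\u.exe /sc minute"',
    r'EventCode=1 Image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" '
    r'CommandLine="MSBuild.exe build.xml"',
    r'EventCode=1 Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe"',
]
```

Running `classify` over `SAMPLE_EVENTS` tags the first three with the matching search names and leaves the notepad event untagged; the same token matching is what an SPL search on the CommandLine field would express with a regex.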

Many of these came from Tom Ueltschi’s talk at Botconf and from my previous experience using Carbon Black with Splunk.

Additional items may be reviewed here:

Help!

Hit me up on Twitter or in the comments here.

Thank you

The following people have indirectly contributed to this app, through their work on either Sysmon or Splunk. Thank you for sharing.

InfoSec Taylor Swift

Tom Ueltschi — @c_APT_ure

Future for the App