# Using Splunk Applications

## Splunk Applications

Splunk applications, or apps, are packages that we add to our Splunk Enterprise or Splunk Cloud deployments to extend capabilities and manage specific types of operational data. Each application is tailored to handle data from specific technologies or use cases, effectively acting as a pre-built knowledge package for that data. Apps can provide capabilities ranging from custom data inputs, custom visualizations, dashboards, alerts, reports, and more.

In this segment, we'll be leveraging the `Sysmon App for Splunk` developed by Mike Haag.

To download, add, and use this application, follow the steps delineated below:

1. Sign up for a free account at [splunkbase](https://splunkbase.splunk.com/)

<figure><img src="/files/b4CWlIqhwOi945lRjn48" alt=""><figcaption></figcaption></figure>

2. Once registered, log into your account
3. Head over to the [Sysmon App for Splunk](https://splunkbase.splunk.com/app/3544) page to download the application.

<figure><img src="/files/YCzWNPfRFeRfTQkmKOrZ" alt=""><figcaption></figcaption></figure>

4. Add the application as follows to your search head.

<figure><img src="/files/aIX9PUPwevfffpqLs9bF" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/XlcZtl9Dk8519muEvZAH" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Ko7n8jmOnvS52oSM6qKP" alt=""><figcaption></figcaption></figure>

5. Adjust the application's [macro](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Definesearchmacros) so that events are loaded as follows.

<figure><img src="/files/XwX4UjtYzz73a5HYIG8g" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Fh99gzKaWgnsa6V0Ndq0" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/VBj7kJn1kE0Fpc2C4f04" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/0QWkmFkRcP6la8TqVdt9" alt=""><figcaption></figcaption></figure>

Let's access the Sysmon App for Splunk by locating it in the "Apps" column on the Splunk home page and head over to the `File Activity` tab.

<figure><img src="/files/G7AhqVtmiT1FOPfI6pQg" alt=""><figcaption></figcaption></figure>

Let's now specify "All time" on the time picker and click "Submit". Results are generated successfully; however, no results are appearing in the "Top Systems" section.

<figure><img src="/files/7XWD0kZx57Ve7Kczt4zY" alt=""><figcaption></figcaption></figure>

We can fix that by clicking on "Edit" (upper right hand corner of the screen) and editing the search.

<figure><img src="/files/wQ68iRzYz9myr4eyPEiA" alt=""><figcaption></figcaption></figure>

The Sysmon Events with ID 11 do not contain a field named `Computer`, but they do include a field called `ComputerName`. Let's fix that and click "Apply"

<figure><img src="/files/JwD6rGD9SKlKNGpvyhk5" alt=""><figcaption></figcaption></figure>

Results should now be generated successfully in the "Top Systems" section.

<figure><img src="/files/HNHVNjlCWvbujpG80oFi" alt=""><figcaption></figcaption></figure>

## Practical Exercises

1\) Access the Sysmon App for Splunk and go to the "Reports" tab. Fix the search associated with the "Net - net view" report and provide the complete executed command as your answer. Answer format: net view /Domain:\_.local

<figure><img src="/files/7sbZcl5Q5A0qNWtYjQah" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/aZknWWDbKbcvVin39JMb" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/6KF4JJ3FpfAyyPPXxiT3" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/UBemZGhZSuEA6YkeSrmZ" alt=""><figcaption></figcaption></figure>

Answer:  net view /DOMAIN:uniwaldo.local

2\) Access the Sysmon App for Splunk, go to the "Network Activity" tab, and choose "Network Connections". Fix the search and provide the number of connections that SharpHound.exe has initiated as your answer.

<figure><img src="/files/twWRXzdtJM8naVpYzUYj" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/rAn4ACt6dviSw7N6DJJD" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/MjB4u0VK1vwglmpgqUNU" alt=""><figcaption></figcaption></figure>

```
sysmon EventCode=3 Image="*SharpHound.exe" | stats count
```

<figure><img src="/files/vQlYHqcQu1yFBoitrSeA" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/m4frdd1xZX2LrTO0K3qq" alt=""><figcaption></figcaption></figure>

Answer:  6


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://faresbltagy.gitbook.io/footprintinglabs/soc-hackthebox-notes-and-labs/understanding-log-sources-and-investigating-with-splunk-module/using-splunk-applications.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.