Using Splunk Applications

Splunk Applications

Splunk applications, or apps, are packages that we add to our Splunk Enterprise or Splunk Cloud deployments to extend capabilities and manage specific types of operational data. Each application is tailored to handle data from specific technologies or use cases, effectively acting as a pre-built knowledge package for that data. Apps can provide capabilities ranging from custom data inputs, custom visualizations, dashboards, alerts, reports, and more.

In this segment, we'll be leveraging the Sysmon App for Splunk developed by Mike Haag.

To download, add, and use this application, follow the steps delineated below:

  1. Sign up for a free account at splunkbase

  1. Once registered, log into your account

  2. Head over to the Sysmon App for Splunk page to download the application.

  1. Add the application as follows to your search head.

  1. Adjust the application's macro so that events are loaded as follows.

Let's access the Sysmon App for Splunk by locating it in the "Apps" column on the Splunk home page and head over to the File Activity tab.

Let's now specify "All time" on the time picker and click "Submit". Results are generated successfully; however, no results are appearing in the "Top Systems" section.

We can fix that by clicking on "Edit" (upper right hand corner of the screen) and editing the search.

The Sysmon Events with ID 11 do not contain a field named Computer, but they do include a field called ComputerName. Let's fix that and click "Apply"

Results should now be generated successfully in the "Top Systems" section.

Practical Exercises

1) Access the Sysmon App for Splunk and go to the "Reports" tab. Fix the search associated with the "Net - net view" report and provide the complete executed command as your answer. Answer format: net view /Domain:_.local

Answer: net view /DOMAIN:uniwaldo.local

2) Access the Sysmon App for Splunk, go to the "Network Activity" tab, and choose "Network Connections". Fix the search and provide the number of connections that SharpHound.exe has initiated as your answer.

sysmon EventCode=3 Image="*SharpHound.exe" | stats count

Answer: 6

PreviousIntroduction To Splunk & SPLNextIntrusion Detection With Splunk (Real-world Scenario)

Last updated