Splunk Applications
Splunk applications, or apps, are packages that we add to our Splunk Enterprise or Splunk Cloud deployments to extend capabilities and manage specific types of operational data. Each application is tailored to handle data from specific technologies or use cases, effectively acting as a pre-built knowledge package for that data. Apps can provide capabilities ranging from custom data inputs, custom visualizations, dashboards, alerts, reports, and more.
Splunk Apps enable the coexistence of multiple workspaces on a single Splunk instance, catering to different use cases and user roles. These ready-made apps can be found on Splunkbase.
To download, add, and use this application, follow the steps delineated below:
Sign up for a free account at Splunkbase.
Once registered, log into your account.
Head over to the Sysmon App for Splunk page to download the application.
OR
Go to https://github.com/MHaggis/sysmon-splunk-app?tab=readme-ov-file
Download the zip file.
Add the application to your search head as follows.
Manage Apps -> Install app from file -> select the zip file to upload
Adjust the application's macro so that events are loaded as follows. The macro must point at the index and sourcetype where your Sysmon events are actually stored; the values below assume the default main index.
Select Sysmon App for Splunk -> Settings -> Advanced search -> Search macros -> Add new
Name: sysmon
Definition: index="main" sourcetype="WinEventLog:Sysmon"
Then save.
Let's access the Sysmon App for Splunk by locating it in the "Apps" column on the Splunk home page and head over to the "File Activity" tab. Now specify "All time" on the time picker and click "Submit". Results are generated successfully; however, no results appear in the "Top Systems" section.
We can fix that by clicking "Edit" (upper right-hand corner of the screen) and editing the search. Sysmon events with ID 11 do not contain a field named "Computer", but they do include a field called "ComputerName". Let's fix that and click "Apply". Results should now be generated successfully in the "Top Systems" section.
Assessment:
Access the Sysmon App for Splunk and go to the "Reports" tab. Fix the search associated with the "Net - net view" report and provide the complete executed command as your answer. Answer format: net view /Domain:_.local
Steps:
Start a new search: * OriginalFileName="net.exe"
Under "Selected fields", choose ParentCommandLine and open all events within this field.
Select c:\windows\system32\cmd.exe /c net view /DOMAIN:uniwaldo.local. Full search query: * OriginalFileName="net.exe" ParentCommandLine="*" ParentCommandLine="c:\windows\system32\cmd.exe /c net view /DOMAIN:uniwaldo.local"
OR
* OriginalFileName="net.exe" CommandLine="net view /DOMAIN:uniwaldo.local"
Answer:
net view /DOMAIN:uniwaldo.local
Note: these are Sysmon event ID 1 (process creation) events.
Access the Sysmon App for Splunk, go to the "Network Activity" tab, and choose "Network Connections". Fix the search and provide the number of connections that SharpHound.exe has initiated as your answer.
Steps:
Set the search mode to Verbose and the time range to All time.
Modify the search query to become:
sourcetype="WinEventLog:Sysmon" EventCode=3 Image="*SharpHound.exe" | stats count
Answer: 6
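Added example (not code from the page or from the Sysmon App for Splunk): a small Python emulation of the two searches above, run over constructed Sysmon-style events. It shows why the "Top Systems" panel grouped on Computer comes back empty while ComputerName works, adds a pre-flight check for missing fields, and counts the EventCode=3 connections with the same Image wildcard. Host names, image paths and event counts are made up.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Constructed Sysmon-style events, shaped like Splunk's extracted fields (sample
# data, not from a real host). EventCode 11 = FileCreate, EventCode 3 =
# NetworkConnect. As in the app, the FileCreate events carry ComputerName
# rather than Computer.
EVENTS = [
    {"EventCode": 11, "ComputerName": "WS01.lab.local", "Image": "C:\\Windows\\explorer.exe"},
    {"EventCode": 11, "ComputerName": "WS01.lab.local", "Image": "C:\\Windows\\notepad.exe"},
    {"EventCode": 11, "ComputerName": "DC01.lab.local", "Image": "C:\\Windows\\System32\\svchost.exe"},
    {"EventCode": 3, "Computer": "WS01.lab.local", "Image": "C:\\Tools\\SharpHound.exe", "DestinationPort": "389"},
    {"EventCode": 3, "Computer": "WS01.lab.local", "Image": "C:\\Tools\\SharpHound.exe", "DestinationPort": "445"},
    {"EventCode": 3, "Computer": "WS01.lab.local", "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationPort": "443"},
]

def matches(event, **terms):
    """Emulate SPL field=value filter terms: values may contain * wildcards and,
    like Splunk's default field matching, compare case-insensitively."""
    for field, pattern in terms.items():
        value = event.get(field)
        if value is None or not fnmatchcase(str(value).lower(), str(pattern).lower()):
            return False
    return True

def search(events, **terms):
    """The base search: keep only events matching every term."""
    return [e for e in events if matches(e, **terms)]

def stats_count_by(events, field):
    """Emulate `| stats count by <field>`. Events lacking the field contribute
    nothing, which is why a panel grouped on the wrong field name is empty."""
    return dict(Counter(e[field] for e in events if field in e))

def missing_fields(events, *fields):
    """Pre-flight check for a dashboard search: which of the fields it groups
    on are absent from every event the base search returns?"""
    return [f for f in fields if not any(f in e for e in events)]

def top_systems(events, host_field="Computer"):
    """The FileCreate 'Top Systems' panel, parameterised on the host field."""
    return stats_count_by(search(events, EventCode=11), host_field)

def sharphound_connections(events):
    """EventCode=3 Image="*SharpHound.exe" | stats count"""
    return len(search(events, EventCode=3, Image="*SharpHound.exe"))
```

Running missing_fields on the base search before trusting a panel is the quick way to catch the Computer/ComputerName mismatch without opening the dashboard editor.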