App Splunk Sysmon Hunter

Splunk App to assist Sysmon Threat Hunting


Sysmon Hunter

Setup

Deploy the Sysmon-TA

Download and deploy this app to your Splunk Search Head.

A single macro is used by all of the app's saved searches; you will need to edit it for your environment so that the correct Sysmon sourcetype and index are searched.

Macros: Settings --> Advanced Search --> Search Macros. Edit the macro to match your environment.

Default - sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

That's it.

Install Sysmon

Install

Run with administrator rights

sysmon.exe -accepteula -i sysmonconfig-export.xml

Update existing configuration

Run with administrator rights

sysmon.exe -c sysmonconfig-export.xml

Upon installation, Sysmon will begin logging events to the operational event log "C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx".
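The install-or-update procedure above, as an added PowerShell example that is not part of the Sysmon Hunter project: it checks that the session is elevated, chooses -i or -c depending on whether a Sysmon service is already registered, and then confirms that the operational log has received events. The sysmon.exe and sysmonconfig-export.xml paths are assumed to be in the current directory.

```powershell
# Added example (not from the Sysmon Hunter project): install Sysmon if it is absent,
# otherwise push the updated configuration, then confirm events are being written.
# Assumed paths: sysmon.exe and sysmonconfig-export.xml in the current directory.
param(
    [string]$SysmonExe  = ".\sysmon.exe",
    [string]$ConfigPath = ".\sysmonconfig-export.xml"
)

# Both -i and -c need administrator rights; fail early if the session is not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated (administrator) PowerShell session."
}

foreach ($f in @($SysmonExe, $ConfigPath)) {
    if (-not (Test-Path $f)) { throw "Required file not found: $f" }
}

# The 32-bit binary registers a service named 'Sysmon'; the 64-bit build uses 'Sysmon64'.
$installed = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue |
    Select-Object -First 1

if ($null -eq $installed) {
    Write-Host "Sysmon not installed; installing with $ConfigPath"
    & $SysmonExe -accepteula -i $ConfigPath
} else {
    Write-Host "Sysmon service '$($installed.Name)' found; updating configuration"
    & $SysmonExe -c $ConfigPath
}
if ($LASTEXITCODE -ne 0) { throw "sysmon.exe exited with code $LASTEXITCODE" }

# Sysmon records its own service and configuration state changes (Event IDs 4 and 16)
# in Microsoft-Windows-Sysmon/Operational, so at least one event should already exist.
$latest = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 1 -ErrorAction Stop
Write-Host ("Latest Sysmon event: ID {0} at {1}" -f $latest.Id, $latest.TimeCreated)
```

If the final Get-WinEvent call throws, the service was installed but the log channel is not receiving events, which usually points at a configuration file that failed to load.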

Sysmon configuration

I recommend going with @SwiftOnSecurity's latest config, located here:

https://github.com/SwiftOnSecurity/sysmon-config

Additionally, other example Sysmon configs may be found here.

Contributing

PLEASE CONTRIBUTE AND SHARE!

Thank you

@SwiftOnSecurity @c_APT_ure

Open Source Agenda is not affiliated with "App Splunk Sysmon Hunter" Project. README Source: MHaggis/app_splunk_sysmon_hunter