Adding Olaf's Threat Hunting App. Fixes. Updates.

2018-12-11 00:52:46 -08:00
parent c31165e0cd
commit 8b9178685a
12 changed files with 190 additions and 101 deletions
--- a/Vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz
+++ b/Vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz
--- a/Vagrant/resources/splunk_server/lookup-file-editor_305.tgz
+++ b/Vagrant/resources/splunk_server/lookup-file-editor_305.tgz
--- a/Vagrant/resources/splunk_server/macros.conf
+++ b/Vagrant/resources/splunk_server/macros.conf
@@ -0,0 +1,71 @@
+[sysmon]
+definition = index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
+iseval = 0
+
+[windows-app]
+definition = index=wineventlog source="WinEventLog:Application"
+iseval = 0
+
+[powershell]
+definition = index=powershell OR (index=wineventlog source="WinEventLog:Windows PowerShell" OR source="WinEventLog:Microsoft-Windows-PowerShell/Operational")
+iseval = 0
+
+[windows-security]
+definition = index=wineventlog source="WinEventLog:Security"
+iseval = 0
+
+[pan_threat]
+definition = index=pan_logs sourcetype="pan:threat"
+iseval = 0
+
+[domain]
+definition = WINDOMAIN
+iseval = 0
+
+[windows]
+definition = index=wineventlog source="WinEventLog:System" OR source="WinEventLog:Security"
+iseval = 0
+
+[windows-system]
+definition = index=wineventlog source="WinEventLog:System"
+iseval = 0
+
+[no-domain]
+definition = "WINDOMAIN\\*"
+iseval = 0
+
+[process_create_whitelist]
+definition = search NOT [| inputlookup threathunting_process_create_whitelist.csv | fields mitre_technique_id host_fqdn user_name process_path process_parent_path process_command_line hash_sha256]
+iseval = 0
+
+[network_whitelist]
+definition = search NOT [| inputlookup threathunting_network_whitelist.csv | fields mitre_technique_id host_fqdn user_name dst_ip	dst_port src_ip process_path]
+iseval = 0
+
+[process_access_whitelist]
+definition = search NOT [| inputlookup threathunting_process_access_whitelist.csv | fields mitre_technique_id host_fqdn process_path target_process_path process_granted_access]
+iseval = 0
+
+[image_load_whitelist]
+definition = search NOT [| inputlookup threathunting_image_load_whitelist.csv | fields mitre_technique_id host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signatureStatus]
+iseval = 0
+
+[file_access_whitelist]
+definition = search NOT [| inputlookup threathunting_file_access_whitelist.csv | fields mitre_technique_id host_fqdn process_path file_path]
+iseval = 0
+
+[registry_whitelist]
+definition = search NOT [| inputlookup threathunting_registry_whitelist.csv | fields mitre_technique_id host_fqdn event_type process_path registry_key_path registry_key_details]
+iseval = 0
+
+[pipe_created_whitelist]
+definition = search NOT [| inputlookup threathunting_pipe_created_whitelist.csv | fields mitre_technique_id host_fqdn process_path pipe_name]
+iseval = 0
+
+[wmi_whitelist]
+definition = search NOT [| inputlookup threathunting_wmi_whitelist.csv | fields mitre_technique_id host_fqdn process_path pipe_name]
+iseval = 0
+
+[remote_thread_whitelist]
+definition = search NOT [| inputlookup threathunting_remote_thread_whitelist.csv | fields mitre_technique_id host_fqdn process_name target_process_path target_process_address]
+iseval = 0
--- a/Vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz
+++ b/Vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz
--- a/Vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz
+++ b/Vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz
--- a/Vagrant/resources/splunk_server/threathunting_11.tgz
+++ b/Vagrant/resources/splunk_server/threathunting_11.tgz