From a422ad844231ff4e8d316fb7d72af2e56541313f Mon Sep 17 00:00:00 2001
From: mdtro
Date: Sat, 6 Feb 2021 01:01:08 -0600
Subject: [PATCH] add custom props.conf for Splunk TA for Zeek and update logger_bootstrap
---
 Vagrant/logger_bootstrap.sh | 4 ++++
 Vagrant/resources/splunk_server/zeek_ta_props.conf | 12 ++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 Vagrant/resources/splunk_server/zeek_ta_props.conf
diff --git a/Vagrant/logger_bootstrap.sh b/Vagrant/logger_bootstrap.sh
index e6d58a9..cc65dc5 100644
--- a/Vagrant/logger_bootstrap.sh
+++ b/Vagrant/logger_bootstrap.sh
@@ -195,6 +195,10 @@ install_splunk() {
 cp /vagrant/resources/splunk_server/windows_ta_props.conf /opt/splunk/etc/apps/Splunk_TA_windows/default/props.conf
 cp /vagrant/resources/splunk_server/sysmon_ta_props.conf /opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf
+ # Add props.conf to Splunk Zeek TA to properly parse timestamp
+ # and avoid grouping events as a single event
+ cp /vagrant/resources/splunk_server/zeek_ta_props.conf /opt/splunk/etc/apps/Splunk_TA_bro/local/props.conf
+
 # Add custom Macro definitions for ThreatHunting App
 cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf
 # Fix props.conf in ThreatHunting App
diff --git a/Vagrant/resources/splunk_server/zeek_ta_props.conf b/Vagrant/resources/splunk_server/zeek_ta_props.conf
new file mode 100644
index 0000000..8bf46c5
--- /dev/null
+++ b/Vagrant/resources/splunk_server/zeek_ta_props.conf
@@ -0,0 +1,12 @@
+[zeek:json]
+DATETIME_CONFIG =
+INDEXED_EXTRACTIONS = json
+KV_MODE = none
+LINE_BREAKER = ([\r\n]+)
+NO_BINARY_CHECK = true
+category = Structured
+description = Zeek JSON sourcetype with fixed timestamp parsing.
+disabled = false
+pulldown_type = true
+TIMESTAMP_FIELDS = ts
+TIME_FORMAT = %s.%6N
\ No newline at end of file
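Review bot: The new `cp` writes to `/opt/splunk/etc/apps/Splunk_TA_bro/local/props.conf`, but nothing in the hunk ensures that `local/` exists; if the installed add-on ships only `default/` (the layout the two preceding `cp` lines rely on), `cp` fails with "No such file or directory", the timestamp fix is silently absent, and Zeek events end up indexed with the wrong event time, which is exactly the kind of drift that corrupts an investigation timeline. Create the directory first, `mkdir -p /opt/splunk/etc/apps/Splunk_TA_bro/local`, on the line before the `cp`, and consider making a failed copy visible rather than relying on the surrounding lines, which do not check `cp` results either. Targeting `local/` instead of `default/` is the right choice, since it survives add-on upgrades, and the other TA copies would benefit from the same treatment in a follow-up. `install_splunk()` begins and ends outside the hunk.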
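Review bot: `TIME_FORMAT = %s.%6N` hard-wires Zeek's default epoch-seconds encoding of `ts`, so the stanza falls back to index time without any error whenever the sensor is configured to emit ISO 8601 timestamps (Zeek's `LogAscii::json_timestamps` option), an event-time mismatch that is easy to miss later; a comment above `TIMESTAMP_FIELDS` should record the assumption, e.g. `# ts is Zeek's default epoch-seconds value (LogAscii::json_timestamps = JSON::TS_EPOCH); change TIME_FORMAT if that setting changes`. `DATETIME_CONFIG =` is left empty; if that is meant to keep Splunk's default datetime config rather than disable automatic extraction, say so in a comment, because `NONE` is the documented way to turn extraction off and a reader may assume that was the intent. Whether `SHOULD_LINEMERGE = false` is needed alongside `LINE_BREAKER` cannot be determined from the hunk, since Splunk's structured parser normally handles line breaking when `INDEXED_EXTRACTIONS` is set, so I would only add it if events still merge in testing. The file also lacks a trailing newline, as the diff notes.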