This app is dedicated to my daughter. May this app improve the security of organisations great and small.
Please find documentation here: https://github.com/doksu/splunk_auditd/wiki
- 'Update auditd_hosts lookup' and 'Update auditd_indices lookup' now have earliest times by default to prevent those scheduled searches from running for long periods in large environments (especially where SmartStore is used) (Thanks Martin Mueller)
- Distribution lookup updated
- Decoding of spaces in proctitle field to process_name fixed (Thanks Rafael de Vega for the pull request https://github.com/doksu/splunk_auditd/pull/27)
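As an added illustration of the proctitle decoding that the fix above concerns (example code written for this page, not taken from the app or the pull request): auditd writes the proctitle field as a quoted string when it is plain printable text, and as a hex blob whenever the command line holds NUL argument separators or other non-printable bytes. The snippet decodes both forms into a process_name and a rebuilt command line; taking argv[0] as process_name, the output field names, and the sample records are all assumptions made here.

```python
import re

# Constructed sample PROCTITLE records (not taken from the page or from real hosts).
SAMPLE_RECORDS = [
    "type=PROCTITLE msg=audit(1566000000.123:456): proctitle=2F7573722F7362696E2F73736864002D44",
    'type=PROCTITLE msg=audit(1566000001.456:457): proctitle="bash"',
    "type=PROCTITLE msg=audit(1566000002.789:458): proctitle=2F62696E2F7368002D63006C73202D6C61",
]

# auditd emits proctitle either as a quoted printable string or as a hex blob
# (used whenever the value holds NUL argument separators or other non-printables).
PROCTITLE_RE = re.compile(
    r'proctitle=(?:"(?P<quoted>[^"]*)"|(?P<hex>[0-9A-Fa-f]+))(?=\s|$)'
)


def decode_proctitle(record):
    """Return {'process_name', 'argv', 'cmdline'} for one audit record, or None.

    process_name is taken as argv[0] (an assumption about the app's mapping).
    argv elements are rejoined with spaces for cmdline, so a space inside one
    argument ("ls -la" in the third sample) stays part of that single argv entry
    rather than being split into two.
    """
    m = PROCTITLE_RE.search(record)
    if m is None:
        return None
    if m.group("quoted") is not None:
        argv = [m.group("quoted")]
    else:
        hexstr = m.group("hex")
        if len(hexstr) % 2:  # malformed: hex encodes whole bytes only
            return None
        raw = bytes.fromhex(hexstr).decode("utf-8", errors="replace")
        argv = raw.split("\x00")
        if len(argv) > 1 and argv[-1] == "":  # drop a trailing NUL terminator
            argv.pop()
    return {"process_name": argv[0], "argv": argv, "cmdline": " ".join(argv)}


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(decode_proctitle(rec))
```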
.conf 2019 release - be sure to watch "ATT&CKing Linux with SPL" session to see the new features below.
- MITRE ATT&CK eventtypes and tag
- MITRE ATT&CK in Auditd data model
- SOFTWARE_UPDATE events now supported (mapped to CIM)
Splunk .conf 2018 Edition!
- App renamed from TA_linux-auditd to TA-linux_auditd to conform with Splunk's current naming convention
- Enriched audit events are now supported to accommodate environments with inconsistent uid/gid allocation
- New auditd event types now supported
- Host Inventory lookup now has an automatically updating last_boot field which can be used to indicate uptime
- Additional distribution releases now supported
- Unused capture groups in some transform regexes updated
- Unused default/data/ui/nav removed (v3.0.1)
- Indices spelling mistake corrected throughout app