ThreatHunting
Overview
Details
You obviously need to be ingesting Sysmon data into Splunk, a good configuration can be found in the details
Required actions after deployment:
Make sure the threathunting index is present on your indexers
Edit the macro's to suit your environment
Install the required addons
Install the lookup csv's or create them yourself, empty csv's are here > https://github.com/olafhartong/ThreatHunting/raw/master/files/ThreatHunting.tar.gz
More documentation is available at > https://github.com/olafhartong/threathunting/wiki
This app is maintained on GitHub > https://github.com/olafhartong/threathunting
This is a Splunk application containing several dashboards and over 120 reports that will facilitate initial hunting indicators to investigate.
You obviously need to be ingesting Sysmon data into Splunk, a good configuration can be found here
Note:
This application is not a magic bullet, it will require tuning and real investigative work to be truly effective in your environment.
Try to become best friends with your system administrators. They will be able to explain a lot of the initially discovered indicators.
Big credit goes out to MITRE for creating the ATT&CK framework!
Pull requests / issue tickets and new additions will be greatly appreciated!
Mitre ATT&CK
I strive to map all searches to the ATT&CK framework.
A current ATT&CK navigator export of all linked configurations is found here and can be viewed here
App Prerequisites
Install the following apps to your SearchHead:
- Punchcard Visualization
- Force Directed Visualization
- Sankey Diagram Visualization
- Lookup File Editor
Required actions after deployment
- Make sure the threathunting index is present on your indexers
- Edit the macro's to suit your environment > https://YOURSPLUNK/en-US/manager/ThreatHunting/admin/macros
- The app is shipped without whitelist lookup files, you'll need to create them yourself. This is so you won't accidentally overwrite them on an upgrade of the app. Install the lookup csv's or create them yourself, empty csv's are here
Usage
A more detailed explanation of all functions can be found here
Release Notes
Version 1.4.1
New Features
- NEW REQUIREMENT : Link Analysis app >> LINK
- Initial mapping of Windows 4768/9 events in props.conf
- Pipe Drilldown dashboard
- File create whitelist macro
- File create Drilldown dashboard
- Added Stacking tools section
- Added Mitre ATT&CK stacking page
- Added DNS stacking page with beaconing detection
- Added DNS whitelist
- Added User drilldown page
- Added Macro drilldown dashboard
- Added 24 new searches
- Added Credits pane
Changes
- Renamed pipe_created_whitelist macro to pipe_whitelist
- Renamed pipe_created_whitelist csv to pipe_whitelist throughout the app
- Replaced the force directed visual by link analysis for network connection drilldown
- Added a few fields to props.conf, including Sysmon DNS events
- Extended T1218,T1216,T1081,T1075 searches
- Rebuilt the whitelisting, searches are a LOT quicker now and take less resources
- Added original_file_name to event_id 1 and 7
- Top triggered techniques drilldown changed to technique_id
- more details on GitHub
Version 1.3.4
### Updates 1.3.4
New Features
- Added Technique and Host filtering options to the threat hunting overview page
- Added Timeline graph to the overview page
- Added Technique and Host filtering options to the mitre att&ck overview page
- Added New Files created page, based on Sysmon event_id 11
- Added File Create whitelist editor page
- Initial mapping of Windows 4688 events in props.conf
- Added 4688 events to 70 reports
- Added indextime macro
Changes
- Automated search distribution
- Index time searches instead of _time
- Cleaned up the code a bit
Bugfixes
- Fixed the Tactics and Technique(ID) filters on the mitre att&ck overview page
- Added the Initial Access tactic and properly sorted them on all pages
- Re-added the computer investigator page
- Changed sourcetype to source in macros
Version 1.2
This is a Splunk application containing several hunting dashboards and over 120 reports that will facilitate initial hunting indicators to investigate.
You obviously need to be ingesting Sysmon data into Splunk, a good configuration can be found in the details
Required actions after deployment:
Make sure the threathunting index is present on your indexers
Edit the macro's to suit your environment
Install the required addons
Install the lookup csv's or create them yourself, empty csv's are here > https://github.com/olafhartong/ThreatHunting/raw/master/files/ThreatHunting.tar.gz
More documentation is available at > https://github.com/olafhartong/threathunting/wiki
This app is maintained on GitHub > https://github.com/olafhartong/threathunting
Changelog:
V1.2
Several bug fixes, AppInspect improvements, ensured overall code consistency
Version 1.1
BlackHat Europe Arsenal Edition