Splunk app with security alerts to generate detections via Microsoft Sysmon and Windows Event Logs
This app provides alerts built with Splunk search macros to detect a wide variety of suspicious activity in Windows environments. It is designed for blue-team members who need to identify suspicious activity in those environments.
The app consists of a number of search macros, which are also used in Splunk alerts to raise Triggered Alerts. The macros are listed under Advanced Search > Search Macros, with sysmon_detect_* being the detection rules that leverage Sysmon and Windows Event logs.
Other macros include:
sysmon_search - Base search used to search Sysmon logs. Used across most detection rules.
winlog_search - Base search used to search Windows Event logs. Used across most detection rules.
sysmon_rename_fields - Search used to rename/create new fields in Sysmon logs. Used across most detection rules.
sysmon_rename_fields - Search used to rename/create new fields in Windows Event logs. Used across most detection rules.
sysmon_create_alert - Search used to add an alert to a lookup table. The fields in the lookup table are based on the MITRE ATT&CK framework.
Install the app via Splunk.
Ensure that Sysmon logs and Windows Event logs are enabled and forwarded from the relevant universal forwarder.
Refer to this guide on how to forward Sysmon Logs to Splunk.
Refer to this guide on how to forward Windows Event Logs to Splunk.
By default, the app searches sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational (Sysmon logs) and sourcetype=WinEventLog:* (Windows Event logs).
If that is not the case, update the base search macros (winlog_search, and sysmon_search for Sysmon) with the log locations.
Currently, the following detections (as search macros / alerts) have been added to this Splunk app:
sysmon_detect_adhunttool - Detects the ADHunt tool
sysmon_detect_windows_powershell_suspicious_command_exec - Detects strings that contain suspicious PowerShell patterns typically associated with malware
sysmon_detect_windows_powershell_long_command_exec - Detects very long PowerShell command strings typically associated with malware
sysmon_detect_windows_network_connections_beaconing - Detects regular (periodic) outbound network connections, i.e. beaconing
sysmon_detect_windows_dns_connections_beaconing - Detects regular (periodic) Windows DNS connections, i.e. DNS beaconing
sysmon_detect_rubeus_via_command_line_params - Detects use of the Rubeus hacking tool via its command-line parameters
sysmon_detect_kerberoasting_4769 - Detects Kerberoasting of SPNs via Event ID 4769
sysmon_detect_nopac_computer_account_creation_cve_2021_42278 - Detects noPac computer account creation (CVE-2021-42278)
sysmon_detect_unusual_shell_commands - Detects unusual shell commands being called, indicating attacker or Windows administrator activity
sysmon_detect_spn_shell_command_kerberoasting - Detects invocation of the setspn command, which is used to identify Kerberoasting targets
sysmon_detect_pass_the_hash - Detects pass-the-hash attempts via Windows Event logs
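As an added illustration of how the base search macros, a sysmon_detect_* macro and sysmon_create_alert fit together (and how an alert raises a Triggered Alert), here is a macros.conf / savedsearches.conf fragment written for this page; it is not the app's own configuration. The 4769 filter logic (RC4 tickets, krbtgt and machine accounts excluded, a distinct-SPN threshold), the Windows Event field names, the argument list of sysmon_create_alert and the lookup file name are all assumptions.

```ini
# macros.conf (illustrative; the app's real definitions may differ)
[sysmon_search]
definition = sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational"

[winlog_search]
definition = sourcetype="WinEventLog:*"

# A detection macro builds on the base search. Assumed logic: successful 4769
# TGS requests for RC4-encrypted tickets (0x17, the weak type that Kerberoasting
# tooling usually requests), excluding krbtgt and machine accounts ($), then one
# account requesting tickets for many distinct SPNs within the search window.
[sysmon_detect_kerberoasting_4769]
definition = `winlog_search` EventCode=4769 Ticket_Encryption_Type=0x17 Failure_Code=0x0 \
    NOT Service_Name="krbtgt" NOT Service_Name="*$" \
    | stats count AS requests dc(Service_Name) AS spn_count values(Service_Name) AS spns \
      earliest(_time) AS first_seen latest(_time) AS last_seen BY Account_Name, Client_Address \
    | where spn_count >= 5 \
    | eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), \
           last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")

# Assumed argument list and lookup name: the macro tags each result with
# MITRE ATT&CK fields and appends it to a lookup table of raised alerts.
[sysmon_create_alert(3)]
args = alert_name, technique_id, technique_name
definition = eval alert_name=$alert_name$, mitre_technique_id=$technique_id$, \
    mitre_technique=$technique_name$, alert_time=now() \
    | outputlookup append=true sysmon_alerts.csv

# savedsearches.conf: the scheduled alert that wires the macros together.
# alert.track = 1 is what makes a firing appear under Triggered Alerts.
[Sysmon - Kerberoasting via Event ID 4769]
search = `sysmon_detect_kerberoasting_4769` | `sysmon_create_alert("Kerberoasting via 4769", "T1558.003", "Steal or Forge Kerberos Tickets: Kerberoasting")`
cron_schedule = */15 * * * *
dispatch.earliest_time = -30m@m
dispatch.latest_time = now
enable_sched = 1
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
alert.severity = 4
```

Tune the spn_count threshold and the 30-minute window to the size of the domain; service accounts that legitimately hold several SPNs are the usual source of false positives.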