I would like to suggest, as an improvement, adding details (or a file) with the prerequisites for ingesting the attack data in a new Splunk instance. If the data is ingested in the UI using the Add data wizard, the data is not parsed; in order for Sysmon for Windows telemetry to be parsed, the add-on "Splunk Add-on for Sysmon" (https://splunkbase.splunk.com/app/5709/) must be installed.
And attack data like https://github.com/splunk/attack_data/tree/master/datasets/malware/cyclopsblink requires the "Add-on for Linux Sysmon" (https://splunkbase.splunk.com/app/6176/).
This becomes even more complicated since some people might be confused by other add-ons in the Splunk store which are not supported anymore, but may still be found and downloaded from the store.
I think it would make this open source project more accessible if the prerequisites for running the attack data in a freshly installed instance of Splunk were specified.
Hi guys @ionsor @patel-bhavin, I am trying to use some of the Sysmon logs found here and I am running into an issue where, even though I choose the right data source of XmlWinEventLog:Microsoft-Windows-Sysmon/Operational when uploading the data using the GUI to Splunk, I get an error saying "Not Found"; see the attached picture.
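The prerequisite problem described in the issue and the comment above can be caught before ingestion. The following pre-flight check is an added example, not code from the attack_data project or from the people in this thread: it reads the installed-apps list from Splunk's management API, reports any sourcetype whose parsing add-on is absent or disabled, and only then loads a dataset with an explicit sourcetype. The add-on directory names in REQUIRED_APPS, the bearer-token auth and the sample API response are assumptions or constructed data.

```python
"""Pre-flight check before loading an attack_data dataset into Splunk via the REST API.
Constructed example; app ids, base URL and token handling are assumptions to adjust."""
import json
import urllib.parse
import urllib.request
from typing import Dict, List

# sourcetype -> app directory expected in $SPLUNK_HOME/etc/apps (ASSUMED ids, verify on your instance)
REQUIRED_APPS: Dict[str, str] = {
    "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational": "Splunk_TA_microsoft_sysmon",  # Splunkbase 5709
    "sysmon:linux": "LINUX_SYSMON_ADDON_ID_PLACEHOLDER",  # Splunkbase 6176; id is a placeholder
}

def _truthy(value) -> bool:
    return str(value).lower() in ("1", "true", "yes")

def installed_apps(apps_json: str) -> Dict[str, bool]:
    """Map app name -> enabled, parsed from GET /services/apps/local?output_mode=json."""
    entries = json.loads(apps_json).get("entry", [])
    return {e["name"]: not _truthy(e.get("content", {}).get("disabled", False)) for e in entries}

def missing_prerequisites(sourcetypes: List[str], apps: Dict[str, bool]) -> List[str]:
    """One problem line per sourcetype whose parsing add-on is missing or disabled."""
    problems = []
    for st in sourcetypes:
        app = REQUIRED_APPS.get(st)
        if app is None:
            continue  # no add-on requirement known for this sourcetype
        if app not in apps:
            problems.append(f"{st}: add-on '{app}' is not installed")
        elif not apps[app]:
            problems.append(f"{st}: add-on '{app}' is installed but disabled")
    return problems

def rest_call(base_url: str, token: str, path: str, form: Dict[str, str] = None) -> str:
    """GET (or POST when form is given) a management endpoint; TLS is verified by default."""
    data = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(f"{base_url}{path}", data=data, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()

def ingest_if_ready(base_url: str, token: str, server_path: str, sourcetype: str, index: str = "main") -> str:
    """Refuse to load the file unless its sourcetype's add-on is installed and enabled."""
    apps = installed_apps(rest_call(base_url, token, "/services/apps/local?output_mode=json&count=0"))
    problems = missing_prerequisites([sourcetype], apps)
    if problems:
        raise RuntimeError("; ".join(problems))
    form = {"name": server_path, "sourcetype": sourcetype, "index": index}  # oneshot input, explicit sourcetype
    return rest_call(base_url, token, "/services/data/inputs/oneshot?output_mode=json", form)

# Constructed API response: Sysmon TA present but disabled, Linux Sysmon add-on absent.
SAMPLE_APPS_JSON = json.dumps({"entry": [{"name": "search", "content": {"disabled": False}},
                                         {"name": "Splunk_TA_microsoft_sysmon", "content": {"disabled": True}}]})
```

Run `missing_prerequisites(list(REQUIRED_APPS), installed_apps(SAMPLE_APPS_JSON))` to see the two problem lines the constructed response produces.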