{"id":13599070,"url":"https://github.com/mf1d3l/Splunk4DFIR","last_synced_at":"2025-04-10T12:31:17.875Z","repository":{"id":216963099,"uuid":"742763820","full_name":"mf1d3l/Splunk4DFIR","owner":"mf1d3l","description":"Harness the power of Splunk for your investigations","archived":false,"fork":false,"pushed_at":"2024-07-27T14:37:21.000Z","size":1358,"stargazers_count":60,"open_issues_count":0,"forks_count":8,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-08-02T17:35:53.333Z","etag":null,"topics":["dfir","incident-response","splunk","threat-hunting"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mf1d3l.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-01-13T09:47:38.000Z","updated_at":"2024-07-27T17:31:27.000Z","dependencies_parsed_at":"2024-02-10T11:31:02.034Z","dependency_job_id":"afa076e9-0e22-4fc7-964f-89973dc3a7a0","html_url":"https://github.com/mf1d3l/Splunk4DFIR","commit_stats":null,"previous_names":["mf1d3l/splunk4dfir"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mf1d3l%2FSplunk4DFIR","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mf1d3l%2FSplunk4DFIR/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mf1d3l%2FSplunk4DFIR/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mf1d3l%2FSplunk4DFIR/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/ow
ners/mf1d3l","download_url":"https://codeload.github.com/mf1d3l/Splunk4DFIR/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248217126,"owners_count":21066633,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dfir","incident-response","splunk","threat-hunting"],"created_at":"2024-08-01T17:00:59.447Z","updated_at":"2025-04-10T12:31:17.860Z","avatar_url":"https://github.com/mf1d3l.png","language":"Shell","funding_links":[],"categories":["Other Lists"],"sub_categories":["🛡️ DFIR:"],"readme":"# Splunk4DFIR\n\n## Description\n\nQuickly spin up a splunk instance with Docker to browse through logs and tools output during your investigations. 
\n\n![](doc/images/splunk4dfir_demo.png)\n\nThis is a simple quality-of-life improvement project built upon the amazing work below:\n\n- https://github.com/omerbenamram/evtx\n- https://github.com/whikernel/evtx2splunk\n- https://github.com/splunk/docker-splunk\n- https://github.com/SigmaHQ\n- https://github.com/Yamato-Security/hayabusa\n- https://github.com/mthcht/ThreatHunting-Keywords\n- https://github.com/mthcht/awesome-lists\n- https://github.com/magicsword-io/LOLDrivers\n- https://github.com/ufrisk/MemProcFS\n\nSplunk4DFIR is made of 3 main components: \n  - some basic data ingestion configuration modules and scripts\n  - a collection of ready-to-use dashboards to get started visualizing the data\n  - savedsearches translated from [sigma rules](https://github.com/SigmaHQ/sigma) to run against the data for triage\n\nThe app comes with pre-compiled sigma rules in its savedsearches.conf file, but the philosophy of the project is to let you easily import any ruleset you want with the [pysigma pipelines](sigma/pipelines) provided; see [Sigma Rules Support](#sigma-rules-support).\n\n## Motivation\n\nSOC to DFIR is becoming a natural career path, and considering the current market shares of Splunk and Crowdstrike, familiarity with SPL(-like) query languages is becoming widespread within the DFIR community. This project enables you to quickly spin up, on whatever workstation you have at hand, a lightweight environment to demonstrate your SPL-fu and save the day.\n\nIn DFIR it is common to juggle between different VMs and operating systems to be able to use all your favourite tools. Using Docker is convenient for portability.\n\nWhen it comes to evtx files specifically, a key differentiator of this project is that it provides a light analysis environment that can run on a single Linux host, whereas most Splunk lab environments typically require a dedicated Windows host because the official Splunk evtx ingestors rely on underlying Windows OS APIs.  
\n\n\n## HOW-TO\n\nDrop your files under the appropriate folder in `artifacts/`, then build and run the container.\n\n```\nsudo docker build -t splunk4dfir .\nsudo docker run --name splunk4dfir -e SPLUNK_START_ARGS=--accept-license -e SPLUNK_PASSWORD=changeme -e SPLUNK_APPS_URL=\"/mnt/resources/sankey-diagram-custom-visualization_130.tgz\" -p 8000:8000 -p 8089:8089 -v ./artifacts:/mnt/artifacts -v ./resources:/mnt/resources splunk4dfir:latest start\n```\n\nGo to: http://127.0.0.1:8000/en-US/app/Splunk4DFIR/search\n\nSome errors during build may be due to an older version of Docker that doesn't use BuildKit by default; in this case you may try the following workaround: `sudo DOCKER_BUILDKIT=1 docker build -t splunk4dfir .`\n\nIf you don't see data being ingested, check the permissions of your artifact files.\n\n## Supported inputs\n\n- `artifacts/json/`: drop there arbitrary json files\n- `artifacts/csv/`: drop there arbitrary csv files\n- `artifacts/cloudtrail/`: drop there exported cloudtrail logs\n- `artifacts/evtx/`: drop there windows logs evtx files\n- `artifacts/zeek/`: drop there your json zeek files\n- `artifacts/suricata/`: drop there your eve.json suricata file\n- `artifacts/supertimelines/`: drop there your plaso l2tcsv outputs\n- `artifacts/memprocfs/`: drop there your MemProcFS forensic json output files\n- `artifacts/syslog/`: drop there linux syslog logs\n- `artifacts/gcp/`: drop there exported Google Cloud Platform Audit logs\n- `artifacts/elastic_agent/`: drop there exported elastic agent json logs\n\nAdditionally, some [macros](Splunk4DFIR/default/macros.conf) are configurable to point to the sourcetypes of specific tools' output, such as:\n\n- `autorunsc`: points to autorunsc csv output files\n- `prefetch`: points to PECmd csv output files\n- `amcache`: points to AmcacheParser csv output files\n- `shimcache`: points to AppCompatCacheParser csv output files\n- `timeline`: points to simple timeline files\n- `winevtx`: points to EvtxECmd csv output files\n- 
`hayabusa`: points to hayabusa csv output files\n\n\n## Ingest evtx as json\n\nOnce Splunk is up and running you can trigger the evtx logs ingestion with: \n\n```\nsudo docker exec -it splunk4dfir sudo /opt/splunk/etc/apps/Splunk4DFIR/bin/ingest_evtx.sh\n```\n\n## Enable saved searches\n\nScheduled searches are disabled by default; you can enable them all with:\n\n```\nsudo docker exec -it splunk4dfir sudo /opt/splunk/etc/apps/Splunk4DFIR/bin/set_savedsearches.sh enable\n```\n\nand disable them all with:\n\n```\nsudo docker exec -it splunk4dfir sudo /opt/splunk/etc/apps/Splunk4DFIR/bin/set_savedsearches.sh disable\n```\n\nSearches only match data ingested recently, so as not to flood the notables index with duplicates.\n\n## Sigma Rules support\n\nYou can import sigma rules as savedsearches using the command below, shown here as an example for importing Windows rules. Pysigma pipeline config files are also available for other rulesets. \n\n```\nsudo docker build -t sigma-cli sigma/\nsudo docker run -it --name sigma-cli --rm -v ./Splunk4DFIR/default:/mnt/output -v ./sigma/rules/:/mnt/rules -v ./sigma/pipelines:/mnt/pipelines sigma-cli:latest pipenv run sigma convert -t splunk -p /mnt/pipelines/evtx2splunk.yml /mnt/rules/sigma/rules/windows/ -s -o /mnt/output/savedsearches.conf\n```\n\nWhen dealing with evtx files, the evtx-to-json import plus sigma-rule-to-scheduled-alert conversion approach has the benefit of providing you with all the events. However, it doesn't scale very well. It is better suited to investigating just a handful of endpoint logs.\n\nIf you need to triage evtx across a very large fleet of endpoints, I rather recommend starting processing with [hayabusa](https://github.com/Yamato-Security/hayabusa) and importing the hayabusa outputs into Splunk. 
The Splunk4DFIR app has a dashboard to visualise hayabusa outputs.\n\nSome rulesets can be found already compiled [here](sigma/compiled/).\n\n\n## Pcap to Zeek\n\nDrop your pcap file under `artifacts/pcap/`, then build and run the zeek container to generate zeek json output files. \n\n```\nsudo docker build -t zeek zeek/\nsudo docker run -it -v ./artifacts:/mnt/artifacts --name zeek --rm zeek /opt/zeek/bin/zeek -r /mnt/artifacts/pcap/packetcapture.pcapng LogAscii::use_json=T Log::default_logdir=/mnt/artifacts/zeek/\n```\n\n## Pcap to suricata alerts\n\nDrop your pcap file under `artifacts/pcap/`, then build and run the suricata container to generate the eve.json file. \n\n```\nsudo docker build -t suricata suricata/\nsudo docker run -it -v ./artifacts:/mnt/artifacts --name suricata --rm suricata suricata -S /var/lib/suricata/rules/suricata.rules -r /mnt/artifacts/pcap/packetcapture.pcapng -l /mnt/artifacts/suricata\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmf1d3l%2FSplunk4DFIR","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmf1d3l%2FSplunk4DFIR","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmf1d3l%2FSplunk4DFIR/lists"}