https://github.com/fox-it/dissect-add-on-for-splunk
A splunk plugin that provides sourcetyping for ingestion and processing of dissect records
Last synced: 4 months ago
- Host: GitHub
- URL: https://github.com/fox-it/dissect-add-on-for-splunk
- Owner: fox-it
- License: agpl-3.0
- Created: 2024-10-04T07:52:08.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2025-02-20T12:21:39.000Z (over 1 year ago)
- Last Synced: 2026-01-26T13:53:06.654Z (5 months ago)
- Size: 23.4 KB
- Stars: 2
- Watchers: 5
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.MD
- License: LICENSE
README
# Dissect technology add-on for Splunk
Provides sourcetyping for ingestion and processing of dissect records.
## Prerequisites and dependencies
When ingested Dissect output contains Evtx records, they are correctly interpreted according to CIM if the Splunk Windows TA is installed.
To achieve this, the XmlWinEventLog sourcetype of the Windows TA is altered to perform KV_MODE field extractions.
Therefore, be careful when using this app in a production monitoring environment.
App dependencies:
- Splunk Windows TA
## Installation
The latest version can be downloaded and installed directly from [Splunkbase](https://splunkbase.splunk.com/app/7580).
Alternatively it can be downloaded from the Releases page on [Github](https://github.com/fox-it/dissect-add-on-for-splunk/releases).
## Usage
The most basic usage is to create a TCP input in Splunk and configure it with the desired Dissect sourcetype.
You can then use rdump from the Dissect suite to push data to the Splunk server's TCP port. See the Dissect documentation on how to use rdump (https://docs.dissect.tools/en/stable/tools/rdump.html).
In short, this boils down to:
```bash
target-query -f evtx | rdump -w splunk://:
```
## Author
Released as open source by Fox-IT (https://www.fox-it.com), part of NCC Group Plc (https://www.nccgroup.com).
Developed by the Dissect Team (dissect@fox-it.com) and made available at https://github.com/fox-it/dissect-add-on-for-splunk.
## License
License terms: AGPL3 (https://www.gnu.org/licenses/agpl-3.0.html).