
Splunk prerequisites list for parsing of attack data

Open ionsor opened this issue 3 years ago • 2 comments

I would like to suggest, as an improvement, adding details (or a file) with prerequisites for ingesting the attack data into a new Splunk instance. If the data is ingested in the UI using the Add data wizard, the data is not parsed; in order for Sysmon for Windows telemetry to be parsed, the add-on "Splunk Add-on for Sysmon" (https://splunkbase.splunk.com/app/5709/) must be installed. And attack data like https://github.com/splunk/attack_data/tree/master/datasets/malware/cyclopsblink requires "Add-on for Linux Sysmon" (https://splunkbase.splunk.com/app/6176/). This becomes even more complicated since some people might be confused by other add-ons in the Splunk store which are not supported anymore, but may still be found and downloaded from the store.

I think it would make this open source project more accessible if the prerequisites for running the attack data in a freshly installed instance of Splunk were specified.

ionsor avatar May 17 '22 09:05 ionsor
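Since the point above is that uploaded Sysmon telemetry is unusable until it is parsed into fields, here is an added example (not code from the attack_data project or from the Splunk Add-on for Sysmon) that flattens one Sysmon XmlWinEventLog event into the fields a detection would search on; the sample event is constructed.

```python
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten one XmlWinEventLog Sysmon event into the fields a detection
    searches on: System/* by tag name, EventData/Data by Name attribute."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "Event":
        raise ValueError("not a Windows event XML document")
    fields = {}
    for section in root:
        name = _local(section.tag)
        if name == "System":
            for child in section:
                tag = _local(child.tag)
                if tag == "Provider":
                    fields["Provider"] = child.get("Name", "")
                elif tag == "EventID":
                    fields["EventID"] = int(child.text or 0)
                elif child.text and child.text.strip():
                    fields[tag] = child.text.strip()
        elif name == "EventData":
            for data in section:
                key = data.get("Name")
                if key:
                    fields[key] = (data.text or "").strip()
    return fields


# Constructed sample (not a real capture): a Sysmon EventID 1 process-creation
# event in the shape the XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype carries.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>1</EventID>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>win10.lab.local</Computer>
  </System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    for key, value in parse_sysmon_event(SAMPLE_EVENT).items():
        print(f"{key}={value}")
```

Without this kind of extraction (which the add-on performs in Splunk), a search such as `Image=*\cmd.exe` has no field to match, which is why raw uploads look ingested but never fire detections.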

@ionsor: I think it's a great idea and it would certainly make it easier! We will have to evaluate how to programmatically add these fields.

With that said, we currently use this attack data to test our detections in security_content using these TAs

patel-bhavin avatar Nov 10 '22 20:11 patel-bhavin

Hi guys @ionsor @patel-bhavin, I am trying to use some of the Sysmon logs found here, and I am running into an issue where, even though I choose the right data source (XmlWinEventLog:Microsoft-Windows-Sysmon/Operational) when uploading the data to Splunk using the GUI, I get an error saying "Not Found" (see the attached picture).

While doing some searching, I also came across https://docs.splunk.com/Documentation/Splunk/9.1.2/Data/Uploaddata, which states that "The Splunk Add-On for Sysmon is not supported for use with data loaded using the Upload Data functionality. For best results, use one of the supported options to collect Windows Sysmon events as described in the Splunk Add-On for Sysmon manual." Does that mean that the datasets here coming from Sysmon will not work?

[attached image: sysmon]

albertenc13 avatar Dec 26 '23 01:12 albertenc13