  • Stars: 1,090
  • Rank: 42,497 (Top 0.9 %)
  • License: MIT License
  • Created about 6 years ago
  • Updated over 1 year ago



ThreatHunting | A Splunk app mapped to MITRE ATT&CK to guide your threat hunts


This is a Splunk application containing several dashboards and over 130 reports that surface initial hunting indicators to investigate.

You obviously need to be ingesting Sysmon data into Splunk; a good configuration can be found here.

Note: This application is not a magic bullet; it will require tuning and real investigative work to be truly effective in your environment. Try to become best friends with your system administrators. They will be able to explain a lot of the initially discovered indicators.

Big credit goes out to MITRE for creating the ATT&CK framework!

Pull requests / issue tickets and new additions will be greatly appreciated!

Mitre ATT&CK

I strive to map all searches to the ATT&CK framework. A current ATT&CK Navigator export of all linked configurations is found here and can be viewed here.

Required actions after deployment

  • Follow all the steps on the About page in the app, make sure all requirements are met.
  • Make sure the threathunting index is present on your indexers
  • Edit the macros to suit your environment > https://YOURSPLUNK/en-US/manager/ThreatHunting/admin/macros (make sure the sourcetype is correct)
  • The app is shipped without whitelist lookup files, you'll need to create them yourself. This is so you won't accidentally overwrite them on an upgrade of the app.
  • Install the lookup CSVs or create them yourself; empty CSVs are here

A step by step guide kindly written by Kirtar Oza can be found here

Usage

A more detailed explanation of all functions can be found here or in this blog post

More Repositories

  • sysmon-modular (PowerShell, 2,381 stars): A repository of sysmon configuration modules
  • sysmon-cheatsheet (507 stars): All sysmon event types and their fields explained
  • ATTACKdatamap (PowerShell, 342 stars): A datasource assessment on an event level to show potential coverage of the MITRE ATT&CK framework
  • MDE-AuditCheck (PowerShell, 92 stars): MDE relies on some of the Audit settings to be enabled
  • Presentations (63 stars): My conference presentations
  • detection-sources (51 stars)
  • DefenderHarvester (Go, 48 stars): Expose a lot of MDE telemetry that is not easily accessible in any searchable form
  • TA-Sysmon-deploy (Batchfile, 31 stars): Deploy and maintain Sysmon through the Splunk Deployment Server
  • WDACme (20 stars): A WDAC configuration repository with the sole intention of enriching MDE
  • parsoalto (PHP, 16 stars): Palo Alto Networks Rule Parser
  • Sentinel-template-parser (PowerShell, 15 stars): Azure Sentinel Template parser
  • SA-Threat-Hunting (13 stars): Splunk app for Threat hunting
  • sysmon-modular-linux (12 stars): A repository of Sysmon For Linux configuration modules
  • sysmon-parser (PowerShell, 10 stars): Automatically generated Sysmon parser for Azure Sentinel
  • unfetter-discover (Shell, 8 stars): Unfetter-Discover Vagrant script for the Unfetter-Discover docker release
  • scripts (Shell, 5 stars): just random simple scripts
  • disposable-windows (2 stars): A packer project to quickly have a test / dev / IR box
  • olafhartong (2 stars)
  • Clear-dminline (Python, 2 stars): After migrating a Cisco ASA config to a Palo Alto config you remain with all these horrible DMINLINE objects; this tool resolves all members and replaces the ogroup object by its members
  • BHCEupload (Go, 1 star): A small Go tool to upload JSON files to the BloodHound community edition API