
attack_data's Issues

Splunk prerequisites list for parsing of attack data

I would like to suggest, as an improvement, adding details (or a file) with prerequisites for ingesting the attack data in a new Splunk instance. If the data is ingested in the UI using the Add data wizard, the data is not parsed; in order for Sysmon for Windows telemetry to be parsed, the add-on "Splunk Add-on for Sysmon" ( https://splunkbase.splunk.com/app/5709/ ) must be installed.
And attack data like https://github.com/splunk/attack_data/tree/master/datasets/malware/cyclopsblink requires the "Add-on for Linux Sysmon" ( https://splunkbase.splunk.com/app/6176/ ).
This becomes even more complicated since some people might be confused by other add-ons in the Splunk store which are not supported anymore, but may still be found and downloaded from the store.

I think it would make this open source project more accessible if the prerequisites for running the attack data in a freshly installed instance of Splunk were specified.

Rewrite hostnames

The current code allows us to update timestamps to current time via update_timestamp: True. Could we also have a similar parameter to update the host before indexing in Splunk? Certain detections may rely on the host field or only trigger on activities happening on multiple hosts.
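An added example (not code from the attack_data project) of what such a host-rewrite option could do alongside timestamp updating: it remaps hostnames consistently across every event and shifts all timestamps by one common offset, so that multi-host detections still see the same relative ordering. Field names (`_time`, `host`, `Computer`) and the sample events are assumptions constructed for the example.

```python
import json
from datetime import datetime, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample events (Sysmon-like JSON); not taken from any real dataset.
SAMPLE_EVENTS = [
    {"_time": "2021-03-01T10:00:00Z", "host": "win-dc-01", "Computer": "win-dc-01",
     "EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe"},
    {"_time": "2021-03-01T10:05:30Z", "host": "win-ws-02", "Computer": "win-ws-02",
     "EventCode": 1, "Image": r"C:\Windows\System32\whoami.exe"},
]

# Fields that may carry a hostname; assumed field names for this example.
HOST_FIELDS = ("host", "Computer")


def parse_ts(value):
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def rewrite_events(events, host_map=None, update_timestamp=False, now=None):
    """Return copies of `events` with hostnames remapped via `host_map` and,
    if `update_timestamp` is set, timestamps shifted by a single offset so the
    latest event lands at `now` and the gaps between events are preserved."""
    out = [dict(e) for e in events]          # never mutate the caller's data
    if update_timestamp and out:
        now = now or datetime.now(timezone.utc)
        latest = max(parse_ts(e["_time"]) for e in out)
        delta = now - latest                 # one offset for the whole dataset
        for e in out:
            e["_time"] = (parse_ts(e["_time"]) + delta).strftime(TS_FMT)
    if host_map:
        for e in out:
            for field in HOST_FIELDS:        # rewrite every hostname-bearing field
                if field in e:
                    e[field] = host_map.get(e[field], e[field])
    return out


def to_jsonl(events):
    """Serialize events as newline-delimited JSON, ready to index."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    rewritten = rewrite_events(SAMPLE_EVENTS, {"win-dc-01": "lab-dc"},
                               update_timestamp=True)
    print(to_jsonl(rewritten))
```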

ID/UUID in Yaml files

Hi Folks,

We would like to integrate your ATT&CK data in CyCAT.org, which is another open source project. But we have seen that a lot of yaml files don't include an ID/UUID. Do you plan to add one? It would help a lot to uniquely identify the rule.

Thanks a lot.

Cheers

Capture attacks being executed

Datasets are awesome, and reading the description really makes me want to see what command was used and at what exact timestamp so I can analyze logs near/around it. Currently the user is left with just the logs and hopefully they can find what happened and when.

It would be great to come up with some standardized way of tracking attack commands + timing. Obviously this initially might be restricted to only shell commands (GUI clicks are out of scope).

I'd propose looking to include any Ansible automated logs (do they show this?) for the Atomic Red things ... as well as Linux typescript or bash_history with timestamping.

How do I make Splunk ES check my uploaded logs

I have installed the Splunk ES app and uploaded botsv1.stream_http.json,
but incident_review and ess_security_posture are not hitting any event.
How do I make Splunk ES check my uploaded logs and generate a list of alerts like below? Please note that I am not checking the logs forwarded by an agent, but the log files uploaded on the browser side.
Thank you
