Splunk Configuration Details (Velocidex#2594)

Added configurations stanzas for Splunk to facilitate the correct timestamp extraction and data indexing.
vividDuck · Mar 29, 2023 · f522ad1 · f522ad1
1 parent f573317
commit f522ad1
Showing 1 changed file with 33 additions and 0 deletions.
diff --git a/artifacts/definitions/Splunk/Flows/Upload.yaml b/artifacts/definitions/Splunk/Flows/Upload.yaml
@@ -19,6 +19,39 @@ description: |
        * Go to Settings > Data Inputs > HTTP Event Collector > Global Settings
        * Ensure `All Tokens` is set to ENABLED
        * Copy the HTTP Port Number for this event
+    4. Configure your Splunk props.conf and tranforms.conf
+       * Add the following to props.conf
+         [vql]
+         INDEXED_EXTRACTIONS = json
+         DATETIME_CONFIG = CURRENT
+         TZ = GMT
+         category = Custom
+         pulldown_type = 1
+         TRANSFORMS-vql-sourcetype = vql-sourcetype,vql-timestamp
+         TRUNCATE = 512000
+       * Add the following to transforms.conf
+         [vql-sourcetype]
+         INGEST_EVAL = sourcetype=lower(_index)
+         [vql-timestamp]
+         INGEST_EVAL = _time=case( \
+                       _index="artifact_Linux_Search_FileFinder",strptime(CTime,"%Y-%m-%dT%H:%M:%SZ"), \
+                       _index="artifact_System_VFS_ListDirectory",strptime(ctime,"%Y-%m-%dT%H:%M:%S.%NZ"), \
+                       _index="artifact_Windows_Timeline_MFT",strptime(event_time,"%Y-%m-%dT%H:%M:%S.%NZ"), \
+                       _index="artifact_Windows_NTFS_MFT",strptime(Created0x10,"%Y-%m-%dT%H:%M:%S.%NZ"), \
+                       _index="artifact_Windows_EventLogs_Evtx",strptime(TimeCreated,"%Y-%m-%dT%H:%M:%SZ"), \
+                       _index="artifact_Custom_Windows_EventLogs_System_7045",strptime(TimeCreated,"%Y-%m-%dT%H:%M:%SZ"), \
+                       _index="artifact_Windows_EventLogs_RDPAuth",strptime(EventTime,"%Y-%m-%dT%H:%M:%SZ"), \
+                       _index="artifact_Windows_Analysis_EvidenceOfExecution_UserAssist",strptime(LastExecution,"%Y-%m-%dT%H:%M:%SZ"), \
+                       _index="artifact_Windows_Analysis_EvidenceOfExecution_Amcache",strptime(KeyMTime,"%Y-%m-%dT%H:%M:%SZ"), \
+                       _index="artifact_Windows_System_Amcache_InventoryApplicationFile",strptime(LastModified,"%Y-%m-%dT%H:%M:%SZ"), \
+                       _index="artifact_Windows_Search_FileFinder",strptime(CTime,"%Y-%m-%dT%H:%M:%S.%NZ"), \
+                       _index="artifact_Windows_Applications_NirsoftBrowserViewer",strptime(Visited,"%Y-%m-%dT%H:%M:%SZ"), \
+                       _index="artifact_Windows_Registry_RecentDocs",strptime(LastWriteTime,"%Y-%m-%dT%H:%M:%SZ"), \
+                       _index="artifact_Custom_Windows_Application_IIS_IISLogs",strptime(event_time,"%Y-%m-%dT%H:%M:%SZ"), \
+                       _index="artifact_MacOS_Applications_Chrome_History",strptime(last_visit_time,"%Y-%m-%dT%H:%M:%SZ"), \
+                       _index="artifact_Windows_Registry_UserAssist",strptime(LastExecution,"%Y-%m-%dT%H:%M:%SZ") \
+                       )
+
 
        > Note: `Enable SSL` only works if SSL is properly configured on your
        Splunk server -- meaning you have proper certificates and DNS. If you are