For the lastest installation instructions for this repo please see this blog post: IR TALES: THE QUEST FOR THE HOLY SIEM: SPLUNK + SYSMON + OSQUERY + ZEEK
vim macos-workshop/ChooseYourSIEMAdventure/hosts.iniand add the Graylog server IP address under[splunk]vim macos-workshop/ChooseYourSIEMAdventure/group_vars/all.ymland set:base_domain–<external_domain - group_vars/all.yml>timezone– OPTIONAL – The default timezone is UTC+0siem_username– Ignore this settingsiem_password– Set the Splunk admin password
vim macos-workshop/ChooseYourSIEMAdventure/group_vars/splunk.ymland set:hostname– Set the desired hostname for the serversplunk_version– Set the desired version of Splunk to usesplunk_dl_url– Set to the URL to download Splunkbeats_port– OPTIONAL – Set the port to ingest logs using BEATs clientselastic_version– OPTIONAL – Set the desired version of Logstash to use with Splunk – best to leave as defaultelastic_repo_version– Change the repo version to install Logstash
ansible-playbook -i hosts.ini deploy_splunk.yml -u ubuntu --key-file terraform/ssh_keys/id_rsa
- SSH into Elastic EC2 instance
sudo suapt install certbot python3-certbot-nginx -ycertbot --nginx -d splunk.<external domain>- Enter the e-mail for the admin of the domain
- Enter
Afor Terms of Service - Enter
Nto share e-mail with EFF - Enter
2to redirect HTTP traffic to HTTPS - Review NGINX config:
/etc/nginx/conf.d/graylog.conf systemctl restart nginx
- Open browser to
https://splunk.<external domain>and login - Enter
adminfor username - Enter
<siem_password>into Password - Settings > Users and Authentication > Users
- Select "New User" in top right
- Enter
threathunterinto name - Enter
threathunterinto full name - Leave e-mail blank
- Enter a password for the user
- UNcheck
Require password change on first login 
- Select "Create user"
- Settings > Data > Indexes
- Select "New index" in the top right
- Enter
osqueryinto Index name - Select
Eventsfor Index Data Type - Ensure "Search & Reporting" is selected for App
- Select "Save"
- Repeat for the test index
- Apps > Find More Apps
- Search for
osquery - Select "Install" for add-on for Osquery
- Enter Splunk account credentials
- Install app
- Restart Splunk
- Apps > Find More Apps
- Search for
Sysmon - Select "Install" for Splunk Add-On for Microsoft Sysmon
- Enter Splunk account credentials
- Install app
- Restart Splunk
- Settings > Data > Data inputs
- Type > HTTP Event Collector
- Select "New Token" in the top right
- Select Source
- Enter
osquery-hec-tokeninto Name 
- Select "Next"
- Input Settings
- Select
osquery:resultsfor sourcetype - Select
osqueryfor allowed indexes- 
- Select "Next"
- Review
- Select "Next"
- Done
- Repeat for test index
- Settings > Data > Data inputs
- Type > HTTP Event Collector
- Copy HEC tokens
- SSH into Splunk EC2 instance
sudo susystemctl stop logstashrm /etc/logstash/conf.d/3*-output-*.conf- Delete all the outputs
curl https://raw.githubusercontent.com/OTRF/macos-workshops/main/conf/splunk/30-output-logstash-service.conf?token=AIRH4CATUWWQ5SJO44XIHGLA3UJTU --output 30-output-splunk-osquery.confsed -i "s#{{ logstash_type }}#osquery_json#g" 30-output-splunk-osquery.conf- Set Logstash type
sed -i "s#{{ hec_token }}#<osquery-hec-token>#g" 30-output-splunk-osquery.conf- Set Splunk HEC token
sed -i "s#{{ splunk_source_type }}#osquery:results#g" 30-output-splunk-osquery.conf- Set Splunk source type
tail -f /var/log/logstash/logstash-plain
- SSH into Splunk
/opt/splunk/bin/splunk stop/opt/splunk/bin/splunk clean eventdata -index <index name>
- How to Set up Splunk HEC the Smart Way
- What is the reseasoning behind the Sysmon sourcetype?
- How to create HEC token through an API call?
- Using the AUTH LOGIN sessionkey with Curl SplunkAPI
- Using Ansible uri module to add users to splunk via REST API
- Splunk REST API Reference Manual
- Remove indexes and indexed data