This helps you to quickly take advantage of the attack_data datasets from Splunk for your environment

OutpostSecurity/splunk_attack_data

This project is meant to help you script the import of attack datasets from Splunk's attack_data repository. Be sure to review the README and install steps at https://github.com/splunk/attack_data first.

Setup

Install git on the server

sudo yum -y install git

Install pip on the server

sudo yum -y install pip

Download the repository with this command:

git clone https://github.com/splunk/attack_data

Configure LFS

Install git-lfs

sudo yum -y install git-lfs

Initiate LFS

git lfs install --skip-smudge

Move into the attack_data directory and do a full LFS pull. This is roughly 12 GB, since it downloads all of the datasets. Alternatively, you can download only selected datasets; see how at https://github.com/splunk/attack_data

cd attack_data/
git lfs pull

Setup Virtual Environment

We now set up a Python virtual environment for running the replay files.

cd attack_data
pip install virtualenv
virtualenv venv
source venv/bin/activate
pip install -r bin/requirements.txt
deactivate

Configure Replay Datasets

Copy the replay files to attack_data/bin/:

replay_malware1.yml
replay_malware2.yml
replay_malware3.yml
replay_malware4.yml
replay_suspicious_behaviour.yml
replay_ttp1.yml

Be sure to edit each replay file to connect to the Splunk instance you have:

splunk:
  # connects to host on port 8089 make sure you have access to <host>:8089
  host: localhost
  username: admin
  password: changeme

Also do a find and replace on the following line in each replay file to set the index you want to send the data to:

index: mordor

Copy the data load scripts to the directory above attack_data and make them executable:

splunk_dataload1.sh
splunk_dataload2.sh
chmod u+x splunk_dataload*

Patch attack_data/bin/replay.py

Add:

from shutil import copyfileobj

Replace:

kwargs_submit['rename-source'] = dataset['replay_parameters']['source']
results = index.upload(fullpath, **kwargs_submit)

With:

kwargs_submit['source'] = dataset['replay_parameters']['source']
with index.attached_socket(**kwargs_submit) as index_socket, open(fullpath, 'rb') as logfile:
    copyfileobj(logfile, index_socket)
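The patched streaming step, isolated into a function so it can be checked offline, as an added example (not code from the OutpostSecurity or splunk/attack_data repositories). FakeIndex is a constructed stand-in for splunklib.client.Index; the 'sourcetype' and 'host' keys are assumed optional replay_parameters entries, only 'source' comes from the patch above.

```python
"""Added example: the streaming replay step from the patched replay.py,
with byte count and SHA-256 of what went over the wire for verification.
FakeIndex is a constructed stand-in for splunklib.client.Index."""
import hashlib
import io
import os
import tempfile
from contextlib import contextmanager
from shutil import copyfileobj


class _HashingWriter:
    """Wraps the receiver socket so copyfileobj's writes are counted and hashed."""
    def __init__(self, sock):
        self._sock, self.digest, self.count = sock, hashlib.sha256(), 0

    def write(self, data):
        self._sock.write(data)  # copyfileobj calls write(); ssl.SSLSocket provides it
        self.digest.update(data)
        self.count += len(data)
        return len(data)


def stream_dataset(index, fullpath, replay_parameters):
    """Replay one dataset file into `index` over an attached receiver socket.
    Returns (bytes_streamed, sha256_hex) so the replay can be verified."""
    kwargs_submit = {'source': replay_parameters['source']}  # key used by the patch
    # assumed optional keys, forwarded only when the YAML provides them
    kwargs_submit.update({k: replay_parameters[k] for k in ('sourcetype', 'host')
                          if k in replay_parameters})
    with index.attached_socket(**kwargs_submit) as index_socket, \
            open(fullpath, 'rb') as logfile:
        writer = _HashingWriter(index_socket)
        copyfileobj(logfile, writer)  # streams in chunks; file never fully in memory
    return writer.count, writer.digest.hexdigest()


class FakeIndex:
    """Constructed stand-in: records the kwargs and bytes a real Index would get."""
    def __init__(self):
        self.received, self.kwargs = io.BytesIO(), None

    @contextmanager
    def attached_socket(self, **kwargs):
        self.kwargs = kwargs
        yield self.received


def demo():
    """Stream a small constructed log file and report what reached the index."""
    sample = b''.join(b'EventCode=4688 constructed sample line %d\n' % i for i in range(3))
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample)
    try:
        index = FakeIndex()
        sent, digest = stream_dataset(index, tmp.name, {'source': 'WinEventLog:Security',
                                                        'sourcetype': 'XmlWinEventLog'})
    finally:
        os.unlink(tmp.name)
    return {'sent': sent, 'size': len(sample), 'digest': digest,
            'expected': hashlib.sha256(sample).hexdigest(),
            'received_ok': index.received.getvalue() == sample, 'kwargs': index.kwargs}
```

Against a live Splunk, pass a real client.Index and compare the returned byte count with os.path.getsize(fullpath) to confirm the whole dataset was streamed.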

Run Replay

To run the data load replays we set up:

./splunk_dataload1.sh
./splunk_dataload2.sh

Happy Threat Hunting :)
