splunk-app-and-ta-development / darkfalcon

This project forked from mattimustang/darkfalcon

Splunk-based dashboards and visuals for working with the MITRE ATT&CK Framework

License: GNU General Public License v3.0

PowerShell 100.00%

DarkFalcon

Splunk-based dashboards and visuals for working with the MITRE ATT&CK Framework

This is a lookup-file-driven set of dashboards for working with the ATT&CK framework within a company and using it to make business decisions. The repo also includes an XML file for adding the custom navigation to your Splunk nav.

Setup

Below are the steps you can follow to get DarkFalcon up and running in your Splunk instance.

1. Add Lookup Files

In Splunk, click Settings, then Lookups. Click Lookup Table Files, then New in the upper-left. For each file in the Lookups folder of the repo, add it with the same name as the file; the dashboards reference the lookups by file name, so the names must match exactly.

Ensure the permissions on the files are set to App rather than Owner (private), so others on your team can see them.

2. Create Dashboards

In Splunk, click Dashboards, then the Create New Dashboard button in the upper-right. Set the following in the pop-up: Title: ID: Permissions: Shared in App

When the new dashboard opens, click Edit Source in the upper-right. Copy the XML from the corresponding file in the repo, paste it over the XML in the dashboard, and click Save.

Do this for each file in the Dashboard folder. The dashboards are already written to use the lookup files you added in step 1.

3. Update Navigation

This one is a little trickier, and you have a couple of options for implementing it.

Option 1 - Update Nav XML from SSH

For this, SSH into your Splunk server and browse to the navigation folder of the app you added the dashboards to, usually search or SplunkEnterpriseSecuritySuite (for example $SPLUNK_HOME/etc/apps/search/default/data/ui/nav/).

Copy the collection section of the nav XML from the Navigation folder of this repo and add it to the nav default.xml on your Splunk server. Save the file and refresh the site; you should then see the links.
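Editing default.xml by hand is easy to get wrong (a duplicated collection, a typo that leaves the file malformed so the whole nav disappears, or a link to a dashboard ID that was never created in step 2). The script below is an added example, not part of the DarkFalcon repo: it merges a <collection> into an existing nav file with xml.etree, replacing a collection of the same label instead of appending a second copy, and reports nav entries whose dashboard does not exist. The nav file and the collection are constructed samples; the labels and dashboard IDs in them are assumptions, so substitute the IDs you chose in step 2.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample standing in for an app's existing nav default.xml; the real
# search-app file is longer but has the same shape.
EXISTING_NAV = """<nav search_view="search" color="#65A637">
  <view name="search" default="true" />
  <view name="datasets" />
  <collection label="Reports">
    <view source="all" match="report" />
  </collection>
</nav>
"""

# Constructed sample standing in for the <collection> in the repo's Navigation folder.
# The label and view names are assumptions: use the dashboard IDs you chose in step 2.
DARKFALCON_COLLECTION = """<collection label="DarkFalcon">
  <view name="darkfalcon_overview" />
  <view name="darkfalcon_scoring" />
</collection>
"""


def merge_nav_collection(nav_xml, collection_xml):
    """Return nav_xml with the collection added. Idempotent: a collection with the
    same label already present is replaced in place instead of appended again."""
    nav = ET.fromstring(nav_xml)  # raises ParseError on malformed XML, before Splunk sees it
    if nav.tag != "nav":
        raise ValueError("not a Splunk nav file: root element is <%s>" % nav.tag)
    new = ET.fromstring(collection_xml)
    if new.tag != "collection" or not new.get("label"):
        raise ValueError("expected a <collection label=...> element")
    for idx, child in enumerate(list(nav)):
        if child.tag == "collection" and child.get("label") == new.get("label"):
            nav.remove(child)
            nav.insert(idx, new)
            break
    else:
        nav.append(new)
    return ET.tostring(nav, encoding="unicode")


def collection_views(nav_xml, label):
    """View names linked from the collection with the given label ([] if absent)."""
    nav = ET.fromstring(nav_xml)
    for coll in nav.iter("collection"):
        if coll.get("label") == label:
            return [v.get("name") for v in coll.iter("view") if v.get("name")]
    return []


def missing_views(nav_xml, label, existing_views):
    """Nav entries whose dashboard ID does not exist yet (step 2 not done for it,
    or a different ID was chosen when the dashboard was created)."""
    return [n for n in collection_views(nav_xml, label) if n not in set(existing_views)]


if __name__ == "__main__":
    # Usage: merge_nav.py <nav default.xml> <collection.xml>  (merged XML goes to stdout)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            print(merge_nav_collection(f.read(), g.read()))
    else:
        print(merge_nav_collection(EXISTING_NAV, DARKFALCON_COLLECTION))
```

Write the merged result to local/data/ui/nav/default.xml of the app rather than editing the file under default/: a nav file in local/ overrides the one in default/, and an app upgrade will not overwrite your change. To get the dashboard IDs for missing_views, list the *.xml files under the app's data/ui/views directory (the file stem is the ID).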

Option 2 - Create the Nav from the GUI

This is easiest in Enterprise Security, since it provides an easy-to-use page for it. In ES, click Configure, then General, then Navigation.

On that page you will see the DarkFalcon dashboards you created in step 2; drag them to the right to stack them in the navigation bar. Use the XML from this repo under Navigation as an outline of how we laid ours out.

4. Setup Reports

Part of the reporting is a scheduled report that archives the scores so they can be tracked over time. The other report is used for automated scoring and is discussed in the blog.

In Splunk, click Settings, then Searches and Reports. Click New and enter the settings outlined for each report in the Reports folder of this repo.
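Steps 1 to 3 are clicks in the GUI, which is fine for one search head but hard to reproduce or review. The alternative a Splunk admin would normally take is to package the repo's Lookups, Dashboard and Navigation folders as a standalone app directory and drop it into $SPLUNK_HOME/etc/apps: the metadata/default.meta file then grants the app-level sharing that steps 1 and 2 ask for, and the app owns its own nav so nothing has to be merged into the search app. The script below is an added example of that packaging, not code from the DarkFalcon repo. It assumes the lookups are .csv files and the dashboards and nav are .xml files (the page names the folders but not the extensions), names the app darkfalcon, and checks that every lookup file a dashboard references with inputlookup or lookup actually exists, which is the mismatch the GUI only reveals as an empty panel. The reports from step 4 are left to the GUI because their settings live in the repo's Reports folder and are not reproduced here. demo() builds a constructed miniature repo with sample content (not the real DarkFalcon files) so the script runs offline.

```python
import re
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Matches "inputlookup foo.csv" / "lookup foo.csv" in dashboard searches. Only names
# ending in .csv are checked against lookups/: a bare name is a lookup definition
# (transforms.conf), which this script does not manage.
LOOKUP_RE = re.compile(r"\b(?:inputlookup|lookup)\s+(?:append=\w+\s+)?([\w.\-]+)")

# Shares every object in the app with all users and exports it system-wide, so the
# lookups and dashboards are visible from the search app and ES (step 1's
# "permissions: App" and step 2's "Shared in App", done once in a file).
DEFAULT_META = """[]
access = read : [ * ], write : [ admin ]
export = system
"""

APP_CONF = """[install]
is_configured = true
[ui]
is_visible = true
label = DarkFalcon
"""


def build_app(repo, dest, app_name="darkfalcon"):
    """Copy the repo folders into a Splunk app layout under dest/app_name; return its path."""
    repo, app = Path(repo), Path(dest) / app_name
    views = app / "default" / "data" / "ui" / "views"
    nav = app / "default" / "data" / "ui" / "nav"
    for d in (app / "lookups", views, nav, app / "metadata"):
        d.mkdir(parents=True, exist_ok=True)
    for f in sorted((repo / "Lookups").glob("*.csv")):
        shutil.copy(f, app / "lookups" / f.name)      # same file name, as step 1 requires
    for f in sorted((repo / "Dashboard").glob("*.xml")):
        ET.parse(f)                                    # reject malformed XML before Splunk has to
        shutil.copy(f, views / f.name)                 # the file stem becomes the dashboard ID
    for f in sorted((repo / "Navigation").glob("*.xml")):
        ET.parse(f)
        shutil.copy(f, nav / "default.xml")            # a fresh app owns its nav; no merge needed
    (app / "metadata" / "default.meta").write_text(DEFAULT_META)
    (app / "default" / "app.conf").write_text(APP_CONF)
    return app


def check_lookup_refs(app):
    """Return {dashboard file: [lookup .csv it references that lookups/ lacks]}."""
    app = Path(app)
    present = {p.name for p in (app / "lookups").glob("*.csv")}
    missing = {}
    for view in sorted((app / "default" / "data" / "ui" / "views").glob("*.xml")):
        for name in LOOKUP_RE.findall(view.read_text()):
            if name.endswith(".csv") and name not in present:
                missing.setdefault(view.name, []).append(name)
    return missing


def demo():
    """Package a constructed miniature repo (sample content, not the real DarkFalcon
    files) and return (relative file paths in the app, lookup-reference check)."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "repo"
        for sub in ("Lookups", "Dashboard", "Navigation"):
            (repo / sub).mkdir(parents=True)
        (repo / "Lookups" / "attack_techniques.csv").write_text(
            "technique_id,technique,tactic\nT1059,Command and Scripting Interpreter,Execution\n")
        (repo / "Dashboard" / "darkfalcon_overview.xml").write_text(
            "<dashboard><label>Overview</label><row><panel><table><search>"
            "<query>| inputlookup attack_techniques.csv | stats count by tactic</query>"
            "</search></table></panel></row></dashboard>")
        # Deliberately references a lookup that was never added, to show the check firing.
        (repo / "Dashboard" / "darkfalcon_scoring.xml").write_text(
            "<dashboard><label>Scoring</label><row><panel><table><search>"
            "<query>| inputlookup attack_scores.csv | stats avg(score)</query>"
            "</search></table></panel></row></dashboard>")
        (repo / "Navigation" / "nav.xml").write_text(
            '<nav><collection label="DarkFalcon"><view name="darkfalcon_overview"/>'
            '<view name="darkfalcon_scoring"/></collection></nav>')
        app = build_app(repo, Path(tmp) / "apps")
        files = sorted(str(p.relative_to(app)) for p in app.rglob("*") if p.is_file())
        return files, check_lookup_refs(app)


if __name__ == "__main__":
    files, missing = demo()
    print("\n".join(files))
    print("dashboards referencing missing lookups:", missing)
```

After copying the generated directory to $SPLUNK_HOME/etc/apps/ on the search head (or deploying it through the deployer on a search head cluster), restart Splunk or reload the UI so the views and nav are picked up. Because the app exports its objects system-wide, ES users see the lookups and dashboards without any per-object permission changes, which is also why the write permission is restricted to admin in default.meta.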

Contributors

security-storm
