├── .gitignore ├── Dockerfile ├── LICENSE ├── README.md ├── Splunk4DFIR ├── bin │ ├── format_cloudtrail.sh │ ├── format_gcp.sh │ ├── format_memprocfs.sh │ ├── format_suricata.sh │ ├── format_zeek.sh │ ├── ingest_evtx.sh │ └── set_savedsearches.sh ├── default │ ├── app.conf │ ├── data │ │ └── ui │ │ │ ├── nav │ │ │ └── default.xml │ │ │ └── views │ │ │ ├── autorunsc.xml │ │ │ ├── aws_cloudtrail_overview.xml │ │ │ ├── execution_artifacts.xml │ │ │ ├── gcp_audit_overview.xml │ │ │ ├── hayabusa.xml │ │ │ ├── kw_hunt_artifacts.xml │ │ │ ├── kw_hunt_memprocfs.xml │ │ │ ├── kw_hunt_supertimeline.xml │ │ │ ├── kw_hunt_syslog.xml │ │ │ ├── kw_hunt_win.xml │ │ │ ├── logon_events.xml │ │ │ ├── loldrivers.xml │ │ │ ├── memprocfs_evil.xml │ │ │ ├── memprocfs_proc.xml │ │ │ ├── notables_endpoint.xml │ │ │ ├── prefetch.xml │ │ │ ├── shimcache.xml │ │ │ ├── sigma_rule_catalogue.xml │ │ │ ├── sigma_rule_hits.xml │ │ │ ├── ssh_logons.xml │ │ │ ├── supertimeline.xml │ │ │ ├── suricata_alerts.xml │ │ │ ├── suzaku_aws.xml │ │ │ ├── timeline.xml │ │ │ ├── webaccesslogs_hunt.xml │ │ │ └── zeek.xml │ ├── indexes.conf │ ├── inputs.conf │ ├── limits.conf │ ├── macros.conf │ ├── props.conf │ ├── savedsearches.conf │ └── transforms.conf ├── lookups │ ├── .gitkeep │ └── suspicious_web_uri.csv └── metadata │ └── default.meta ├── artifacts ├── cloudtrail │ └── .gitkeep ├── csv │ └── .gitkeep ├── elastic_agent │ └── .gitkeep ├── evtx │ └── .gitkeep ├── gcp │ └── .gitkeep ├── json │ └── .gitkeep ├── memprocfs │ └── .gitkeep ├── pcap │ └── .gitkeep ├── plaso │ └── .gitkeep ├── raw │ └── .gitkeep ├── supertimelines │ └── .gitkeep ├── suricata │ └── .gitkeep ├── syslog │ └── .gitkeep ├── timelines │ └── .gitkeep └── zeek │ └── .gitkeep ├── doc └── images │ └── splunk4dfir_demo.png ├── eztools ├── Dockerfile └── run_eztools.sh ├── resources └── sankey-diagram-custom-visualization_130.tgz ├── sigma ├── Dockerfile ├── compiled │ ├── cloudtrail_savedsearches.conf │ ├── gcp_savedsearches.conf │ ├── linuxbuiltin_savedsearches.conf │ └── windows_savedsearches.conf ├── pipelines │ ├── .gitkeep │ ├── cloudtrail.yml │ ├── evtx2splunk.yml │ ├── gcp.yml │ ├── linux_builtin.yml │ └── webserver_generic.yml ├── rules-testing │ └── testing_placeholders.yml └── rules │ └── .gitkeep ├── suricata └── Dockerfile └── zeek └── Dockerfile /.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/.gitignore -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Dockerfile -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/LICENSE -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/README.md -------------------------------------------------------------------------------- /Splunk4DFIR/bin/format_cloudtrail.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/bin/format_cloudtrail.sh -------------------------------------------------------------------------------- /Splunk4DFIR/bin/format_gcp.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/bin/format_gcp.sh -------------------------------------------------------------------------------- /Splunk4DFIR/bin/format_memprocfs.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/bin/format_memprocfs.sh -------------------------------------------------------------------------------- /Splunk4DFIR/bin/format_suricata.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/bin/format_suricata.sh -------------------------------------------------------------------------------- /Splunk4DFIR/bin/format_zeek.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/bin/format_zeek.sh -------------------------------------------------------------------------------- /Splunk4DFIR/bin/ingest_evtx.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/bin/ingest_evtx.sh -------------------------------------------------------------------------------- /Splunk4DFIR/bin/set_savedsearches.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/bin/set_savedsearches.sh -------------------------------------------------------------------------------- /Splunk4DFIR/default/app.conf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/app.conf -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/nav/default.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/nav/default.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/autorunsc.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/autorunsc.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/aws_cloudtrail_overview.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/aws_cloudtrail_overview.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/execution_artifacts.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/execution_artifacts.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/gcp_audit_overview.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/gcp_audit_overview.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/hayabusa.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/hayabusa.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/kw_hunt_artifacts.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/kw_hunt_artifacts.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/kw_hunt_memprocfs.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/kw_hunt_memprocfs.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/kw_hunt_supertimeline.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/kw_hunt_supertimeline.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/kw_hunt_syslog.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/kw_hunt_syslog.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/kw_hunt_win.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/kw_hunt_win.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/logon_events.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/logon_events.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/loldrivers.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/loldrivers.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/memprocfs_evil.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/memprocfs_evil.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/memprocfs_proc.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/memprocfs_proc.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/notables_endpoint.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/notables_endpoint.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/prefetch.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/prefetch.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/shimcache.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/shimcache.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/sigma_rule_catalogue.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/sigma_rule_catalogue.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/sigma_rule_hits.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/sigma_rule_hits.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/ssh_logons.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/ssh_logons.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/supertimeline.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/supertimeline.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/suricata_alerts.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/suricata_alerts.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/suzaku_aws.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/suzaku_aws.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/timeline.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/timeline.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/webaccesslogs_hunt.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/webaccesslogs_hunt.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/data/ui/views/zeek.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/data/ui/views/zeek.xml -------------------------------------------------------------------------------- /Splunk4DFIR/default/indexes.conf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/indexes.conf -------------------------------------------------------------------------------- /Splunk4DFIR/default/inputs.conf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/inputs.conf -------------------------------------------------------------------------------- /Splunk4DFIR/default/limits.conf: -------------------------------------------------------------------------------- 1 | [lookup] 2 | max_memtable_bytes = 52428800 3 | -------------------------------------------------------------------------------- /Splunk4DFIR/default/macros.conf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/macros.conf -------------------------------------------------------------------------------- /Splunk4DFIR/default/props.conf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/props.conf -------------------------------------------------------------------------------- /Splunk4DFIR/default/savedsearches.conf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/savedsearches.conf -------------------------------------------------------------------------------- /Splunk4DFIR/default/transforms.conf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/default/transforms.conf -------------------------------------------------------------------------------- /Splunk4DFIR/lookups/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Splunk4DFIR/lookups/suspicious_web_uri.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/lookups/suspicious_web_uri.csv -------------------------------------------------------------------------------- /Splunk4DFIR/metadata/default.meta: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/Splunk4DFIR/metadata/default.meta -------------------------------------------------------------------------------- /artifacts/cloudtrail/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /artifacts/csv/.gitkeep: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /artifacts/elastic_agent/.gitkeep: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /artifacts/evtx/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /artifacts/gcp/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /artifacts/json/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /artifacts/memprocfs/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /artifacts/pcap/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /artifacts/plaso/.gitkeep: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /artifacts/raw/.gitkeep: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /artifacts/supertimelines/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /artifacts/suricata/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /artifacts/syslog/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /artifacts/timelines/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /artifacts/zeek/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /doc/images/splunk4dfir_demo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/doc/images/splunk4dfir_demo.png -------------------------------------------------------------------------------- /eztools/Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/eztools/Dockerfile -------------------------------------------------------------------------------- /eztools/run_eztools.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/eztools/run_eztools.sh -------------------------------------------------------------------------------- /resources/sankey-diagram-custom-visualization_130.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/resources/sankey-diagram-custom-visualization_130.tgz -------------------------------------------------------------------------------- /sigma/Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/sigma/Dockerfile -------------------------------------------------------------------------------- /sigma/compiled/cloudtrail_savedsearches.conf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/sigma/compiled/cloudtrail_savedsearches.conf -------------------------------------------------------------------------------- /sigma/compiled/gcp_savedsearches.conf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/sigma/compiled/gcp_savedsearches.conf -------------------------------------------------------------------------------- /sigma/compiled/linuxbuiltin_savedsearches.conf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/sigma/compiled/linuxbuiltin_savedsearches.conf -------------------------------------------------------------------------------- /sigma/compiled/windows_savedsearches.conf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/sigma/compiled/windows_savedsearches.conf -------------------------------------------------------------------------------- /sigma/pipelines/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /sigma/pipelines/cloudtrail.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/sigma/pipelines/cloudtrail.yml -------------------------------------------------------------------------------- /sigma/pipelines/evtx2splunk.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/sigma/pipelines/evtx2splunk.yml -------------------------------------------------------------------------------- /sigma/pipelines/gcp.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/sigma/pipelines/gcp.yml -------------------------------------------------------------------------------- /sigma/pipelines/linux_builtin.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/sigma/pipelines/linux_builtin.yml -------------------------------------------------------------------------------- /sigma/pipelines/webserver_generic.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/sigma/pipelines/webserver_generic.yml -------------------------------------------------------------------------------- /sigma/rules-testing/testing_placeholders.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/sigma/rules-testing/testing_placeholders.yml -------------------------------------------------------------------------------- /sigma/rules/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /suricata/Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/suricata/Dockerfile -------------------------------------------------------------------------------- /zeek/Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mf1d3l/Splunk4DFIR/HEAD/zeek/Dockerfile --------------------------------------------------------------------------------