
Installation Sigma Hunting App

P4T12ICK edited this page Dec 1, 2019 · 8 revisions

This wiki page describes the installation of the Sigma Hunting App for Splunk. To update the Sigma rules dynamically, a few packages are required: the Sigma Hunting App uses the Sigma tool (sigmac) and Sigma2SplunkAlert, so it needs the packages those two tools depend on. The installation of the packages is described in the next section; after that, the installation of the Splunk App is described.

Installation Packages

The following packages are needed for the Sigma Hunting App:

  • Python 3.5 or newer
  • Jinja2
  • PyYAML
  • sigmac

Python >= 3.5

Python 3.5 or newer must be installed; there are plenty of tutorials on how to do this for your Linux distribution. It is also important that the python3 symlink points to your newest Python 3 version, because the update script invokes Sigma2SplunkAlert with python3. Test it with:

python3 -V

Jinja2

Jinja2 is needed by Sigma2SplunkAlert. Installing it with pip3 is recommended.

PyYAML

PyYAML is needed by Sigma and Sigma2SplunkAlert. Installing it with pip3 is recommended.

sigmac

The Sigma converter, sigmac, is needed. Install it with pip3 using the following command:

pip3 install sigmatools

Test that the following command can be executed by the user that runs Splunk, because the update script runs as that user:

sigmac --help
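The four requirements above are easy to verify in one pass. The following POSIX shell script is an added example and not part of the Sigma Hunting App or Sigma2SplunkAlert; the file name check_sigma_prereqs.sh, the helper names and the splunk user name are assumptions. It checks that python3 is on PATH and is 3.5 or newer, that the Jinja2 and PyYAML modules import under that python3, and that sigmac is on PATH. Run it as the user that runs Splunk, since that is the user the update script runs as:

```shell
#!/bin/sh
# Added example (not part of the Sigma Hunting App): pre-flight check for the
# packages the update script needs. Run as the user that runs Splunk, e.g.
#   sudo -u splunk sh check_sigma_prereqs.sh
# The script name, the "splunk" user and the 3.5 threshold are assumptions
# taken from this wiki page.

# Return 0 if the command named in $1 is on PATH, 1 otherwise.
check_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# Return 0 if the "Python X.Y.Z" string in $1 (the output of `python3 -V`)
# is version 3.5 or newer, 1 otherwise (including unparsable input).
python_is_new_enough() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Python \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 5 ]; }
}

# Return 0 if the python3 on PATH can import the module named in $1.
python_has_module() {
    python3 -c "import $1" >/dev/null 2>&1
}

# Run all checks and print one line per check; return 0 only if all passed.
check_sigma_prereqs() {
    status=0
    if check_cmd python3; then
        pyver=$(python3 -V 2>&1)   # old pythons print the version to stderr
        if python_is_new_enough "$pyver"; then
            echo "ok   $pyver"
        else
            echo "FAIL $pyver (need 3.5 or newer behind the python3 symlink)"
            status=1
        fi
        # Jinja2 imports as "jinja2", PyYAML imports as "yaml".
        for mod in jinja2 yaml; do
            if python_has_module "$mod"; then
                echo "ok   python3 module $mod"
            else
                echo "FAIL python3 module $mod missing (install it with pip3)"
                status=1
            fi
        done
    else
        echo "FAIL python3 not on PATH for user $(id -un)"
        status=1
    fi
    if check_cmd sigmac; then
        echo "ok   sigmac found at $(command -v sigmac)"
    else
        echo "FAIL sigmac not on PATH for user $(id -un) (pip3 install sigmatools)"
        status=1
    fi
    return $status
}

# Only run the report when executed as a script, not when the functions are
# sourced into another shell.
case "$0" in
    *check_sigma_prereqs.sh) check_sigma_prereqs ;;
esac
```

A non-zero exit status means at least one FAIL line was printed. Because PATH and the installed pip3 modules can differ between your login user and the Splunk user, a check that passes for root or your own account says nothing about the account the update script actually runs as; always run it via sudo -u as that user.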

Installation Splunk App

The installation of the Splunk App consists of several steps:

  • Installation of additional Splunk Visualization Apps
  • Installation of the Sigma Hunting App
  • Configuration of the Sigma Hunting App
  • Change of the Sigma Configuration
  • Change of the Threat Hunting Index (optional)

Installation of additional Splunk Visualization Apps

The Sigma Hunting App uses additional visualizations. Please download and install the following Splunk App from Splunkbase:

Installation of the Sigma Hunting App

The Sigma Hunting App is provided as a .spl file, which can easily be installed via Manage Apps / Install app from file. After the installation, Splunk must be restarted.

Configuration of the Sigma Hunting App

After Splunk has been restarted, configure the Sigma Hunting App by navigating to Manage Apps and clicking Set Up. Two values can be changed:

  • Repository: The URL of the git repository from which your detection rules are retrieved. Use the same URL you would pass to git clone, e.g. https://... for a public repository and git@github... for a private repository. For a private repository, don't forget to configure SSH keys; the update runs as the user that runs Splunk, so that user's keys are the ones that must work.
  • Folder: Leave this value empty to use all Sigma detection rules in the repository. To use a specific subfolder, specify its path including the name of the repository, e.g. for the repository Sigma-Rule-Repository, a specific folder is Sigma-Rule-Repository/detection-rules/windows.
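The two Set Up values are easy to get wrong: a Folder without the repository-name prefix, or a git@ URL for which the Splunk user has no SSH key. The following shell functions are an added example, not part of the Sigma Hunting App; the function names, the file name check_setup.sh and the sample repository URLs are assumptions. They derive the clone directory name from the URL the way git does (for https, git@host: and ssh:// forms), check that Folder starts with it, flag SSH URLs, and confirm the repository is reachable with the credentials of the user running the script:

```shell
#!/bin/sh
# Added example, not part of the Sigma Hunting App: check the Repository and
# Folder values from the Set Up page before saving them. Function names and
# the script name are our own; run as the user that runs Splunk.

# Print the directory name "git clone" creates for URL $1: the last path
# component with a trailing ".git" removed. Handles https://host/user/repo.git,
# git@host:user/repo.git and ssh://git@host/user/repo.
repo_name_from_url() {
    name=${1%/}          # drop a trailing slash
    name=${name##*/}     # keep the last "/"-separated component
    name=${name##*:}     # git@host:repo.git has ":" instead of "/"
    name=${name%.git}    # strip the .git suffix if present
    printf '%s\n' "$name"
}

# Return 0 if Folder ($2) is empty (use the whole repository) or starts with
# the repository name derived from URL ($1), as the Set Up page requires.
folder_matches_repo() {
    url=$1
    folder=$2
    [ -z "$folder" ] && return 0
    repo=$(repo_name_from_url "$url")
    case "$folder" in
        "$repo"|"$repo"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if URL $1 is an SSH form (private repository), meaning the user
# running the update needs a working SSH key for that git host.
url_needs_ssh_key() {
    case "$1" in
        git@*|ssh://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the repository can be listed with the current user's
# credentials, the same access the update's git clone/pull will need.
repo_is_reachable() {
    git ls-remote --exit-code "$1" HEAD >/dev/null 2>&1
}

# Run all checks for one URL/Folder pair and report; return 0 only if all pass.
check_setup_values() {
    url=$1
    folder=$2
    status=0
    if folder_matches_repo "$url" "$folder"; then
        echo "ok   Folder '$folder' is empty or starts with $(repo_name_from_url "$url")/"
    else
        echo "FAIL Folder '$folder' must start with $(repo_name_from_url "$url")/"
        status=1
    fi
    if url_needs_ssh_key "$url"; then
        echo "note SSH URL: user $(id -un) needs an SSH key for this host"
    fi
    if repo_is_reachable "$url"; then
        echo "ok   repository reachable as $(id -un)"
    else
        echo "FAIL git ls-remote failed as $(id -un) (URL, network or SSH key)"
        status=1
    fi
    return $status
}

# Example invocation (placeholder URL, replace with your own):
#   sudo -u splunk sh check_setup.sh \
#       https://github.com/example/Sigma-Rule-Repository.git \
#       Sigma-Rule-Repository/detection-rules/windows
case "$0" in
    *check_setup.sh) check_setup_values "$1" "$2" ;;
esac
```

The reachability check runs git under whatever user invokes the script, which is exactly why it must be run via sudo -u as the Splunk user: an SSH key in your own ~/.ssh proves nothing about the account that will perform the clone.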

Change of the Sigma Configuration

The Sigma converter uses a Sigma configuration to convert a Sigma rule into a Splunk search (for example, which index to search and how rule fields map to Splunk field names). More information about Sigma can be found here. The configuration used by the converter is located at .../etc/apps/sigma-hunting-app/Sigma2SplunkAlert/sigma_config/splunk-all.yml. Adapt this file to your environment if necessary.

Change of the Threat Hunting Index (optional)

The results of the detection rules are written to the threat-hunting index by default. If necessary, this index can be changed, but it has to be changed in two places. First, edit macros.conf in the default folder of the sigma_hunting_app and set the threat-hunting-index entry to your desired index. Second, change the index name in the configuration file .../etc/apps/sigma-hunting-app/Sigma2SplunkAlert/config/config_report.yml, where the new index name is the value after the key name. Both places must refer to the same index, otherwise the searches read from a different index than the alerts write to.