-
Notifications
You must be signed in to change notification settings - Fork 22
Installation Sigma Hunting App
This wiki page describes the installation of the Sigma Hunting App for Splunk. In order to be able to dynamically update the Sigma rules, a few packages are necessary. The Sigma Hunting App use the Sigma tool and Sigma2SplunkAlert. That's why, the Sigma Hunting App needs the necessary packages for Sigma and Sigma2SplunkAlert. The Installation of the Packages are described in the next section. Subsequently, the installation of the Splunk App is described.
The following packages are needed for the Sigma Hunting App:
- Python >= 3.5 or newer
- Jinja2
- PyYAML
- sigmac
Python version 3.5 or newer needs to be installed. There exists a lot of tutorials, how to do it based on your linux operating system. Additionally, it is important to have a symlink for python3 to your newest python3 version, because the updating script is using python3 to execute Sigma2SplunkAlert. Please test it with:
python3 -V
Jinja2 is needed for Sigma2SplunkAlert. I would recommend to install Jinja2 over pip3.
PyYAML is needed for Sigma and Sigma2SplunkALert. I would recommend to install PyYAML over pip3.
The converter for Sigma with the name sigmac is needed. You can install it over pip3 with the following command:
pip3 install sigmatools
Please test it, if you can execute the following command with the user, who executes Splunk:
sigmac --help
The Installation of the Splunk App contains several steps:
- Installation of the Sigma Hunting Whitelist App
- Installation of the Sigma Hunting App
- Change of the Sigma Configuration
- Change of the Hunting Index (optional)