This covers the actual Splunk configuration needed to build a functional home SOC dashboard from scratch. The assumption is Splunk Enterprise (free trial or licensed) ingesting Windows Security events, Sysmon, and optionally Zeek.<\/p>\n
Install the required add-ons before building any searches. Without these, field extractions do not work and all searches run against raw event text:<\/p>\n
# Download from Splunkbase:\n# - Splunk Add-on for Microsoft Windows (TA-windows)\n# - Splunk Add-on for Sysmon (TA-sysmon)\n\n# Install via CLI:\n$SPLUNK_HOME\/bin\/splunk install app TA-windows.tgz -auth admin:password\n$SPLUNK_HOME\/bin\/splunk install app TA-sysmon.tgz -auth admin:password\n$SPLUNK_HOME\/bin\/splunk restart<\/pre>\nConfigure a Universal Forwarder on each Windows target to send events to Splunk. The inputs.conf on each forwarder:<\/p>\n
[WinEventLog:\/\/Security]\ndisabled = false\nindex = wineventlog\n\n[WinEventLog:\/\/Microsoft-Windows-Sysmon\/Operational]\ndisabled = false\nrenderXml = true\nindex = sysmon<\/pre>\nVerifying field extractions<\/h3>\n
Before building dashboards, confirm fields are parsing correctly:<\/p>\n
index=wineventlog EventCode=4624\n| table _time, host, EventCode, Account_Name, Logon_Type, src_ip\n| head 10<\/pre>\nIf Account_Name is empty, the TA-windows add-on is either not installed or not applied to the correct index. Fix with:<\/p>\n
# props.conf in TA-windows\/default\/ should contain:\n[WinEventLog:Security]\nTRANSFORMS-force_sourcetype = force_wineventlog_security_sourcetype<\/pre>\nDashboard panel 1 \u2014 Failed logon attempts<\/h3>\n
index=wineventlog EventCode=4625 earliest=-24h\n| eval Logon_Type_Name=case(\n Logon_Type==\"2\",\"Interactive\",\n Logon_Type==\"3\",\"Network\",\n Logon_Type==\"10\",\"RemoteInteractive\",\n true(),\"Other\")\n| stats count AS Failures, \n dc(src_ip) AS UniqueSourceIPs,\n values(src_ip) AS SourceIPs\n by Account_Name, Logon_Type_Name, ComputerName\n| where Failures > 5\n| sort -Failures<\/pre>\nThreshold of 5 catches brute force without generating noise from single mistyped passwords.<\/p>\n
Dashboard panel 2 \u2014 New local admin accounts<\/h3>\n
index=wineventlog (EventCode=4720 OR EventCode=4728 OR EventCode=4732)\n| eval Action=case(\n EventCode==4720, \"Account Created\",\n EventCode==4728, \"Added to Domain Admins\",\n EventCode==4732, \"Added to Local Admins\")\n| table _time, host, Action, Account_Name, Subject_Account_Name\n| sort -_time<\/pre>\nDashboard panel 3 \u2014 Suspicious process parent-child pairs<\/h3>\n
index=sysmon EventCode=1 earliest=-24h\n| eval ParentName=mvindex(split(ParentImage,\"\\\"),-1)\n| eval ChildName=mvindex(split(Image,\"\\\"),-1)\n| eval Pair=ParentName.\" > \".ChildName\n| stats count by Pair, ComputerName\n| where count < 5 AND \n (ChildName IN ("cmd.exe","powershell.exe","wscript.exe","mshta.exe","cscript.exe")\n OR ParentName IN ("winword.exe","excel.exe","outlook.exe","msaccess.exe"))\n| sort count<\/pre>\nOffice applications spawning cmd.exe or PowerShell is a macro execution indicator. The
count < 5<\/code> filter prioritises rare combinations \u2014 high count pairs are likely legitimate admin activity.<\/p>\nDashboard panel 4 \u2014 PowerShell with encoded commands<\/h3>\n
index=wineventlog EventCode=4688 earliest=-24h\n (Process_Command_Line=\"*-EncodedCommand*\"\n OR Process_Command_Line=\"*-enc *\"\n OR Process_Command_Line=\"*-en *\")\n| rex field=Process_Command_Line \"(?i)-e(?:nc|ncodedcommand)?\\s+(?P[A-Za-z0-9+\/=]{20,})\"\n| eval decoded=base64decode(b64)\n| table _time, host, Account_Name, Process_Command_Line, decoded\n| sort -_time<\/pre>\nDashboard panel 5 \u2014 New scheduled tasks from unusual locations<\/h3>\n
index=wineventlog EventCode=4698 earliest=-24h\n| rex field=_raw \"Task Name:\\s+(?P[^\\r\\n]+)\"\n| rex field=_raw \"Task Content:\\s+(?P.+)\" \n| rex field=task_xml \"Command>(?P[^<]+)<\/Command\"\n| where NOT match(command,\"(?i)^(C:\\\\Windows\\\\|C:\\\\Program Files)\")\n| table _time, host, task_name, command, Subject_Account_Name<\/pre>\nAlert on high-priority detections<\/h3>\n
# Convert any of the above searches to an alert:\n# Search > Save As > Alert\n# Trigger: Scheduled - every 15 minutes\n# Condition: Number of results > 0\n# Actions: Send email \/ Webhook to Slack\/Teams<\/pre>\n","protected":false},"excerpt":{"rendered":"Most Splunk tutorials show dashboards with clean data. Real log
\ndata is messy. The searches that actually work.<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-196","post","type-post","status-publish","format-standard","hentry","category-threat-hunting"],"_links":{"self":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/196","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/comments?post=196"}],"version-history":[{"count":2,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/196\/revisions"}],"predecessor-version":[{"id":238,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/196\/revisions\/238"}],"wp:attachment":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/media?parent=196"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/categories?post=196"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/tags?post=196"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}