If you don't have an account, click the head at the top right and create one.
AWS GuardDuty (Restart required)
Cisco Endpoint Security Analytics (CESA) -- USE FIRST ONE
Code42 for Splunk (Legacy) (Restart required, Set up later)
TA for Code42 App For Splunk (Restart required)
Splunk Add-on for Cisco ASA
Splunk Add-on for Microsoft Cloud Services
Splunk Add-on for Microsoft Office 365
Splunk Add-on for Microsoft Windows
Splunk Add-on for Symantec Endpoint Protection
Splunk Add-on for Tenable Unavailable -- SKIP
Splunk Add-on for Unix and Linux (Set up later)
Splunk Common Information Model
Splunk Stream Add-on
VirusTotal Workflow Actions for Splunk
URL Toolbox
DecryptCommands
Microsoft Azure Active Directory Reporting Add-on for Splunk
Microsoft 365 App for Splunk
Splunk Add-on for Microsoft Office 365 Reporting Web Service
Splunk Add-On for Microsoft Sysmon
osquery App for Splunk
Splunk Add-on for Amazon Web Services (AWS)
Splunk ES Content Update
SA-cim_vladiator
On the Apps page, at the top right, click the "Install app from file" button.
Click the "Choose File" button. Navigate to the .tgz file you downloaded and double-click it.
Click the Upload button.
Repeat these actions for each app on the list above.
sudo wget -P /opt/ https://botsdataset.s3.amazonaws.com/botsv3/botsv3_data_set.tgz
sudo tar zxvf /opt/botsv3_data_set.tgz -C /opt/splunk/etc/apps/
sudo chown -R splunk /opt/splunk
sudo reboot
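The three commands above download an archive and unpack it as root straight into the Splunk apps directory. The following script is an added example (not from the original page) that does the same extract and chown steps with the checks a practitioner would want first: that the file is really a gzip archive and not a truncated download or an HTML error page, and that no tar member uses an absolute path or a ".." component that would let a crafted archive write outside the apps directory. It assumes the .tgz was already fetched with the wget line above and that it is run with sudo; the function names, arguments and the "nosuchuser" fallback are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page: a checked version of the
# tar/chown steps above. Arguments: archive path, Splunk apps directory,
# owner account (defaults to "splunk"). Run with sudo on the Splunk host.

check_archive() {
  # Refuse members with absolute paths or ".." components: the archive is
  # extracted as root, so such a member could land outside the apps directory.
  local tgz="$1"
  tar -tzf "$tgz" | awk '/^\// || /(^|\/)\.\.(\/|$)/ { bad=1 } END { exit bad+0 }'
}

install_dataset() {
  local tgz="$1" appsdir="$2" owner="${3:-splunk}"
  [ -f "$tgz" ] || { echo "no such file: $tgz" >&2; return 1; }
  [ -d "$appsdir" ] || { echo "no such directory: $appsdir" >&2; return 1; }
  # A truncated download or an HTML error page is not gzip data; catch it before tar does.
  gzip -t "$tgz" 2>/dev/null || { echo "not a valid gzip archive: $tgz" >&2; return 1; }
  check_archive "$tgz" || { echo "archive contains unsafe member paths" >&2; return 1; }
  tar -xzf "$tgz" -C "$appsdir" || return 1
  # Only chown when the owner account exists (it does on a Splunk host; it may not on a test box).
  if id "$owner" >/dev/null 2>&1; then
    chown -R "$owner" "$appsdir" || return 1
  fi
  echo "installed $(basename "$tgz") into $appsdir"
}

# Usage, matching the page's paths (assumed):
# sudo bash -c '. ./install_dataset.sh; install_dataset /opt/botsv3_data_set.tgz /opt/splunk/etc/apps splunk'
```

After it reports success, restart Splunk (or reboot, as the page does) so the new app's index definition is loaded.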
When the server restarts, open the Splunk Web page.
At the top left, click "Search & Reporting".
Perform this search:
index="botsv3" earliest=0
It will slowly find more and more events as the server processes the data.
Wait until you see the same number of events shown in the image below.
SPL 202.1: Most Common Sourcetype (15 pts)
Perform this search:
index="botsv3" earliest=0 sourcetype=* | stats count by sourcetype
When the search finishes, at the top right of the results, click the count header to sort by count, with the largest count on top.
The flag is covered by a green box in the image below.
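To make clear what each part of that search does, here is an added example in Python (not code from the original page) that walks a handful of constructed, not real BOTSv3, events through the same three stages: the base search filter (index, the `*` wildcard on sourcetype, and `earliest=0`, which means "from the epoch", i.e. all time, needed because the data set's 2018 timestamps fall outside Splunk's default Last 24 hours window), the `stats count by sourcetype` aggregation, and the descending sort you get by clicking the count header. The event dicts, function names and the constant `SAMPLE_EVENTS` are this example's own.

```python
import re
from collections import Counter

# Constructed sample events (NOT real BOTSv3 data): each dict carries the
# index, sourcetype and _time fields Splunk attaches to every event.
SAMPLE_EVENTS = [
    {"index": "botsv3", "sourcetype": "aws:cloudtrail", "_time": 1534810000},
    {"index": "botsv3", "sourcetype": "aws:cloudtrail", "_time": 1534810060},
    {"index": "botsv3", "sourcetype": "aws:cloudtrail", "_time": 1534810120},
    {"index": "botsv3", "sourcetype": "WinEventLog:Security", "_time": 1534810180},
    {"index": "botsv3", "sourcetype": "WinEventLog:Security", "_time": 1534810240},
    {"index": "botsv3", "sourcetype": "osquery:results", "_time": 1534810300},
    {"index": "main", "sourcetype": "aws:cloudtrail", "_time": 1534810360},  # other index, must not count
]


def splunk_wildcard(pattern):
    """Compile a Splunk field-value pattern: only '*' is special, the rest is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def search(events, index, sourcetype="*", earliest=0, latest=None):
    """The base search `index=<index> earliest=<earliest> sourcetype=<pattern>`.
    earliest is an epoch timestamp; 0 selects everything ever indexed.
    Splunk only matches `sourcetype=*` on events that actually have the field."""
    st = splunk_wildcard(sourcetype)
    return [
        e for e in events
        if e.get("index") == index
        and "sourcetype" in e and st.match(e["sourcetype"])
        and e["_time"] >= earliest
        and (latest is None or e["_time"] < latest)
    ]


def stats_count_by(events, field):
    """`| stats count by <field>`, then the click on the count header:
    rows ordered largest count first, ties broken by field value."""
    counts = Counter(e[field] for e in events if field in e)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def most_common_sourcetype(events):
    """The value the SPL 202.1 flag is read from: the top row after sorting."""
    rows = stats_count_by(search(events, index="botsv3", earliest=0), "sourcetype")
    return rows[0][0] if rows else None


if __name__ == "__main__":
    for sourcetype, count in stats_count_by(search(SAMPLE_EVENTS, "botsv3"), "sourcetype"):
        print(f"{count:6d}  {sourcetype}")
```

On the sample data the top row is `aws:cloudtrail`; on the real index the number and the sourcetype will differ, which is why the page has you read the flag off the live results.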
Posted 9-25-23
Date-changing cron job information removed 9-28-23