If you don't have an account, click the head at the top right and create one.
AWS GuardDuty (Restart required)
Cisco Endpoint Security Analytics (CESA) -- USE FIRST ONE
Code42 for Splunk (Legacy) (Restart required, Set up later)
TA for Code42 App For Splunk (Restart required)
Splunk Add-on for Cisco ASA
Splunk Add-on for Microsoft Cloud Services
Splunk Add-on for Microsoft Office 365
Splunk Add-on for Microsoft Windows
Splunk Add-on for Symantec Endpoint Protection
Splunk Add-on for Tenable Unavailable -- SKIP
Splunk Add-on for Unix and Linux (Set up later)
Splunk Common Information Model
Splunk Stream Add-on
VirusTotal Workflow Actions for Splunk
Microsoft Azure Active Directory Reporting Add-on for Splunk
Microsoft 365 App for Splunk
Splunk Add-on for Microsoft Office 365 Reporting Web Service
Splunk Add-On for Microsoft Sysmon
osquery App for Splunk
Splunk Add-on for Amazon Web Services (AWS)
Splunk ES Content Update
On the Apps page, at the top right, click the "Install app from file" button.
Click the "Choose File" button. Navigate to the .tgz file you downloaded and double-click it.
Click the Upload button.
Repeat these actions for each app on the list above.
When the server restarts, open the Splunk Web page.
On the Splunk server, run these commands to download the BOTSv3 dataset, unpack it into the Splunk apps directory, give the splunk user ownership, and reboot:
sudo wget -P /opt/ https://botsdataset.s3.amazonaws.com/botsv3/botsv3_data_set.tgz
sudo tar zxvf /opt/botsv3_data_set.tgz -C /opt/splunk/etc/apps/
sudo chown -R splunk /opt/splunk
sudo reboot
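The commands above extract whatever is in the tarball straight into /opt/splunk/etc/apps/ with no checks. The script below is an added example, not part of the original page or of the BOTS project, that does the same tar and chown steps with a few sanity checks first: it refuses archives containing absolute or ../ paths, requires a single top-level directory (the app name) that contains a default/ or local/ directory as Splunk apps do, and will not overwrite an app that is already installed. Those three conditions are assumptions about well-formed Splunk app tarballs, not facts stated on the page; the download step is left out, so you pass the path of a .tgz you already fetched.

```shell
#!/bin/sh
# Added example (not from the original page): a checked version of the
# tar / chown steps used to install a Splunk app or dataset tarball.
# Assumptions not stated on the page: a valid Splunk app tarball has exactly
# one top-level directory (the app name) and that directory contains
# default/ or local/. The tarball is not downloaded here.

install_splunk_app() {
  archive="$1"
  appsdir="$2"
  owner="${3:-splunk}"

  [ -f "$archive" ] || { echo "no such archive: $archive" >&2; return 1; }
  [ -d "$appsdir" ] || { echo "apps directory missing: $appsdir" >&2; return 1; }

  # Refuse members that would land outside the apps directory
  # (absolute paths or ../ components) instead of extracting blindly.
  if tar tzf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
    echo "archive contains absolute or traversing paths" >&2
    return 1
  fi

  # Exactly one top-level directory, which becomes the app name.
  tops=$(tar tzf "$archive" | cut -d/ -f1 | sort -u)
  [ "$(printf '%s\n' "$tops" | wc -l | tr -d ' ')" -eq 1 ] || {
    echo "expected a single top-level app directory, got: $tops" >&2
    return 1
  }
  app="$tops"

  # Splunk apps keep their configuration under default/ and/or local/.
  tar tzf "$archive" | grep -Eq "^$app/(default|local)/" || {
    echo "$app does not look like a Splunk app (no default/ or local/)" >&2
    return 1
  }

  # Never overwrite an app that is already installed.
  if [ -e "$appsdir/$app" ]; then
    echo "$appsdir/$app already exists; remove it first" >&2
    return 1
  fi

  tar xzf "$archive" -C "$appsdir"

  # Hand the files to the splunk user as the page's chown step does, but
  # only when running as root and the user actually exists.
  if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
    chown -R "$owner" "$appsdir/$app"
  fi
  echo "installed $app into $appsdir"
  return 0
}

# Usage: sh install_app.sh /opt/botsv3_data_set.tgz /opt/splunk/etc/apps
if [ "$#" -ge 2 ]; then
  install_splunk_app "$@"
fi
```

After the install the page's "sudo reboot" is still needed for Splunk to pick up the new indexes; the script only replaces the extraction step, and it deliberately chowns just the new app directory rather than all of /opt/splunk.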
At the top left, click "Search & Reporting".
Perform this search:
index="botsv3" earliest=0
It will slowly find more and more events as the server processes the data.
Wait until you see the same number of events shown in the image below.
SPL 202.1: Most Common Sourcetype (15 pts)
Perform this search:
index="botsv3" earliest=0 sourcetype=* | stats count by sourcetype
When the search finishes, at the top right of the results, click the count header to sort by count, with the largest count on top.
The flag is covered by a green box in the image below.
Date-changing cron job information removed 9-28-23