
Splunking_sysmon

odorusatoshi
December 10, 2018

A first Sysmon log analysis

Transcript

  1. © 2017 SPLUNK INC. Sysmon log analysis (title slide)

    Sales Engineer, 2018/07/01, Ver1.0 (presenter name and the rest of the title are garbled in the extraction; only "Sysmon" and "log analysis" are recoverable)
  2. Forward-Looking Statements

    During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved.
  3. NIST (slide body is a chart; only the heading "NIST" and a column of figures survive the extraction)
  4. (slide text not recoverable from the extraction)
  5. (slide text not recoverable from the extraction)
  6. (slide text not recoverable from the extraction)
  7. (slide text not recoverable from the extraction)
  8. (slide text not recoverable from the extraction)
  9. Sysmon (slide body not recoverable from the extraction)
  10. Sysmon log example involving Chrome and eicar.com.txt (rest of the slide text garbled)
  11. Sysmon network connection events (sysmon -n)

    Reference: https://medium.com/@smurf3r5/splunking-with-sysmon-c321fe87c567
    The remaining text mentions Proxy and Dest (destination) but is garbled in the extraction.
  12. Sysmon to Splunk server (Windows)

    Architecture diagram: Windows PCs (PC1, PC2) running sysmon, alongside DLP, AntiVirus, ActiveDirectory, FW, Internet, IDS/Sandbox etc.
    1. Windows PC: Microsoft Sysmon
    2. Windows PC: Splunk (Universal Forwarder)
    3. Splunk app (Microsoft Sysmon Add-on)
  13. Splunk Deployment Server with 50 UF (Universal Forwarder)

    Reference: http://docs.splunk.com/Documentation/Splunk/6.6.3/Updating/Planadeployment#Deployment_server_system_requirements
    1. Splunk side
    • Microsoft Sysmon Add-on
    • UF: 9997 (text garbled)
    • Splunk (text garbled)
    • (Splunk install directory)\etc\deployment-apps\windows\local\inputs.conf
      [WinEventLog://Microsoft-Windows-Sysmon/Operational]
      checkpointInterval = 5
      current_only = 0
      disabled = 0
      start_from = oldest
    • (Splunk install directory)\etc\deployment-apps\windows\local\outputs.conf
      [tcpout]
      defaultGroup = default-autolb-group
      [tcpout:default-autolb-group]
      server = 172.xx.xx.xx:9997
      [tcpout-server://172.xx.xx.xx:9997]
    (1/2)
  14. 1. Windows PC side

    • Sysmon: get sysmon.exe and the config (sysmonconfig-export.xml); config from https://github.com/SwiftOnSecurity/sysmon-config
    • Install Sysmon on each Windows PC:
      Sysmon.exe -accepteula -i sysmonconfig-export.xml -l -n
    3. Windows - sysmon (heading text garbled)
    • Install the Universal Forwarder, pointing it at the Deployment Server:
      msiexec.exe /i splunkforwarder-6.4.9-493044ecc65a-x86-release DEPLOYMENT_SERVER="(Splunk host name or IP):8089" AGREETOLICENSE=Yes /quiet
    • Note on Windows 7 32-bit (forwarder Ver5) and Windows 10 forwarders: text garbled in the extraction
    • Splunk / Windows: remaining text garbled in the extraction
    (2/2)
  15. sysmonconfig-export.xml from GitHub

    URL: https://github.com/SwiftOnSecurity/sysmon-config
    The config is built from exclude and include rules (rest of the slide text garbled).
  16. Sysmon license usage

    index=_internal source=*license_usage.log type=Usage s="WinEventLog:Microsoft-Windows-Sysmon/Operational" | eval mb=round(b/(1024*1024),2) | timechart span=1d sum(mb) by h
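As an added example (not from the deck), the SPL above rewritten as stand-alone Python over license_usage.log Usage records, so the daily Sysmon volume per host can be checked before sizing the license; the sample lines are constructed in the shape of Splunk's Usage records (s = source, h = host, b = bytes indexed), and the values are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

SYSMON_SOURCE = "WinEventLog:Microsoft-Windows-Sysmon/Operational"

# Constructed sample lines (not real data) in the shape of license_usage.log.
SAMPLE_LOG = """\
07-01-2018 10:05:12.001 +0900 INFO  LicenseUsage - type=Usage s="WinEventLog:Microsoft-Windows-Sysmon/Operational" st="WinEventLog:Microsoft-Windows-Sysmon/Operational" h="PC1" o="" idx="main" i="IDX1" pool="auto_generated_pool_enterprise" b=1048576 poolsz=53687091200
07-01-2018 11:05:12.001 +0900 INFO  LicenseUsage - type=Usage s="WinEventLog:Microsoft-Windows-Sysmon/Operational" st="WinEventLog:Microsoft-Windows-Sysmon/Operational" h="PC1" o="" idx="main" i="IDX1" pool="auto_generated_pool_enterprise" b=524288 poolsz=53687091200
07-01-2018 11:05:12.001 +0900 INFO  LicenseUsage - type=Usage s="WinEventLog:Security" st="WinEventLog:Security" h="PC1" o="" idx="main" i="IDX1" pool="auto_generated_pool_enterprise" b=4194304 poolsz=53687091200
07-01-2018 12:05:12.001 +0900 INFO  LicenseUsage - type=Usage s="WinEventLog:Microsoft-Windows-Sysmon/Operational" st="WinEventLog:Microsoft-Windows-Sysmon/Operational" h="PC2" o="" idx="main" i="IDX1" pool="auto_generated_pool_enterprise" b=3145728 poolsz=53687091200
07-02-2018 09:05:12.001 +0900 INFO  LicenseUsage - type=Usage s="WinEventLog:Microsoft-Windows-Sysmon/Operational" st="WinEventLog:Microsoft-Windows-Sysmon/Operational" h="PC1" o="" idx="main" i="IDX1" pool="auto_generated_pool_enterprise" b=2097152 poolsz=53687091200
07-02-2018 23:59:59.000 +0900 INFO  LicenseUsage - type=RolloverSummary stacksz=53687091200 poolsz=53687091200
"""

# key=value pairs; quoted values may contain spaces, unquoted ones may not
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_usage_line(line):
    """Return (date, fields) for a type=Usage record, None for anything else."""
    try:
        day = datetime.strptime(line.split(" ", 1)[0], "%m-%d-%Y").date()
    except ValueError:
        return None  # not a license_usage.log timestamped line
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if fields.get("type") != "Usage":
        return None  # e.g. RolloverSummary records are not per-source usage
    return day, fields


def daily_mb_by_host(log_text, source=SYSMON_SOURCE):
    """Same as the SPL: keep type=Usage for one source, round b to MB (2 dp)
    per record, then sum per day (span=1d) and per host (by h)."""
    totals = defaultdict(lambda: defaultdict(float))
    for line in log_text.splitlines():
        parsed = parse_usage_line(line)
        if parsed is None or parsed[1].get("s") != source:
            continue
        day, f = parsed
        totals[day.isoformat()][f["h"]] += round(int(f["b"]) / (1024 * 1024), 2)
    return {d: dict(hosts) for d, hosts in sorted(totals.items())}


def peak_daily_mb(totals):
    """(day, MB) of the busiest day across all hosts: the figure to size against."""
    return max(((d, sum(h.values())) for d, h in totals.items()), key=lambda x: x[1])


if __name__ == "__main__":
    per_day = daily_mb_by_host(SAMPLE_LOG)
    print(per_day)               # {'2018-07-01': {'PC1': 1.5, 'PC2': 3.0}, '2018-07-02': {'PC1': 2.0}}
    print(peak_daily_mb(per_day))  # ('2018-07-01', 4.5)
```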
  17. Deployment Server notes

    • The Deployment Server (DS) distributes apps (outputs.conf, inputs.conf) to the UFs and the indexer.
    • UF → DS: 8089; Indexer → DS: 8089; interval 60 (default).
    • Universal Forwarder (UF) → indexer: 9997 (Sysmon events are forwarded to the indexer).
    • Scaling figures on the slide: 5000 UF clients per DS, and a 10,000 figure; see https://answers.splunk.com/answers/494417/deployment-server-best-practices-for-scaling.html
    (Remaining slide text garbled in the extraction.)
  18. UF transport: SSL vs Splunk Native

                    Splunk Native                                          SSL
    Settings        outputs.conf                                           outputs.conf (server.conf setting ... true)
    Compression     compressed (indexer inputs.conf: compressed=true)      useClientSSLCompression
    (last row garbled in the extraction)
  19. Chart comparing Splunk Native and SSL throughput for Universal Forwarder and Heavy Forwarder (bar chart, axis 0 to 16; bar values not recoverable from the extraction)
  20. Deployment Server performance

    ▶ App: T = 0.04 * C + 8 (with 3000 apps: T = 0.04 * 3000 + 8 = 128)
    ▶ Deployment Server sizing: http://docs.splunk.com/Documentation/Splunk/6.6.3/Updating/Calculatedeploymentserverperformance