# Introduction to Splunk Apps

## **What are Splunk Applications?**

* Splunk apps are packages that extend the capabilities of Splunk Enterprise or Splunk Cloud.
* They manage specific types of operational data and are tailored for different technologies and use cases.
* Apps act as pre-built knowledge packages, offering features such as:
  * Custom data inputs
  * Custom visualizations
  * Dashboards
  * Alerts
  * Reports

***

## **Benefits of Splunk Apps**

* Enable multiple workspaces within a single Splunk instance.
* Cater to different user roles and use cases.
* Available for download on **Splunkbase**.
* Many are designed for **Security Information and Event Management (SIEM)**, helping detect and respond to security threats.
* Facilitate data ingestion, analysis, and visualization for security investigations.

## **Considerations When Using Splunk Apps**

* **Data Volume & Hardware Requirements**: Some apps require significant system resources.
* **Licensing**: Premium apps may require additional licenses.
* **Increased License Usage**: Additional data inputs can lead to higher license consumption.

***

## **Sysmon App for Splunk - Installation & Usage**

**Developed by: Mike Haag**

**Steps to Install & Configure**

1. **Sign Up on Splunkbase**
   * Create a free account on **Splunkbase**.
2. **Log into Splunkbase**
   * Use the credentials to access available apps.
3. **Download Sysmon App for Splunk**
   * Navigate to the app page and download it.
4. **Add the Application to Your Search Head**
   * Install the app within your Splunk instance.
5. **Adjust the App’s Macros**
   * Ensure that events load correctly by modifying the app macros.
6. **Access the Sysmon App in Splunk**
   * Locate it under the **Apps** column on the Splunk home page.
7. **Navigate to the File Activity Tab**
   * Open the **File Activity** section within the app.
8. **Set Time Picker to "All Time" & Submit**
   * Adjust the time filter and submit the search.
9. **Fix Missing Results in "Top Systems" Section**
   * Click **Edit** (upper right corner) and modify the search query.
   * Replace the missing **Computer** field with **ComputerName**.
   * Click **Apply** to generate results successfully.
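
A version of a "Top Systems" style search that survives the field-name mismatch from step 9, written here as an added example rather than the app's own panel query: it normalizes whichever host field the add-on extracted (Computer, ComputerName, or Splunk's default host) before ranking systems by file activity. The `sysmon` macro comes from how the app is used on this page; that the panel is driven by Sysmon EventCode 11 (FileCreate) events is an assumption, not taken from the app's dashboard source.

```spl
`sysmon` EventCode=11
| eval system=coalesce(Computer, ComputerName, host)
| stats count AS file_events, dc(TargetFilename) AS distinct_files, latest(_time) AS last_seen by system
| convert ctime(last_seen)
| sort - file_events
| head 10
```

Because coalesce returns the first non-null value, the same search works on indexes where only one of the two field names exists and on mixed indexes where the add-on version changed over time.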

***

#### **Key Takeaways**

* Splunk Apps enhance data management and analysis capabilities.
* Splunkbase is the primary source for downloading and installing apps.
* The Sysmon App for Splunk helps monitor **system activities** but requires proper configuration.
* Understanding field names (e.g., **Computer** vs. **ComputerName**) is crucial for accurate data visualization.

***

## Tasks

### Task 1

Access the Sysmon App for Splunk and go to the "Reports" tab. Fix the search associated with the "Net - net view" report and provide the complete executed command as your answer. Answer format: net view /Domain:\_.local

I didn't understand the question or how to even get to the answer; I found it on Reddit.

```
`sysmon` process=net.exe (CommandLine="net view /DOMAIN:uniwaldo.local") | stats count by Computer,CommandLine
```

**Answer: net view /DOMAIN:uniwaldo.local**

***

### Task 2

Access the Sysmon App for Splunk, go to the "Network Activity" tab, and choose "Network Connections". Fix the search and provide the number of connections that SharpHound.exe has initiated as your answer.

Edit the search as follows: use a wildcard for the image that created the event, open the search that is output, and count the number of occurrences.

```
`sysmon` EventCode=3 Image="*SharpHound.exe" | eval Destination=coalesce(dest_host,dest_ip) | stats count, values(Destination) AS "Destinations", values(dest_port) AS "Ports", values(protocol) AS "Protocols" by Image | fields Image Destinations Ports Protocols count
```

**Answer: 6**
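
Going a step beyond Task 2, this added search (not from the page or the Sysmon app) correlates each SharpHound process with its own network connections by ProcessGuid, so an analyst sees the launching command line and parent image next to the connection count instead of a bare total. It assumes the Sysmon fields ProcessGuid, CommandLine and ParentImage are extracted under those names by the add-on, reuses the page's dest_host/dest_ip aliases, and applies the Computer/ComputerName fallback noted in the installation steps.

```spl
`sysmon` (EventCode=1 OR EventCode=3) Image="*SharpHound.exe"
| eval src=coalesce(Computer, ComputerName, host)
| eval Destination=if(EventCode=3, coalesce(dest_host, dest_ip), null())
| stats values(eval(if(EventCode=1, CommandLine, null()))) AS CommandLine,
        values(eval(if(EventCode=1, ParentImage, null()))) AS ParentImage,
        count(eval(EventCode=3)) AS connections,
        dc(Destination) AS distinct_destinations,
        values(dest_port) AS Ports,
        min(_time) AS first_seen, max(_time) AS last_seen
        by src, Image, ProcessGuid
| where connections > 0
| convert ctime(first_seen) ctime(last_seen)
| sort - connections
```

Summing the connections column across rows gives the same total the Task 2 search reports, while each row shows which process instance on which host produced them.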
