Splunk advanced input configuration for Windows

Project goal

Splunk-input-windows-baseline provides a single inputs.conf configuration file that enables advanced Windows log collection, mapped to the MITRE ATT&CK framework, through the Splunk Universal Forwarder agent.

Project features

Unlike many online resources, this configuration does not restrict itself to the Security event log and does not follow Microsoft's very generic audit policies for Windows or for Sentinel. Instead, it was designed by a threat detection analyst with a precise approach: collect only what is relevant for detection, threat hunting, incident response and forensic purposes. Among other things, it provides the following key features:

Configuration file

The configuration file can be applied to any Windows host (Vista or higher) on which the Splunk Universal Forwarder is deployed.
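As an added illustration (not the project's own file, which lives in the splunk-windows-input folder), here is what an inputs.conf built on the same principle looks like: several channels are collected and each one is restricted to event IDs with a detection use, rather than shipping the whole Security log; the index names are assumptions.

```ini
; Illustrative inputs.conf for the Splunk Universal Forwarder (example only,
; not the project's configuration). Channel names and event IDs are standard
; Windows/Splunk values; "wineventlog" and "sysmon" are assumed index names.
; A typical minimal setup is a single [WinEventLog://Security] stanza with
; disabled = 0 and no whitelist, which forwards every Security event.

; Security: keep only events tied to detection use cases
[WinEventLog://Security]
disabled = 0
index = wineventlog
renderXml = true
start_from = oldest
current_only = 0
checkpointInterval = 5
; 1102 audit log cleared, 4624/4625 logon success/failure,
; 4688 process creation (command line requires the matching audit policy),
; 4698 scheduled task created, 4720 user account created,
; 4732 member added to a security-enabled local group
whitelist = 1102,4624,4625,4688,4698,4720,4732

; System: 7045 new service installed (common persistence artefact)
[WinEventLog://System]
disabled = 0
index = wineventlog
renderXml = true
whitelist = 7045

; PowerShell: 4103 module logging, 4104 script block logging
; (both only appear once the corresponding policy is enabled on the host)
[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
index = wineventlog
renderXml = true
whitelist = 4103,4104

; Sysmon: collected in full when the Sysmon agent is deployed on the host
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
index = sysmon
renderXml = true
```

Each stanza only forwards what Windows actually writes, so the local audit policy (and Sysmon or PowerShell logging, where used) has to be enabled on the host for the listed event IDs to appear.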

Configuration file remarks

Configuration file path

The configuration file can be found in the splunk-windows-input folder.

Out of scope / exclusions

The following topics or events are currently not in the scope of this project:

Splunk related

Windows event IDs related

Sources

The following sources were used to elaborate the configuration file: