https://youtu.be/39iVugb9Y0c?si=Ob3HDfruGSvRYO5x&t=396

Create a share on the DC that everyone can access and put all deployment files in a directory on the DC.

### Only for Splunk

```
splunkUF.msi
inputs.conf
```

### Only for Security Onion

```
winlogbeat.yml - https://github.com/elastic/beats/blob/main/winlogbeat/winlogbeat.yml
winlogbeat.msi
```

### Only for sysmon

```
sysmon.exe
sysmonconfig.xml
```

## Splunk UF

```
group policy management
  (Your Organizational Unit) > new gpo
    name: Install Splunk Universal Forwarder
    source starter gpo: none
  (right click) edit
    Computer policies > software setting > software installation
      (right click) new
        specify splunk msi from netlogon share
    preferences > windows settings > files
      (right click) new > file
        action: replace
        source file(s): \\dc\NETLOGON\splunkUF\inputs.conf
        destination file: \ProgramData\splunkUF\inputs.conf
    preferences > control panel settings > services
      new > service
        startup: automatic
        service name: splunkUF.msi
        service action: start service
        Recovery
          first failure: restart the service
          second failure: restart the service
          subsequent failures: restart the service
          restart service every 5 minutes
```

## Splunk UF config

```
GPO setup
  new gpo
    startup scripts
      DeploySplunk.bat
```

## Sysmon

```
group policy management
  all workstations > new gpo
    name: Install Sysmon
  edit
    policies > software setting > software installation
      specify msi from netlogon share
    preferences > windows settings > files
      new > file
        action: replace
        source file(s): \\dc\NETLOGON\sysmon\sysmonconfig.xml
        destination file: \ProgramData\sysmon\sysmonconfig.xml
    preferences > control panel settings > services
      new > service
        startup: automatic
        service name: sysmon.exe
        service action: start service
        Recovery
          first failure: restart the service
          second failure: restart the service
          subsequent failures: restart the service
          restart service every 5 minutes
```

## Sysmon config

```
GPO setup
  new gpo
    startup scripts
      DeploySysmon.bat
```

## Winlogbeat

```
group policy management
  (Your Organizational Unit) > new gpo
    name: Install Winlogbeat
    source starter gpo: none
  (right click) edit
    Computer policies > software setting > software installation
      (right click) new
        specify winlogbeat msi from netlogon share
    preferences > windows settings > files
      (right click) new > file
        action: replace
        source file(s): \\dc\NETLOGON\winlogbeat\winlogbeat.yml
        destination file: \ProgramData\Elastic\winlogbeat\winlogbeat.yml
    preferences > control panel settings > services
      new > service
        startup: automatic
        service name: Elastic winlogbeat-Oss 7.#.#
        service action: start service
        Recovery
          first failure: restart the service
          second failure: restart the service
          subsequent failures: restart the service
          restart service every 5 minutes
```

## How the startup scripts work

The scripts install Splunk and Sysmon and drop a `flag.txt` file to confirm they have run. Because they are startup scripts, they run at every boot, so the flag file is the guard: if the flag file is present, the installer is skipped (running it again would be redundant); if the flag file is absent, the installer runs and then drops the flag file. This is good for troubleshooting too, IMO, because you can delete the flag file and run the script again if you have changes.
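As an added example of the flag-file pattern described above (this is not the DeploySysmon.bat from the original notes, which is not reproduced on the page), here is a startup script that installs Sysmon from the NETLOGON share and only writes the flag after a successful install, so a failed boot-time run is retried at the next startup instead of being masked. The share path `\\dc\NETLOGON\sysmon`, the local directory `C:\ProgramData\sysmon` and the flag name `flag.txt` are assumptions taken from the notes' layout; the Sysmon switches `-accepteula -i <config>` are the tool's real install options.

```batch
@echo off
REM DeploySysmon.bat - added example of the startup-script flag pattern, not the
REM script from the original notes. Runs as a GPO computer startup script (SYSTEM).
REM Assumed paths (not stated on the page): NETLOGON subfolder and local directory below.

set "SRC=\\dc\NETLOGON\sysmon"
set "DST=C:\ProgramData\sysmon"
set "FLAG=%DST%\flag.txt"

REM Guard: a previous run already installed Sysmon, so do nothing on this boot.
REM To force a reinstall (e.g. after editing sysmonconfig.xml), delete the flag file.
if exist "%FLAG%" (
    echo Sysmon already deployed, flag found at "%FLAG%"
    exit /b 0
)

if not exist "%DST%" mkdir "%DST%"

REM Copy the binary and config locally so the installed service does not
REM depend on the share being reachable after deployment.
copy /Y "%SRC%\sysmon.exe" "%DST%\sysmon.exe" >nul || goto :fail
copy /Y "%SRC%\sysmonconfig.xml" "%DST%\sysmonconfig.xml" >nul || goto :fail

REM -accepteula suppresses the EULA prompt; -i installs the service with the given config.
"%DST%\sysmon.exe" -accepteula -i "%DST%\sysmonconfig.xml"
if errorlevel 1 goto :fail

REM Write the flag only after success; record when it was installed for troubleshooting.
echo installed %DATE% %TIME% > "%FLAG%"
exit /b 0

:fail
echo Sysmon deployment failed, no flag written; it will be retried at next startup
exit /b 1
```

DeploySplunk.bat follows the same shape: the same flag guard, then the installer step becomes a silent `msiexec /i` of `splunkUF.msi` from the share followed by copying `inputs.conf` into place, and the flag is again written only after both succeed. Keeping the flag inside the same directory as the deployed files means that wiping the directory also resets the guard, which is the "delete the file and run it again" workflow the notes describe.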