https://youtu.be/39iVugb9Y0c?si=Ob3HDfruGSvRYO5x&t=396

create a share on the DC that every domain computer can read (the steps below use NETLOGON, which domain members can already read and only admins can write; keep it read-only, because anything that can be written here gets executed as SYSTEM on every machine the GPO reaches)

put all the files listed below in that directory on the DC

### Only for Splunk

```
splunkUF.msi
inputs.conf
```

### Only for Security Onion

```
winlogbeat.msi
winlogbeat.yml - https://github.com/elastic/beats/blob/main/winlogbeat/winlogbeat.yml
(that link is the main-branch sample; take the winlogbeat.yml that matches the MSI version you deploy, since a newer sample can contain options an older binary rejects)
```

### Only for sysmon

```
sysmon.exe (use Sysmon64.exe on 64-bit hosts; Sysmon ships as an .exe only, there is no MSI)
sysmonconfig.xml
```

## splunk UF

```
Group Policy Management

(your OU) > New GPO
name: Install Splunk Universal Forwarder
source starter GPO: none

(right click) Edit

Computer Configuration > Policies > Software Settings > Software installation
(right click) New > Package
specify the Splunk UF MSI from the NETLOGON share by its UNC path (\\dc\NETLOGON\splunkUF\splunkUF.msi), not a local drive letter, so every client can reach it

Computer Configuration > Preferences > Windows Settings > Files
(right click) New > File
action: Replace
source file(s): \\dc\NETLOGON\splunkUF\inputs.conf
destination file: \ProgramData\splunkUF\inputs.conf
(Replace overwrites the file on every policy refresh, so local edits are reverted; that is what you want for an enforced config)

Computer Configuration > Preferences > Control Panel Settings > Services
New > Service
startup: Automatic
service name: SplunkForwarder (the Windows service the UF installs; splunkUF.msi is the installer file, not a service name)
service action: Start service

Recovery tab
first failure: Restart the Service
second failure: Restart the Service
subsequent failures: Restart the Service
restart service after: 5 minutes
```

### Splunk UF config

```
GPO setup
new GPO
Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) > Startup
add DeploySplunk.bat from the NETLOGON share (startup scripts run as SYSTEM before any user logs on, so this is where the installer properties get passed)
```

## sysmon

```
Group Policy Management

all workstations (OU) > New GPO
name: Install Sysmon

Edit

Computer Configuration > Policies > Software Settings > Software installation
(Software Installation only deploys .msi and .zap packages; Sysmon ships as Sysmon.exe / Sysmon64.exe with no MSI, so this step does nothing for Sysmon unless you wrap it in an MSI yourself; the startup script in the next section is what actually installs it)

Computer Configuration > Preferences > Windows Settings > Files
New > File
action: Replace
source file(s): \\dc\NETLOGON\sysmon\sysmonconfig.xml
destination file: \ProgramData\sysmon\sysmonconfig.xml
(Sysmon loads its config into the registry at install or on "Sysmon64 -c"; overwriting the xml on disk alone does not change what Sysmon logs)

Computer Configuration > Preferences > Control Panel Settings > Services
New > Service
startup: Automatic
service name: Sysmon64 when installed with Sysmon64.exe, Sysmon when installed with Sysmon.exe (sysmon.exe is the installer file, not a service name)
service action: Start service

Recovery tab
first failure: Restart the Service
second failure: Restart the Service
subsequent failures: Restart the Service
restart service after: 5 minutes
```

### Sysmon config

```
GPO setup
new GPO
Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) > Startup
add DeploySysmon.bat from the NETLOGON share
```

## Winlogbeat

```
Group Policy Management

(your OU) > New GPO
name: Install Winlogbeat
source starter GPO: none

(right click) Edit

Computer Configuration > Policies > Software Settings > Software installation
(right click) New > Package
specify the winlogbeat MSI from the NETLOGON share by its UNC path (\\dc\NETLOGON\winlogbeat\winlogbeat.msi)

Computer Configuration > Preferences > Windows Settings > Files
(right click) New > File
action: Replace
source file(s): \\dc\NETLOGON\winlogbeat\winlogbeat.yml
destination file: \ProgramData\Elastic\winlogbeat\winlogbeat.yml
(confirm this against the directory the MSI you deploy actually uses; the 7.x MSI reads its config from C:\ProgramData\Elastic\Beats\winlogbeat, and a winlogbeat.yml dropped anywhere else is never read)

Computer Configuration > Preferences > Control Panel Settings > Services
New > Service
startup: Automatic
service name: winlogbeat (the picker lists services by display name, e.g. Elastic winlogbeat-Oss 7.#.#; the field itself takes the service name)
service action: Start service

Recovery tab
first failure: Restart the Service
second failure: Restart the Service
subsequent failures: Restart the Service
restart service after: 5 minutes
```

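After the three GPOs have applied, the check a practitioner wants is one script run on a workstation that confirms each agent is installed, running, has its config in place, and (for Sysmon) is actually producing events. The block below is an added example, not code from the page; the service names are the real ones (SplunkForwarder, Sysmon64 or Sysmon, winlogbeat) and the config paths follow the page's Files preferences plus the Splunk UF default install directory, which is an assumption for any non-default install.

```powershell
# Added example: verify GPO-deployed agents on a domain workstation. Run elevated.
# Service names are the installed ones; config paths are assumptions based on the
# page's GPO Files preferences and a default UF install directory.

# Returns the first service found from a list of candidate names (Sysmon uses
# Sysmon or Sysmon64 depending on which binary installed it).
function Get-AgentService([string[]]$Names) {
    foreach ($n in $Names) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if ($svc) {
            return [pscustomobject]@{ Name = $svc.Name; Status = $svc.Status; StartType = $svc.StartType }
        }
    }
    return [pscustomobject]@{ Name = ($Names -join '/'); Status = 'Missing'; StartType = $null }
}

$checks = @(
    [pscustomobject]@{ Agent = 'Splunk UF';  Services = @('SplunkForwarder');  Config = 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf' }
    [pscustomobject]@{ Agent = 'Sysmon';     Services = @('Sysmon64','Sysmon'); Config = 'C:\ProgramData\sysmon\sysmonconfig.xml' }
    [pscustomobject]@{ Agent = 'Winlogbeat'; Services = @('winlogbeat');        Config = 'C:\ProgramData\Elastic\winlogbeat\winlogbeat.yml' }
)

# One row per agent: service present, running, set to Automatic, config file landed.
foreach ($c in $checks) {
    $svc = Get-AgentService $c.Services
    [pscustomobject]@{
        Agent     = $c.Agent
        Service   = $svc.Name
        Status    = $svc.Status
        StartType = $svc.StartType
        ConfigOK  = Test-Path -Path $c.Config
    }
}

# A running Sysmon service that logs nothing is a config problem, so count events.
$since = (Get-Date).AddHours(-1)
$sysmonEvents = (Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; StartTime = $since } -ErrorAction SilentlyContinue | Measure-Object).Count
"Sysmon events in the last hour: $sysmonEvents"

# The UF only forwards Sysmon if inputs.conf has a stanza for that channel.
Select-String -Path $checks[0].Config -Pattern 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue

# Which computer GPOs applied; the three install GPOs should be listed.
gpresult /r /scope:computer
```

If the Sysmon event count is zero while the service is running, the config was not loaded (Sysmon reads it at install or on `Sysmon64 -c`, not from the file on disk). If the `Select-String` prints nothing, add `[WinEventLog://Microsoft-Windows-Sysmon/Operational]` with `disabled = 0` to inputs.conf, or the forwarder never sends Sysmon data however well the rest is wired.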
```
the scripts both install Splunk and Sysmon, dropping a "flag.txt" file to confirm they have been run. If the flag file is there (it's a startup script, so it runs every boot) it won't run the installer again (it would be redundant)

so if the flag file is there it won't run the installer

if it has not been run, the installer will run and drop the flag file

good for troubleshooting too IMO because you can delete the file and run it again if you have changes
```
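The flag-file logic described above, for both the Splunk UF and the Sysmon startup script, written out as one PowerShell startup script. This is an added example and not the page's DeploySplunk.bat or DeploySysmon.bat; the share layout follows the page, while the hash values, log path, flag directory and the Splunk install directory are assumptions. It adds two things a practitioner would want on a share every domain computer can read: the installers are hashed before they run, and the flag is only written after a successful install so a failed boot retries instead of being marked done. It also handles the "delete the flag and rerun with changes" case for Sysmon, where `-i` fails on an already-installed service and `-c` is the call that reloads the config.

```powershell
# Added example: GPO computer startup script (runs as SYSTEM) that installs the Splunk UF
# and Sysmon from the share once each, gated by flag files. Hashes, paths and file names
# marked as placeholders/assumed are not from the page.

$Share   = '\\dc\NETLOGON'
$FlagDir = 'C:\ProgramData\DeployAgents'         # assumed; holds flag files and the log
$LogFile = Join-Path $FlagDir 'deploy.log'

# SHA-256 of the staged installers, recorded by whoever put them on the share.
# The share is readable by every domain computer, so nothing runs unless it matches.
$ExpectedHash = @{
    'splunkUF.msi' = 'REPLACE_WITH_SHA256_OF_SPLUNK_MSI'     # placeholder
    'Sysmon64.exe' = 'REPLACE_WITH_SHA256_OF_SYSMON64_EXE'   # placeholder
}

New-Item -ItemType Directory -Path $FlagDir -Force | Out-Null

function Write-Log([string]$Message) {
    Add-Content -Path $LogFile -Value ("{0:u} {1}" -f (Get-Date), $Message)
}

function Assert-FileHash([string]$Path, [string]$Expected) {
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ine $Expected) { throw "hash mismatch for $Path (got $actual), refusing to run it" }
}

# Runs $Install once. The flag is written only after success, so a failure is retried next boot.
function Invoke-Once([string]$Name, [scriptblock]$Install) {
    $flag = Join-Path $FlagDir "$Name.flag.txt"
    if (Test-Path -Path $flag) { Write-Log "${Name}: flag present, skipping"; return }
    try {
        & $Install
        Set-Content -Path $flag -Value ("installed {0:u}" -f (Get-Date))
        Write-Log "${Name}: installed, flag written"
    } catch {
        Write-Log "${Name}: FAILED: $_"
    }
}

Invoke-Once 'SplunkUF' {
    $msi = Join-Path $Share 'splunkUF\splunkUF.msi'
    Assert-FileHash $msi $ExpectedHash['splunkUF.msi']
    # AGREETOLICENSE=Yes is required for a silent UF install; exit 3010 = installed, reboot pending.
    $p = Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$msi`" AGREETOLICENSE=Yes /quiet /norestart" -Wait -PassThru
    if ($p.ExitCode -notin 0, 3010) { throw "msiexec exit code $($p.ExitCode)" }
    # inputs.conf was staged by the GPO Files preference; the forwarder only reads it from
    # etc\system\local under its install directory (default location assumed here).
    $staged = 'C:\ProgramData\splunkUF\inputs.conf'
    $dest   = 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf'
    if (-not (Test-Path -Path $staged)) { throw "$staged not present yet (Files preference not applied?)" }
    Copy-Item -Path $staged -Destination $dest -Force
    Restart-Service -Name SplunkForwarder
}

Invoke-Once 'Sysmon' {
    $exe = Join-Path $Share 'sysmon\Sysmon64.exe'
    $cfg = 'C:\ProgramData\sysmon\sysmonconfig.xml'   # staged by the GPO Files preference
    Assert-FileHash $exe $ExpectedHash['Sysmon64.exe']
    if (-not (Test-Path -Path $cfg)) { throw "$cfg not present yet (Files preference not applied?)" }
    # If the service already exists (flag deleted to push a config change), reload with -c;
    # -i fails on an already-installed Sysmon.
    $mode = if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) { '-c' } else { '-accepteula -i' }
    $p = Start-Process -FilePath $exe -ArgumentList "$mode `"$cfg`"" -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "Sysmon64 exit code $($p.ExitCode)" }
}
```

Attach it under Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) > Startup on the PowerShell Scripts tab, from the same NETLOGON share. The flag directory is the place to look when a machine is missing an agent: `deploy.log` records the reason, and deleting `SplunkUF.flag.txt` or `Sysmon.flag.txt` re-runs just that install at the next boot, exactly as the note above describes.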