total_replay/readme.md: 16 additions & 32 deletions
Original file line number
Diff line number
Diff line change
@@ -9,37 +9,6 @@ This lightweight tool helps you make the most of Splunk’s [Security Content](h
9
9
## Installation
10
10
11
11
### MAC/LINUX:
12
-
13
-
**How to install TOTAL-REPLAY when working with Splunk Attack Range or Splunk Attack Data**
14
-
15
-
#### TOTAL-REPLAY IN SPLUNK ATTACK-RANGE REPO:
16
-
---
17
-
18
-
1. Clone the Splunk Security Content github repo. We recommend to follow this steps [Security Content Getting Started](https://github.com/splunk/security_content).
19
-
20
-
2. We recommend following the instructions in the [Attack Range Getting Started](https://github.com/splunk/attack_range)
21
-
guide. Once Attack Range is installed and its virtual environment (managed via Poetry) is activated, TOTAL-REPLAY is almost ready to use — you just need to configure it.
22
-
23
-
3. In total_replay->configuration->config.yml, add the folder path of the Splunk Attack Data repo and the detection folder path in Splunk Security Content.
4. Enable the `attack_range_version_on` config setting in total_replay->configuration->config.yml:
32
-
**NOTE: You can enable either `attack_range_version_on` or `attack_data_version_on` settings**
33
-
```
34
-
attack_range_version_on: True
35
-
```
36
-
37
-
5. If you encounter problem with colorama python library just update it.
38
-
```
39
-
poetry update colorama
40
-
```
41
-
42
-
#### TOTAL-REPLAY IN SPLUNK ATTACK-DATA REPO:
43
12
---
44
13
45
14
1. Clone the Splunk Attack Data github repo. We recommend to follow this steps [Attack Data Getting Started](https://github.com/splunk/attack_data/).
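Review bot: the `attack_range_version_on` setting and the note that only one of `attack_range_version_on` / `attack_data_version_on` may be enabled disappear with the deleted Attack Range section (original lines 12-42), and nothing in the remaining text replaces them; if the key still exists in `total_replay->configuration->config.yml`, keep the mutual-exclusion note under the Attack Data section or state that the Attack Range path is no longer supported, so a user with both keys enabled has a documented answer. The `poetry update colorama` troubleshooting step is also dropped with the section; if it still applies to the Attack Data install, move it rather than delete it.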
@@ -90,6 +59,12 @@ attack_data_version_on: True
90
59
export SPLUNK_HEC_TOKEN= <SPLUNK_HEC_TOKEN>
91
60
```
92
61
62
+
10. Make sure HEC token is set to "Enabled" in Splunk server (Settings → Data Inputs → HTTP Event Collector).
63
+
64
+
11. Confirm the HEC listener port is enabled, typically 8088, using HTTPS.
65
+
66
+
12. Update your firewall settings to allow inbound connections on port 8088, otherwise your data sender will not be able to reach Splunk.
67
+
93
68
### Windows OS:
94
69
95
70
We recommend using the Windows Subsystem for Linux (WSL). You can find a tutorial [here](https://learn.microsoft.com/en-us/windows/wsl/install). After installing WSL, you can follow the steps described in the Linux section.
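Review bot: step 12 asks the reader to allow inbound connections on port 8088 without scoping the rule; suggest wording it as allowing 8088/TCP only from the host running total_replay (the data sender), since HEC accepts events from any source that presents a valid token. Step 11 mentions HTTPS but the steps never say whether the sender validates the Splunk certificate, which is worth one sentence here. Also, the unchanged context line `export SPLUNK_HEC_TOKEN= <SPLUNK_HEC_TOKEN>` has a space after `=`, which in a POSIX shell exports an empty variable and then tries to execute `<SPLUNK_HEC_TOKEN>` as a command; drop the space while this section is being edited.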
@@ -112,7 +87,16 @@ A. This tool accepts the following types of metadata as input:
112
87
- **Splunk detection GUIDs**
113
88
- **Analytic stories**
114
89
115
-
It then uses these inputs to identify and replay the attack data associated with them.
90
+
It then uses these inputs to identify and replay the attack data associated with them.
91
+
92
+
Example A - Replay Attack Data via Splunk detection name:
93
+
94
+
```
95
+
python3 total_replay.py -n '7zip CommandLine To SMB Share Path, CMLUA Or CMSTPLUA UAC Bypass'
96
+
```
97
+
98
+
99
+
116
100
117
101
B. For automation, you can also provide a simple .txt file.
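Review bot: the example passes two detection names in a single `-n` value separated by a comma (`'7zip CommandLine To SMB Share Path, CMLUA Or CMSTPLUA UAC Bypass'`); say explicitly that `-n` accepts a comma-separated list and how the separator is handled, otherwise a reader cannot tell whether this is one name or two. The fence on the example block has no language tag; `bash` would mark it as a shell command. The deletion and re-addition of the identical sentence `It then uses these inputs to identify and replay the attack data associated with them.` and the two trailing blank lines (98, 99) look like whitespace-only noise that could be left out of the change.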