This Splunk tutorial is a continuation of my previous Sysmon article, Splunking with Sysmon Part 1: The Setup. In part 1, I went over the basics of getting Sysmon installed in your environment and forwarding to Splunk.
This second part will help you to take your initial configuration, either Modular Sysmon or SwiftonSecurity’s configuration, and tune it to your environment. This initial tuning can help reduce a significant amount of the events Sysmon generates.
I will be using the full Splunk Boss of the SOC Version 2 dataset to demonstrate the potential of tuning your Sysmon Splunk logs. It was used for the Splunk Boss of the SOC events in 2018 and 2019. I am using this dataset because it was an untuned Sysmon configuration that generated over one million Sysmon events.
The searches I use are available on my GitHub, and I will reference a few of them throughout this blog.
The tuning I am going over in this blog is meant to reduce the amount of everyday, expected noise, not to fine-tune so that only important events are logged. To start, we need to get a good handle on which EventCodes are generating the majority of events. My first search to start is:
My example from botsv2 is below:
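As an added illustration (not part of the original post or its searches), the same "which EventCodes dominate" breakdown computed offline in Python over a handful of constructed Sysmon events in the Windows event XML form that an XmlWinEventLog input forwards to Splunk; the sample events, their skew, and the hypothetical `summarize` helper are all assumptions of this example.

```python
# Added example: tally constructed Sysmon XML events by EventCode and show
# the top Image values per code, the first step before writing exclusions.
# Sample events are constructed, not taken from the botsv2 dataset.
from collections import Counter, defaultdict
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(event_id, image):
    # Minimal constructed Sysmon event in the standard Windows event schema
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID></System>"
        f'<EventData><Data Name="Image">{image}</Data></EventData></Event>'
    )

# Constructed mix skewed the way an untuned config typically is
SAMPLE_EVENTS = (
    [make_event(3, r"C:\Windows\System32\svchost.exe")] * 6
    + [make_event(3, r"C:\Program Files\Splunk\bin\splunkd.exe")] * 2
    + [make_event(1, r"C:\Windows\System32\cmd.exe")] * 3
    + [make_event(7, r"C:\Windows\System32\svchost.exe")] * 1
)

def parse_event(xml_text):
    """Return (EventCode, Image) from one Sysmon event; Image may be None."""
    root = ET.fromstring(xml_text)
    code = int(root.find("e:System/e:EventID", NS).text)
    image_el = root.find("e:EventData/e:Data[@Name='Image']", NS)
    return code, (image_el.text if image_el is not None else None)

def summarize(xml_events, top_images=3):
    """Per-EventCode count, percent share and most common Image values."""
    by_code = Counter()
    images = defaultdict(Counter)
    for text in xml_events:
        code, image = parse_event(text)
        by_code[code] += 1
        if image:
            images[code][image] += 1
    total = sum(by_code.values())
    return [
        {"EventCode": code, "count": n, "percent": round(100.0 * n / total, 1),
         "top_images": images[code].most_common(top_images)}
        for code, n in by_code.most_common()
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row)
```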