Closed aviditas-security closed 1 year ago
Seems fine and technically possible. Would just want to have a test file to validate that it works as expected, and whether you expect it to match a specific index?
Quick test following https://docs.splunk.com/Documentation/Splunk/9.0.4/Data/Extractfieldsfromfileswithstructureddata
https://splunk.teleport.blueteamvillage.com/en-US/manager/search/adddata
The UI allows configuring sourcetype, host (it does not allow selecting a CSV column; only a constant, a regex on the path, or a segment of the path) and index.
Resulting data in:
source="splunk-test-logs.csv" host="hostcsv" index="main" sourcetype="csv"
Closing. The capability is there but, in the end, not used for this year. DEF CON 31 ended.
Background:
For an Insider Threat KC, I would like to have a log file uploaded to the Splunk instance. This will be crafted data that I will test with Splunk ahead of time to ensure that it auto-parses. I'll be setting the timestamps in the logs to match the KC activity timeframes, so there is no need for it to happen concurrently unless that is best from a SecEng perspective. I would prefer that this happens after the KC, as I would have better data to match to then.
Request for us to build
Add a .csv file to Splunk, pretty please.
CRITERIA FOR SUCCESS
1. Upload a provided .csv file to Splunk
2. Use the auto-parse in the upload process
3. Confirm that the logs are in Splunk
DRIs
aviditas-security a.skye (aviditas)#6832
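The comment above asks for a test file to validate the upload, and the criteria require confirming the logs landed in Splunk. The following is an added pre-flight check for the crafted CSV, not code from this issue or from Splunk: it verifies what Splunk's csv sourcetype needs (a header row, a consistent column count, a parseable timestamp) and that every timestamp falls inside the KC window, then builds the confirmation search with the host/index/sourcetype values from the quick test. The sample rows, the `timestamp` column name and the ISO-8601 UTC format are assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample of the crafted insider-threat log (not real data).
SAMPLE_CSV = """timestamp,user,action,host,object
2023-08-11T14:02:11Z,jdoe,file_copy,WS-042,Q3_forecast.xlsx
2023-08-11T14:05:47Z,jdoe,usb_mount,WS-042,/dev/sdb1
2023-08-11T14:09:03Z,asmith,login,WS-017,-
"""

def parse_ts(value):
    """Parse the assumed timestamp format (ISO-8601, UTC, 'Z' suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_csv(text, ts_field="timestamp", window=None):
    """Return (ok, problems) for a CSV destined for Splunk's csv sourcetype.

    window: optional (start, end) pair of timestamp strings; rows outside
    the KC activity timeframe are reported so they can be fixed before upload.
    """
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    if not reader.fieldnames or any(not h.strip() for h in reader.fieldnames):
        return False, ["missing or blank header column"]
    if ts_field not in reader.fieldnames:
        return False, [f"no '{ts_field}' column for timestamp extraction"]
    lo, hi = (parse_ts(window[0]), parse_ts(window[1])) if window else (None, None)
    for n, row in enumerate(reader, start=2):  # line 1 is the header
        # DictReader files extra cells under key None and fills short rows with None.
        if None in row or None in row.values():
            problems.append(f"line {n}: column count differs from header")
            continue
        try:
            ts = parse_ts(row[ts_field])
        except ValueError:
            problems.append(f"line {n}: unparseable timestamp {row[ts_field]!r}")
            continue
        if lo is not None and not (lo <= ts <= hi):
            problems.append(f"line {n}: timestamp {row[ts_field]} outside KC window")
    return not problems, problems

def confirm_search(source, index="main", sourcetype="csv", host="hostcsv"):
    """SPL for criteria step 3: count events ingested from the uploaded file."""
    return (f'search index="{index}" sourcetype="{sourcetype}" host="{host}" '
            f'source="{source}" | stats count')

if __name__ == "__main__":
    ok, problems = validate_csv(SAMPLE_CSV, window=("2023-08-11T14:00:00Z", "2023-08-11T15:00:00Z"))
    print("OK" if ok else "\n".join(problems))
    print(confirm_search("splunk-test-logs.csv"))
```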