Created June 29, 2020 00:22
Gist: scudette/5f379cc6a282006f33d2b7e1f6b39de1
Example event artifact to upload to splunk.
```yaml
name: Custom.Splunk.Flows.Upload
description: |
  Upload all collected results of a specific artifact type to a splunk index.

type: SERVER_EVENT

parameters:
  - name: ArtifactName
    default: Generic.Client.Info/Users
    description: Only upload these artifacts to splunk
  - name: splunkAddress
    default: http://1.2.3.4:8088/services/collector
  - name: Tkn
    default: Splunk ****-56664***5

sources:
  - query: |
      -- Watch the server event stream for flows that completed with
      -- results for the artifact we care about.
      LET completions = SELECT * FROM watch_monitoring(
          artifact="System.Flow.Completion")
      WHERE Flow.artifacts_with_results =~ ArtifactName

      -- For each completed flow, read back its stored results.
      LET documents = SELECT * FROM foreach(row=completions,
          query={
              SELECT * FROM source(
                  client_id=ClientId,
                  flow_id=Flow.session_id,
                  artifact=ArtifactName)
          })

      -- Stream the rows to the Splunk HTTP Event Collector.
      SELECT * FROM splunk_upload(
          query=documents,
          url=splunkAddress,
          index="velociraptor",
          skip_verify=True,
          wait_time=5,
          token=Tkn)
```
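As an added example that is not part of the gist, the following standard-library Python audits the transport settings this artifact hands to `splunk_upload` (plaintext URL, `skip_verify=True`, token kept as a parameter default) and builds the request shape Splunk's HTTP Event Collector expects for those values; the sourcetype and the sample rows are constructed.

```python
import json
from urllib.parse import urlsplit

# Defaults copied from the gist's parameters (the token is redacted there too).
ARTIFACT_DEFAULTS = {
    "splunkAddress": "http://1.2.3.4:8088/services/collector",
    "Tkn": "Splunk ****-56664***5",
    "index": "velociraptor",
    "skip_verify": True,
}


def audit_splunk_upload(cfg):
    """Return findings for the transport settings the artifact would use.

    A HEC token is a bearer credential: whoever holds it can write events
    into the index, so a plaintext URL, disabled certificate checks and a
    token committed as an artifact default are each worth flagging.
    """
    findings = []
    if urlsplit(cfg.get("splunkAddress", "")).scheme != "https":
        findings.append("plaintext HEC URL: token and events travel unencrypted")
    if cfg.get("skip_verify"):
        findings.append("skip_verify=True: server certificate is not validated")
    if cfg.get("Tkn", "").strip():
        findings.append("HEC token stored as an artifact default: keep it out of version control")
    return findings


def build_hec_request(rows, index, token, sourcetype="velociraptor"):
    """Build the HEC request for a batch of result rows.

    HEC expects 'Authorization: Splunk <token>' and a body of newline-delimited
    JSON objects, each carrying the event plus routing fields such as index.
    A default that already carries the 'Splunk ' prefix is tolerated.
    """
    token_value = token.split(None, 1)[1] if token.lower().startswith("splunk ") else token
    headers = {
        "Authorization": "Splunk " + token_value,
        "Content-Type": "application/json",
    }
    body = "\n".join(
        json.dumps({"index": index, "sourcetype": sourcetype, "event": row}) for row in rows
    )
    return headers, body


if __name__ == "__main__":
    for finding in audit_splunk_upload(ARTIFACT_DEFAULTS):
        print("finding:", finding)
    hdrs, payload = build_hec_request([{"Name": "alice"}], "velociraptor", ARTIFACT_DEFAULTS["Tkn"])
    print(hdrs["Authorization"], payload, sep="\n")
```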