I can load a Sysmon log into Splunk as a lookup table, but how do I view it after that? What code do I use to view the log in search?
Hi @Blackdragon7,
first: did you already ingest the Sysmon logs or not?
If yes, you only have to find out whether these logs are in a lookup or (more likely) in an index.
Using this information, you can search your logs (index or lookup):
index=your_sysmon_index
or
| inputlookup your_sysmon_lookup.csv
If instead you haven't indexed Sysmon yet, you have to use an Add-on (I suggest the Splunk Add-on for Sysmon at https://splunkbase.splunk.com/app/5709 ) and follow the instructions to ingest Sysmon data.
Then, to search the logs, you can create your own searches and dashboards or use an App from Splunkbase (https://splunkbase.splunk.com/apps?keyword=sysmon).
If you have problems creating searches, you can follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial).
Ciao.
Giuseppe
Hi Giuseppe
I uploaded the sysmon.json file into Splunk as a new lookup file. I tried your code and neither one worked.
Regards,
Idries
Hi gcusello,
Thanks for the information. Yes, I had loaded them as lookup tables; I just needed your code to view them from the search. I'll see if that works. It's a sysmon.json log file. I need to view the logs to uncover some information to complete the advanced Splunk room on TryHackMe.
Regards,
Idries
Again, you cannot use a JSON log as a lookup, unless you have an external system to convert these JSON events to CSV (which is not trivial and is generally ill advised because there is no industry standard for doing this).
Again, what is it you are really trying to achieve? What fields in the JSON file interest you? What do the values look like? How do you plan to use these field names and values? In the end, if some fields are useful as lookup, you can always ingest the file into an index, then use outputlookup to save them into lookup format.
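As an added illustration (not part of any reply in this thread), here is the ingest-then-outputlookup approach described above written as SPL. The index name, sourcetype, file name and the Sysmon field names (EventCode, Image, CommandLine, ParentImage, User) are assumptions; the actual field names depend on how the JSON was produced and how the add-on extracts it, so inspect a few raw events first and adjust.

```spl
/* Step 1: search the indexed Sysmon events (index and sourcetype are assumed names).
   spath extracts fields from the JSON in _raw if the sourcetype has not already done so. */
index=your_sysmon_index sourcetype=your_sysmon_sourcetype
| spath input=_raw
/* Keep only Sysmon process-creation events (Event ID 1) and the columns worth keeping
   for later reference; these field names are assumed and may differ in your data. */
| search EventCode=1
| table _time Computer EventCode Image CommandLine ParentImage User
/* Step 2: write the result set out as a CSV lookup (file name is assumed). */
| outputlookup sysmon_process_creation.csv

/* Step 3: read the lookup back to confirm it was written and to browse it. */
| inputlookup sysmon_process_creation.csv
| head 20
```

Run the first pipeline once to create the lookup; the second pipeline is the one you use afterwards to view it. Note that this only works because the events were first indexed: uploading the raw JSON file directly as a lookup skips the event parsing, which is why the plain "| inputlookup" over the uploaded file returns nothing useful.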
Hi @Blackdragon7,
as I said, reconsider the choice of using a lookup: in my opinion it's better to have these logs in an index,
because I suppose that you continuously receive them and you need history.
Let us know if you need more help.
Ciao.
Giuseppe
P.S.: Karma Points are appreciated by all the Contributors 😉
If by Sysmon you mean Windows Sysmon, I can't see how it can be useful as a lookup table. Maybe you can describe what you are trying to achieve instead?