Client Telemetry Setup [SOC Automation with AI Implementation]

 Goal:

Now that Splunk has been installed, it's time to set up the Windows Client to start sending the collected logs to the Splunk server.

Telemetry Set up:

The first step is to download and install "Splunk Universal Forwarder" from the Splunk website.

the setup is straight forward. After agreeing to the License Agreement, I type in a username and manually set the password.













On the Receiving Indexer screen I input the IP address of the Splunk Server as well as the port number that we set to 9997. Then I just continued and let it finish installing.














After the installation I have to navigate to "C:\Program Files\SplunkUniversalForwarder\etc\system\local" and add the "inputs.conf" file that will allow the Windows client telemetry to be forwarded to the Splunk server.



-








Next I ran "Services" as admin and searched for the "SplunkForwarder" service. Double clicking it, and going into "Log On" and change it to "Local System account", then Apply and OK. The Last step is to right click the service and restart it.















The Splunk server should now be receiving data from the Windows Client. This can be verified by logging into the Splunk server through the web browser and going to "Search and Reporting" under "Apps".









Summary and Reflection:

It was refreshing to do something simple this time. This was very different than when I had to set up agents for Wazuh. I do believe this is the easier part of the project and that the part that might be a little more challenging is when I have to string everything together.

Comments

Post a Comment

Popular posts from this blog

About Me

A Quick Introduction: Hello, my name is Erick and I'm an aspiring SOC Analyst who's trying to turn close to two decades of tech experience and passion into a career. I've been the tech guy among my friends and family for almost two decades and have experience troubleshooting and solving hardware, software, and network related computer problems. I've built PCs, hosted game servers, and troubleshoot computer problems both in person and over the phone. Over the years, I've not only learned to solve technical problems quickly, but also how to explain them to both technical and non technical users. What was originally a hobby of mine turned into a deep and growing interest in cybersecurity and IT operations. In pursuit of becoming a SOC Analyst, I have earned my CompTIA Security+ Certificate in September of 2025, strengthening my foundational knowledge in network defense, threat detection, and incident response. Technical Background: Troubleshooting and System Setup: I h...
Read more

VM Setup [SOC Automation with AI Implementation]

Image
Project Overview: Build an automated workflow using n8n. Splunk will ingest logs, create an alert and send it to n8n where ChatGPT can process the alert and output the information on to slack. Required Files: VM Environment Software: Oracle VirtualBox (https://www.virtualbox.org/) OS ISOs: Kali Linux ISO (https://www.kali.org/get-kali/#kali-virtual-machines) Ubuntu Server ISO (https://ubuntu.com/download/server) Windows 10 ISO (https://www.microsoft.com/en-us/software-download/windows10) VM Setup: Before I can begin automating anything, I must first set up the Virtual Machine environments that will be used to run the n8n Server, the Splunk Server, the Ubuntu Client, and the Windows Client. I generally prefer to allocate enough resources so as to give the VMs more headroom to allow them to deal with more stress. Windows Client: For the installation of the Windows Client, I set the Base Memory to 4GB, the core count to 2, and the Disk Size to 50GB. The installation if fairly straight for...
Read more

Implementing Slack and Putting it all together [SOC Automation with AI Implementation]

Image
  Goal:  To fully integrate ChatGPT using n8n and piece everything together. Workflow Setup: First it's important to disable the Splunk alert for now because we are done with the current test. Then on the n8n server, going back to canvas, we can pin the output so that we don't need to keep triggering the workflow. Before continuing, I created an API Platform account on openai.com. I clicked on "start building" to set it up, naming my organization "Caser" and the API key name "Caser-SOC-Project", and then generated an API key. Once I had this copied it was time to go back and start setting up the workflow. This is where I encountered my first major issue. I went on vacation and during that time I wasn't able to work on the project. This led to my session being timed out, and when I logged back in I was no longer able to pin the webhook trigger event. I spent some time looking to see if there was a way to simply revert it or to see if there was a...
Read more