Follow these instructions once you have received your trial license email for cmdReporter.
cmdReporter will work with any SIEM that accepts JSON. We suggest viewing cmdReporter data in Splunk, since that works out of the box; if you are using a different tool and have trouble getting the data imported, let us know. We are happy to help you troubleshoot; reach out to firstname.lastname@example.org.
cmdReporter Trial Details
Config Profile Details:
You should have received a configuration profile with some default settings and license information in your trial email. Let us know if they were stripped by your email servers, and we can send them a different way.
Level 2 will generate network traffic logs in addition to everything Level 1 captures. We suggest starting with Level 2. If you would also like to see all terminal activity that does not involve elevated privileges, change the <key>AuditEventLogVerboseMessages</key> key to true in the config profile.
Full documentation on which events are included in each log level is here
The Documentation Wiki (this site):
Optional Splunk Tools
If you are using a different SIEM to import your cmdReporter data, you can skip this step.
If you already have a Splunk instance and would just like the TA, here is the direct link.
If you are using Splunk's "Infosec App for Splunk", which is included in our bootstrapping script, there are some additional details to know:
The "endpoint", "continuous monitoring/network", "investigation/host investigation" and "continuous monitoring/authentications" dashboards in the Splunk Infosec application are the most interesting.
If you want to search the raw logs, this base search will return all events, and you can narrow down what you want to see from there:
cmdReporter uses multiple sourcetypes, per Splunk's best practices, in the format:
If you'd prefer to test locally on the machine, the bootstrapping script will set up a local Splunk Enterprise trial together with our cmdReporter-TA and Splunk's free "information security" app, which natively parses and displays cmdReporter's data read directly from disk; the script takes care of all of that for you.
The installed files from this bootstrapping script are limited to /Applications/splunk for easy troubleshooting.
The steps would be:
1) Download and install the config profile, then the cmdReporter installer pkg
2) Download and run the bootstrapper script, and create an admin username/password for your local Splunk server
3) Log into your new local Splunk instance and poke around (InfoSec app is most interesting)
We purposely set the local Splunk Enterprise install to NOT start automatically on reboot. Running /Applications/splunk/bin/splunk start will bring the server back up after you reboot your laptop.
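The checks below tie together the profile setting above (AuditEventLogVerboseMessages), the install order of the three steps, and the manual Splunk restart. This is an added example, not cmdReporter's or Splunk's own tooling; it assumes the installed profile's name contains "cmdReporter" and that the local Splunk lives under /Applications/splunk, and it demonstrates the check on a constructed profile fragment when run without arguments.

```shell
#!/bin/sh
# Sanity checks for the cmdReporter trial setup described above.
# Added example; not cmdReporter's or Splunk's own tooling.
# Assumptions not taken from the page: the installed profile's name contains
# "cmdReporter", and the local Splunk install lives under /Applications/splunk.
SPLUNK_HOME=${SPLUNK_HOME:-/Applications/splunk}

# Succeeds if a `profiles list` listing (passed as text) shows the trial profile.
profile_installed() {
  printf '%s\n' "$1" | grep -qi 'cmdReporter'
}

# Succeeds if the profile/plist file sets AuditEventLogVerboseMessages to true.
# plist booleans are a separate <true/> element, usually on the next line, so
# whitespace is stripped before matching the key/value pair.
verbose_enabled() {
  tr -d ' \t\r\n' < "$1" | grep -q '<key>AuditEventLogVerboseMessages</key><true/>'
}

# Start the local Splunk Enterprise instance if it is not running; the trial
# install is deliberately not started on reboot (see above).
ensure_splunk_running() {
  if "$SPLUNK_HOME/bin/splunk" status 2>/dev/null | grep -q 'splunkd is running'; then
    echo "splunkd already running"
  else
    "$SPLUNK_HOME/bin/splunk" start
  fi
}

# Real checks on a macOS host: `check <path-to-profile.mobileconfig>`.
check_host() {
  profile_installed "$(profiles list 2>/dev/null)" \
    && echo "cmdReporter profile: installed" \
    || echo "cmdReporter profile: NOT found (install it before the pkg)"
  if [ -n "$1" ] && verbose_enabled "$1"; then echo "verbose terminal logging: on"
  else echo "verbose terminal logging: off (log level defaults apply)"; fi
  ensure_splunk_running
}

# Offline demo on a constructed profile fragment, not the real trial profile.
demo() {
  f=$(mktemp)
  printf '<dict>\n <key>AuditEventLogVerboseMessages</key>\n <true/>\n</dict>\n' > "$f"
  verbose_enabled "$f" && echo "constructed profile: verbose logging on"
  rm -f "$f"
}

case "${1:-demo}" in
  check) check_host "$2" ;;
  *) demo ;;
esac
```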
Here is an example video of the bootstrapping script going from nothing to a full Splunk instance looking at cmdReporter data in about 2 minutes.