To all concerned,
A coworker and I have authored an ingestion tool for Splunk called
Ta-Volatility, https://splunkbase.splunk.com/app/3919/, that takes JSON-formatted
unified outputs from Volatility. As it stands right now, it can
handle over 160 plugins across Windows, Linux and Mac, and we're adding
more every day. We are adding unified outputs to the standard plugins that
do not have them, GitHub PR #501
<https://github.com/volatilityfoundation/volatility/pull/501>. The app
will support the latest version of Volatility (volatilityfoundation or
mutedmouse's fork, https://github.com/mutedmouse/ta-volatility). The app's
setup page describes the required folder structure. By default the source
is "volatility" and the index is main, although you can set this
by adding index=<yourindex> in the inputs.conf file.
Below is a sample Sankey visualization from an analyzed Windows 10 system's
ingested pslist plugin output.
Enjoy and please let us know if there is anything you would like added
(aside from charts and dashboards - those are coming 😀 ).
V/r,
Chris
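As an added example (not part of the original message or of the Ta-Volatility app), the snippet below shows what ingesting one unified JSON output involves: Volatility 2's JSON renderer emits a single document of the form {"columns": [...], "rows": [...]}, so each row has to be flattened into its own event before Splunk can search it. The pslist sample is constructed, the plugin/source/index fields and the orphan check are my own choices and not the app's schema.

```python
import json

# Constructed sample, shaped like Volatility 2's json renderer output
# for the pslist plugin on a Windows image (rows are made up).
SAMPLE_PSLIST_JSON = json.dumps({
    "columns": ["Offset(V)", "Name", "PID", "PPID", "Thds", "Hnds",
                "Sess", "Wow64", "Start", "Exit"],
    "rows": [
        ["0xffffe0001a2b3040", "System", 4, 0, 120, 2000, -1, 0,
         "2018-01-01 10:00:00 UTC+0000", ""],
        ["0xffffe0001b4c5080", "lsass.exe", 612, 480, 9, 1100, 0, 0,
         "2018-01-01 10:00:05 UTC+0000", ""],
        ["0xffffe0001c6d70c0", "explorer.exe", 1880, 1812, 40, 1500, 1, 0,
         "2018-01-01 10:01:10 UTC+0000", ""],
    ],
})


def unified_json_to_events(raw, plugin, source="volatility", index="main"):
    """Flatten one unified-output JSON document into one dict per row.

    Each event carries the plugin name plus the Splunk source and index it is
    bound for (defaults mirror the message: source "volatility", index main),
    so a search like `source=volatility plugin=pslist` can find it. A row whose
    length does not match the header is a corrupted or truncated output and is
    rejected rather than silently misaligned.
    """
    doc = json.loads(raw)
    columns = doc["columns"]
    events = []
    for row in doc["rows"]:
        if len(row) != len(columns):
            raise ValueError("row/column count mismatch in %s output" % plugin)
        event = dict(zip(columns, row))
        event["plugin"] = plugin
        event["source"] = source
        event["index"] = index
        events.append(event)
    return events


def find_orphans(events):
    """Names of processes whose PPID matches no PID in the listing.

    A quick sanity check before drawing a PID -> PPID Sankey from pslist: in a
    complete listing only the idle/System process (PPID 0) should be parentless,
    so unexpected orphans point at exited parents or a truncated ingest.
    """
    pids = {e["PID"] for e in events}
    return [e["Name"] for e in events
            if e["PPID"] != 0 and e["PPID"] not in pids]
```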