
dfirvault/Splunk-DFIR-Dashboards


DFIR Splunk App

Version: 0.1 (Initial Release) Status: ✅ Released App Name: DFIR

Overview

The DFIR Splunk App is published on Splunkbase, where it is listed as v0.2: https://splunkbase.splunk.com/app/8368. The GitHub release linked below is tagged v0.1, the initial version. Either way you get a streamlined, easy-to-install package containing all essential dashboards for Digital Forensics and Incident Response (DFIR) operations.

This app is designed to simplify deployment and ensure consistency across your Splunk environments by bundling everything into a single, installable unit. To install it:

  1. Download the latest DFIR.spl file from https://github.com/dfirvault/Splunk-DFIR-Dashboards/releases/tag/v0.1.
  2. In your Splunk Web interface, navigate to Apps > Manage Apps.
  3. Click on Install app from file.
  4. Click Choose File and select the downloaded DFIR.spl file.
  5. Click Upload.
  6. Restart Splunk if prompted.

🕵️‍♂️ Splunk DFIR Dashboard Collection

This repository contains a curated set of tested and production-ready Splunk dashboard XML files designed specifically for Digital Forensics and Incident Response (DFIR) investigations.


📦 What’s Inside

These dashboards were developed, refined, and tested over years of real-world DFIR cases. Each XML file is a complete Splunk dashboard that provides insights into log data commonly collected during investigations. Credit: https://github.com/Truvis/SplunkDashboards

✅ Features

  • Case-Based Drop-down Selector: Analysts can select the case-specific index from a drop-down menu.
  • Plug-and-Play Dashboards: Ingest logs (evtx, csv, json, plaso, etc.) into a designated index with a sourcetype Splunk can parse; the dashboards search that index and render the results without further configuration.
  • Automated Analysis: Built-in searches and panels provide immediate visualizations and actionable insights.
  • Flexible Data Ingestion: Works with a wide range of log types and formats.
  • Optimized for Local Splunk Enterprise deployments (no Splunk Cloud dependencies).

🧠 Use Case

These dashboards are intended for DFIR analysts who need quick, repeatable, and insightful visibility into forensic data. Typical workflow:

  1. Spin up a local instance of Splunk Enterprise.
  2. Ingest logs collected from the case:
    • Windows Event Logs (.evtx)
    • Plaso storage files
    • CSVs from triage tools or EDRs
    • JSON/NDJSON logs
  3. Assign them to a unique index (e.g., case_july2025_ransomware).
  4. Open the corresponding dashboard in Splunk and, if it has a time picker, set it to All time: forensic evidence carries historical timestamps that a default Last 24 hours window would hide.
  5. Use the index selector to switch between cases.
  6. Begin analysis using built-in visualizations, correlations, and automated insights.

πŸ“ Dashboard Structure

Each .xml file in this repo is a complete dashboard definition. You can:

  • Copy/paste the XML into Splunk’s "Import Dashboard" interface.
  • Or place it into $SPLUNK_HOME/etc/apps/YOUR_APP_NAME/default/data/ui/views/ (use local/ rather than default/ for a copy you have modified, so an app upgrade does not overwrite it), then restart Splunk or reload views from the /debug/refresh page.
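The workflow above (create a case index, ingest the evidence, pick the case from a drop-down) and the view-file placement in this section, carried through as one added example script. It is not part of this repository: it derives a valid index name from a case label, creates the index and one-shots each evidence file with the splunk CLI, and writes a minimal Simple XML form with a case_* index drop-down under local/. The SPLUNK_HOME default, the DFIR app directory name, the case_ prefix, the extension-to-sourcetype mapping and the case_selector.xml view name are this example's assumptions; when the splunk binary is absent it prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not part of dfirvault/Splunk-DFIR-Dashboards. Stands up one
# per-case index, one-shots an evidence directory through the splunk CLI and
# deploys a minimal Simple XML form whose drop-down lists every case_* index.
# Assumptions: SPLUNK_HOME is a local Splunk Enterprise install, the app dir
# is named DFIR, and the evidence files sit flat in one directory.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
APP_NAME="${APP_NAME:-DFIR}"

# Run the splunk CLI if present, otherwise print the command (dry run).
splunk_cmd() {
  if [ -x "$SPLUNK_HOME/bin/splunk" ]; then
    "$SPLUNK_HOME/bin/splunk" "$@"
  else
    printf 'DRY-RUN: splunk %s\n' "$*"
  fi
}

# Derive a valid index name from a free-form case label. Splunk index names
# may contain only lowercase letters, digits, '_' and '-', must not start with
# '_' or '-', and must not contain "kvstore"; other characters become '_'.
case_index_name() {
  name="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -c 'a-z0-9_-' '_')"
  name="$(printf '%s' "$name" | sed -E 's/_+/_/g; s/^[_-]+//; s/[_-]+$//')"
  case "$name" in
    *kvstore*|'') echo "cannot derive an index name from '$1'" >&2; return 1 ;;
  esac
  printf 'case_%s' "$name"
}

# Map an evidence file to a sourcetype. csv and _json are built in;
# preprocess-winevt is what a Windows-hosted Splunk uses for archived .evtx
# (a Linux host cannot parse raw .evtx). Plaso storage files are SQLite and
# need a psort export (e.g. -o json_line) first, so they get no sourcetype.
sourcetype_for() {
  case "$1" in
    *.evtx)          printf 'preprocess-winevt' ;;
    *.csv)           printf 'csv' ;;
    *.json|*.ndjson) printf '_json' ;;
    *)               printf '' ;;
  esac
}

# Create the case index and one-shot each recognised file into it.
ingest_case() {
  idx="$1"; dir="$2"
  splunk_cmd add index "$idx"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    st="$(sourcetype_for "$f")"
    if [ -z "$st" ]; then
      echo "skipping $f: no sourcetype mapping (convert it first)" >&2
      continue
    fi
    splunk_cmd add oneshot "$f" -index "$idx" -sourcetype "$st"
  done
}

# Write the form under local/ (default/ is overwritten on app upgrade). The
# drop-down is populated from the case_* indexes; the panel searches all time
# because evidence timestamps are historical and "Last 24 hours" shows nothing.
write_case_dashboard() {
  views="$SPLUNK_HOME/etc/apps/$APP_NAME/local/data/ui/views"
  mkdir -p "$views"
  cat > "$views/case_selector.xml" <<'XML'
<form>
  <label>Case selector (added example)</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="case_index" searchWhenChanged="true">
      <label>Case index</label>
      <fieldForLabel>index</fieldForLabel>
      <fieldForValue>index</fieldForValue>
      <search><query>| eventcount summarize=false index=case_* | dedup index | table index</query></search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Events per sourcetype in $case_index$</title>
      <chart>
        <search>
          <query>index=$case_index$ | stats count by sourcetype</query>
          <earliest>0</earliest><latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
XML
  printf '%s\n' "$views/case_selector.xml"
}

# Usage: ./case_ingest.sh "July2025 Ransomware" /evidence/july2025
main() {
  idx="$(case_index_name "$1")"
  ingest_case "$idx" "$2"
  write_case_dashboard
  printf 'case index: %s\n' "$idx"
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Two details matter for DFIR use: the panel pins earliest=0 so historical evidence is not hidden by the default time window, and raw .evtx can only be indexed by a Windows-hosted Splunk; on a Linux host convert event logs to CSV or JSON before ingesting, and export Plaso storage files with psort rather than pointing Splunk at the SQLite file.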

🚀 Getting Started

Installation steps

Step 1 - Install Splunk: download and install from https://www.splunk.com

Step 2 - Install the DFIR Splunk App (Apps > Manage Apps > Install app from file, as described under Overview)

Step 3 - Create an index and ingest data

Step 4 - Refresh the dashboard


🛠 Dashboard Types

This repository includes dashboards for:

  • 🔍 Event Log Triage
  • 📊 Process Timeline Visualization
  • 🧾 Logon Activity Summaries
  • 🖥️ Host Artifact Mapping
  • 💾 Plaso Timeline Analysis
  • 🛡️ Detection Hits by Rule/Tool
  • … and more

Each dashboard is annotated in comments for ease of understanding and modification.


📚 Resources


🤝 Contributions & Feedback

This project is continuously improved. If you have:

  • Suggestions for enhancements,
  • A bug or false positive to report,
  • Or a dashboard of your own to contribute,

👤 Author

Jacob Wilson
📧 [email protected] https://www.linkedin.com/in/jacob--wilson/

More information: https://dfirvault.com

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.