Hi,
I am trying to use the ThreatHunting app (https://splunkbase.splunk.com/app/4305/).
But I never see anything.
I've adjusted the macros for our window logs.
I've created the threathunting index as docs suggests, but nothing ever ends up in that index.
My searches did not reveal anything.
thx
afx
The threathunting index is a summary index. It gets populated once one of the over 150 searches finds anything noteworthy; all relevant fields of that event will be saved as an event in the threathunting index.
You can try to validate whether the macros yield results in the search bar, e.g. sysmon or windows-security.
If there are no results, you might want to check whether you've changed them properly.
Hi there,
one question:
I am using Threathunting on a Search Head where Enterprise Security is also installed. But I am using distributed environment and indexers are remote ones.
My threathunting index is empty even after making all actions described in this thread. All my macros work ok and also props.conf is changed to the correct sources.
I also installed Threathunting app to my indexer (even a second index there), but still both indexes are empty.
Any help would be appreciated.
Many thanks,
Chris
Ok, finally found it!
The props.conf file references long sourcetypes, but once one has the Splunk Windows and Sysmon apps installed they all get mapped to XmlWinEventLog, and one needs to set up source:: stanzas for the names in props.conf. Just adding source:: in front of the names in the stanzas does it:
[source::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
[source::WinEventLog:Microsoft-Windows-Sysmon/Operational]
[source::WinEventLog:Security]
That and fixing a few places in the UI & savedsearches where the windows macro was not used but a hardcoded reference to the windows index.
Now my threathunting index gets populated 😉
I've opened two issues on GitHub for this.
cheers
afx
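An added example (not from the ThreatHunting app or from any poster in this thread) that models the stanza matching described in the post above: a bare stanza name is compared against an event's sourcetype, a source:: name against its source, so once the TAs set sourcetype to XmlWinEventLog only the source:: stanzas still match. The props.conf fragments and event metadata are constructed, and the matching rules are a simplified model of Splunk's (the "*" wildcard is honoured, regex stanzas are not).

```python
"""Simplified model (assumption) of how Splunk picks props.conf stanzas for an
event, to show why sourcetype-keyed stanza names stop matching after the
Windows/Sysmon TAs rewrite sourcetype to XmlWinEventLog."""
import re
from fnmatch import fnmatchcase

# Constructed props.conf fragments: the original (sourcetype-keyed) stanza
# names and the source::-prefixed fix. Only the stanza headers matter here.
PROPS_BEFORE = """
[WinEventLog:Security]
[WinEventLog:Microsoft-Windows-Sysmon/Operational]
"""
PROPS_AFTER = """
[source::WinEventLog:Security]
[source::WinEventLog:Microsoft-Windows-Sysmon/Operational]
[source::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
"""

# Constructed event metadata: sourcetype has been normalised by the TA, the
# original channel name survives only in the 'source' field.
SYSMON_EVENT = {"sourcetype": "XmlWinEventLog",
                "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational",
                "host": "ws01"}
SECURITY_EVENT = {"sourcetype": "XmlWinEventLog",
                  "source": "WinEventLog:Security",
                  "host": "ws01"}


def stanza_names(props_text):
    """Return the stanza headers found in a props.conf fragment."""
    return re.findall(r"^\[(.+)\]\s*$", props_text, flags=re.M)


def stanza_matches(name, event):
    """source:: and host:: stanzas match on that field (with '*' wildcards);
    any other stanza name is treated as a sourcetype and matched against it."""
    for prefix, field in (("source::", "source"), ("host::", "host")):
        if name.startswith(prefix):
            return fnmatchcase(event[field], name[len(prefix):])
    return fnmatchcase(event["sourcetype"], name)


def matching_stanzas(props_text, event):
    """All stanza names in props_text that would apply to this event."""
    return [n for n in stanza_names(props_text) if stanza_matches(n, event)]


if __name__ == "__main__":
    for label, props in (("before", PROPS_BEFORE), ("after", PROPS_AFTER)):
        for ev in (SYSMON_EVENT, SECURITY_EVENT):
            print(label, ev["source"], "->", matching_stanzas(props, ev))
```

Running it prints an empty list for both events against PROPS_BEFORE and exactly one source:: stanza for each against PROPS_AFTER, which is the behaviour the post above describes.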
Hmm,
now this is strange.
I know I have set the macro. But when I got into the objects of the app and click on sysmon, splunk calls the following URL
https://splunk:8000/en-GB/manager/website_monitoring/data/macros/sysmon?action=edit&f_count=100&f_se...
And I get a "404 Not Found" error...
This is weird.
But when I try to execute the macros in the context of the app, they show me the right events.
Puzzled...
afx
@afx, can you try after clearing up cache and cookies
I've been trying this over many days on a Citrix system where FF is cleaned up completely overnight.
@olafhartong, thanks for your explanation. I'd like to know how saved searches feed the threat hunting summary index, and what mechanism captures their results and adds them to the summary index?
@afx, have you configured the "threathunting" index on the indexers? If yes, can you please put those stanzas here?
Hi @saikiran334, yes, as I wrote above I have defined the index, here is the stanza:
[threathunting]
coldPath = $SPLUNK_DB/threathunting/colddb
homePath = $SPLUNK_DB/threathunting/db
thawedPath = $SPLUNK_DB/threathunting/thaweddb
frozenTimePeriodInSecs = 40176000
repFactor = auto
cheers
afx