
How does the threathunting index get populated?

afx
Contributor

Hi,
I am trying to use the ThreatHunting app (https://splunkbase.splunk.com/app/4305/).
But I never see anything.
I've adjusted the macros for our Windows logs.
I've created the threathunting index as the docs suggest, but nothing ever ends up in that index.

My searches did not reveal anything.

thx
afx

0 Karma

olafhartong
Engager

The threathunting index is a summary index. It gets populated once one of the over 150 searches finds anything noteworthy; all relevant fields of that event will be saved as an event in the threathunting index.

You can try to validate whether the macros yield results in the search bar, e.g. sysmon or windows-security.
If there are no results you might want to check whether you've changed them properly.

0 Karma

b_chris21
Communicator

Hi there,

one question:

I am using Threathunting on a Search Head where Enterprise Security is also installed. But I am using a distributed environment and the indexers are remote ones.

My threathunting index is empty even after making all actions described in this thread. All my macros work ok and also props.conf is changed to the correct sources.

I also installed Threathunting app to my indexer (even a second index there), but still both indexes are empty.

Any help would be appreciated.

Many thanks,

Chris

0 Karma

afx
Contributor

Ok, finally found it!

The props.conf file references long sourcetypes, but once one has the Splunk Windows and Sysmon apps installed they all get mapped to XmlWinEventLog, and one needs to set up source:: stanzas for the names in props.conf. Just adding source:: in front of the names in the stanzas does it:

# props.conf: key the stanzas on the source field (the event channel name),
# since the Windows/Sysmon apps rewrite the sourcetype to XmlWinEventLog
[source::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
[source::WinEventLog:Microsoft-Windows-Sysmon/Operational]
[source::WinEventLog:Security]

That, and fixing a few places in the UI & saved searches where the windows macro was not used but a hardcoded reference to the windows index was.

Now my threathunting index gets populated 😉

I've opened two issues on GitHub for this.

cheers
afx
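To tie the two fixes in this thread together (the summary-indexing mechanism olafhartong describes and the source:: stanza change above), here is an added, illustrative set of Splunk configuration fragments. This is not configuration from the ThreatHunting app itself: the macro definitions, the example saved search and its name are assumptions; only the source:: stanza names and the threathunting index name come from the thread. It shows the generic Splunk way a scheduled search writes its results into a summary index (action.summary_index in savedsearches.conf).

```ini
# --- local/macros.conf (assumed definitions; adjust to your own index and sources) ---
# The app's searches reference the windows/sysmon macros, so these must return events
# before anything can reach the summary index. Validate them in the search bar first.
[windows]
definition = index=windows
iseval = 0

[sysmon]
definition = `windows` source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
iseval = 0

# --- local/props.conf ---
# Before: a stanza keyed on the long channel name as a *sourcetype*. The Windows and
# Sysmon apps rewrite the sourcetype to XmlWinEventLog, so this stanza never matches.
# [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]

# After: key the same settings on the *source* field, which still carries the channel name.
[source::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
# (the app's own field extraction settings go here, unchanged)

# --- local/savedsearches.conf (illustrative search, not one shipped by the app) ---
# A scheduled search with action.summary_index enabled writes each result row as an
# event into the named summary index; the event's source becomes the search name.
[ThreatHunting - Example - Office child process]
search = `sysmon` EventCode=1 ParentImage="*\\winword.exe" | fields _time host user Image CommandLine ParentImage
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
enableSched = 1
action.summary_index = 1
action.summary_index._name = threathunting
```

After deploying, first confirm the macro alone returns events (run `sysmon` over the last 24 hours), then run the saved search interactively; if it produces rows, the next scheduled run should write them and `index=threathunting | stats count by source` will show one line per contributing search. An empty threathunting index with working macros usually means the scheduled searches are disabled, the index is not defined on the indexers, or the searches return nothing for the time window.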

afx
Contributor

Hmm,
now this is strange.
I know I have set the macro. But when I go into the objects of the app and click on sysmon, Splunk calls the following URL

https://splunk:8000/en-GB/manager/website_monitoring/data/macros/sysmon?action=edit&f_count=100&f_se...

And I get a "404 Not Found" error...

This is weird.

But when I try to execute the macros in the context of the app, they show me the right events.

Puzzled...
afx

0 Karma

saikiran334
Explorer

@afx, can you try after clearing up cache and cookies?

0 Karma

afx
Contributor

I've been trying this over many days on a Citrix system where FF is cleaned up completely overnight.

0 Karma

saikiran334
Explorer

@olafhartong, thanks for your explanation. I'd like to know how the saved searches feed the threat hunting summary index, and what mechanism captures their results and adds them to the summary index?

0 Karma

saikiran334
Explorer

@afx, have you configured the "threathunting" index on the indexers? If yes,
can you please put those stanzas here?

0 Karma

afx
Contributor

Hi @saikiran334, yes, as I wrote above I have defined the index, here is the stanza:

# indexes.conf (deployed to the indexers)
[threathunting]
coldPath = $SPLUNK_DB/threathunting/colddb
homePath = $SPLUNK_DB/threathunting/db
thawedPath = $SPLUNK_DB/threathunting/thaweddb
frozenTimePeriodInSecs = 40176000
repFactor = auto

cheers
afx

0 Karma