Sorry, but I'm having a hard time understanding exactly what you did to fix this. I ran the BTOOL (as you stated), and saw the following results:
/opt/splunk/etc/apps/ThreatHunting/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW event_description
/opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
/opt/splunk/etc/apps/TA-microsoft-windefender/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
Now you say: "In my case, the TA was there but not really in use so I commented the line from the MS TA"
Which TA?
Which MS TA?
Which line?
Let me know. Thanks!
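An added example, not code from the original post or from any of the apps named in it: a small parser for the `splunk btool props list --debug` output format shown above (the three quoted lines are used as constructed sample input), which groups every LOOKUP- setting by name and reports the ones that more than one app supplies. That is the quickest way to see, on a larger deployment, which apps are competing for the same automatic-lookup name before deciding where an override belongs. Assumptions: the input lines follow btool's `path key = value` layout, and app names are taken from the `/etc/apps/<app>/default|local/` part of the path.

```python
"""Group btool --debug output by setting name to spot LOOKUP- definitions that several apps supply.

Added example; not the poster's code. Assumes the 'path key = value' line layout that
`splunk btool props list --debug` prints, with app names recoverable from the file path.
"""
import re
from collections import defaultdict

# Constructed sample input: the three btool lines quoted in the post above.
BTOOL_OUTPUT = """\
/opt/splunk/etc/apps/ThreatHunting/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW event_description
/opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
/opt/splunk/etc/apps/TA-microsoft-windefender/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
"""

# One btool --debug line: <source file> <setting name> = <value>
LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")
# Pull the app name and whether the file sits in default/ or local/ out of the path
APP_RE = re.compile(r"/etc/apps/(?P<app>[^/]+)/(?P<scope>default|local)/")


def parse_btool_line(line):
    """Return (app, scope, key, value) for one btool --debug line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    a = APP_RE.search(m["path"])
    # Files outside etc/apps (e.g. etc/system) keep their full path as the "app"
    app, scope = (a["app"], a["scope"]) if a else (m["path"], "")
    return app, scope, m["key"], m["value"].strip()


def find_duplicate_settings(text, prefix="LOOKUP-"):
    """Map each setting name starting with `prefix` to the (app, scope, value) triples
    that define it, keeping only names that more than one app defines."""
    by_key = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_btool_line(line)
        if parsed is None:
            continue
        app, scope, key, value = parsed
        if key.startswith(prefix):
            by_key[key].append((app, scope, value))
    return {k: v for k, v in by_key.items() if len({app for app, _, _ in v}) > 1}


if __name__ == "__main__":
    for key, definers in find_duplicate_settings(BTOOL_OUTPUT).items():
        print(f"{key} is defined by {len(definers)} apps:")
        for app, scope, value in definers:
            print(f"  {app}/{scope}: {value}")
```

In practice, pipe real output in with `splunk btool props list --debug | python3 this_script.py` after changing the script to read `sys.stdin`. btool prints the stanza header above each group of settings, so check whether the competing LOOKUP-eventcode lines sit in the same stanza (then only one takes effect under Splunk's precedence rules) or in different stanzas that all match the same events. Whichever app is chosen, an override placed in that app's local/props.conf survives the next app upgrade, whereas a line commented out in default/props.conf is restored when the TA is updated.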