I am trying to use the ThreatHunting app (https://splunkbase.splunk.com/app/4305/).
But I never see anything.
I've adjusted the macros for our Windows logs.
I've created the threathunting index as the docs suggest, but nothing ever ends up in that index.
My searches did not reveal anything.
Hi @saikiran334, yes, as I wrote above I have defined the index, here is the stanza:
[threathunting]
coldPath = $SPLUNK_DB/threathunting/colddb
homePath = $SPLUNK_DB/threathunting/db
thawedPath = $SPLUNK_DB/threathunting/thaweddb
frozenTimePeriodInSecs = 40176000
repFactor = auto
The threathunting index is a summary index. It gets populated once one of the over 150 searches finds anything noteworthy; all relevant fields of that event will be saved as an event in the threathunting index.
You can try to validate whether the macros yield results in the search bar, e.g.
If there are no results, you might want to check whether you've changed them properly.
@olafhartong, thanks for your explanation. I'd like to know how the saved searches feed the threat hunting summary index, and what mechanism captures their results and adds them to the summary index?
Now this is strange.
I know I have set the macro. But when I go into the objects of the app and click on sysmon, Splunk calls the following URL
And I get a "404 Not Found" error...
This is weird.
But when I try to execute the macros in the context of the app, they show me the right events.
Ok, finally found it!
The props.conf file references long sourcetypes, but once one has the Splunk Windows and Sysmon apps installed they all get mapped to XmlWinEventLog, and one needs to set up source:: stanzas for the names in props.conf. Just adding source:: in front of the names in the stanzas does it:
[source::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
[source::WinEventLog:Microsoft-Windows-Sysmon/Operational]
[source::WinEventLog:Security]
That, and fixing a few places in the UI & savedsearches where the windows macro was not used but a hardcoded reference to the windows index.
Now my threathunting index gets populated 😉
I've opened two issues on GitHub for this.
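To make the two halves of this thread concrete (how a detection search ends up writing into the threathunting summary index, and why the macro rather than a hardcoded index belongs in the saved search), here is an added illustration. It is not the ThreatHunting app's own configuration: the macro name `sysmon` is taken from the app object mentioned above, but its definition, the index name `winevent`, the saved-search name and the search logic are placeholders. Only the props.conf stanza header and the `threathunting` index name come from the thread. The summary-index action keys are standard Splunk savedsearches.conf settings.

```ini
# props.conf (stanza header as quoted above; contents are a placeholder)
# With the Windows/Sysmon add-ons installed, events arrive as sourcetype
# XmlWinEventLog, so app settings must be keyed on the source name instead.
[source::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
# ... field extractions / aliases for Sysmon events go here ...

# macros.conf (assumed definition; keeps the index constraint in one place)
[sysmon]
definition = index=winevent source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
iseval = 0

# savedsearches.conf (assumed example detection, not one of the app's 150+)
# The search body uses the macro, never a hardcoded index=..., so changing
# the macro is enough to repoint every search at the right data.
[Sysmon - Example process summary (placeholder)]
search = `sysmon` EventCode=1 | stats count by host user Image CommandLine ParentImage
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -20m
dispatch.latest_time = now
# Summary indexing: each result row of the scheduled run is written as an
# event into the threathunting index, which is what the dashboards read.
action.summary_index = 1
action.summary_index._name = threathunting
# Optional extra field stamped on every summary event (constructed value)
action.summary_index.search_name = Sysmon - Example process summary
```

The same effect can be obtained interactively with `... | collect index=threathunting` at the end of a search, which is a quick way to confirm the index accepts writes. If a scheduled search returns rows but nothing appears under `index=threathunting`, the two places to check are the macro definition (run the macro alone in the search bar, as suggested earlier in the thread) and whether the search is actually enabled and scheduled in the app's context.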