How does the threathunting index get populated?

Contributor

Hi,
I am trying to use the ThreatHunting app (https://splunkbase.splunk.com/app/4305/).
But I never see anything.
I've adjusted the macros for our window logs.
I've created the threathunting index as the docs suggest, but nothing ever ends up in that index.

My searches did not reveal anything.

thx
afx

0 Karma

Engager

The threathunting index is a summary index. It gets populated once one of the over 150 searches finds anything noteworthy: all relevant fields of that event are then saved as an event in the threathunting index.

You can try to validate whether the macros yield results in the search bar, e.g. sysmon or windows-security.
If there are no results, you might want to check whether you've changed them properly.

0 Karma

Contributor

Ok, finally found it!

The props.conf file references long sourcetypes, but once one has the Splunk Windows and Sysmon apps installed they all get mapped to XmlWinEventLog, and one needs to set up source:: stanzas for those names in props.conf. Just adding source:: in front of the names in the stanzas does it:

[source::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
[source::WinEventLog:Microsoft-Windows-Sysmon/Operational]
[source::WinEventLog:Security]

That, and fixing a few places in the UI and savedsearches where the windows macro was not used but a hardcoded reference to the windows index was.

Now my threathunting index gets populated 😉

I've opened two issues on GitHub for this.

cheers
afx
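
Added example (not from this thread or the ThreatHunting app): a small Python audit for the two problems described in the post above, props.conf stanzas keyed on a Windows/Sysmon sourcetype name instead of a source:: pattern, and saved searches that hardcode index=windows instead of the windows macro. It also checks the action.summary_index keys, which are Splunk's standard savedsearches.conf settings through which a saved search writes its results into a summary index; the config text is constructed for the example and is not the app's own.

```python
"""Audit ThreatHunting-style Splunk app config (constructed sample text)."""
import configparser
import re

# Constructed props.conf fragment: first stanza lacks the source:: prefix.
PROPS_SAMPLE = """
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
EVAL-process_name = Image
[source::WinEventLog:Security]
EVAL-user = Account_Name
"""

# Constructed savedsearches.conf fragment with one good and two bad searches.
SAVEDSEARCHES_SAMPLE = """
[Sysmon - process created]
search = `sysmon` EventCode=1 | table host Image
action.summary_index = 1
action.summary_index._name = threathunting
[Windows - logon hardcoded]
search = index=windows EventCode=4624 | stats count by user
action.summary_index = 1
action.summary_index._name = threathunting
[Windows - no summary]
search = `windows-security` EventCode=4688
"""

def load_conf(text):
    # Splunk .conf files are INI-like; SPL may contain '%', so no interpolation.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def props_needing_source_prefix(text):
    """Map each WinEventLog/XmlWinEventLog sourcetype stanza to its source:: form."""
    return {s: "source::" + s for s in load_conf(text).sections()
            if re.match(r"(Xml)?WinEventLog:", s)}

def audit_savedsearches(text, summary_index="threathunting", macro="windows"):
    """Return (hardcoded, no_summary): searches using index=<macro> literally,
    and searches not configured to write into the summary index."""
    hardcoded, no_summary = [], []
    pattern = r'\bindex\s*=\s*"?' + re.escape(macro) + r"\b"
    for stanza, sec in load_conf(text).items():
        if stanza == "DEFAULT":
            continue
        if re.search(pattern, sec.get("search", "")):
            hardcoded.append(stanza)
        if not (sec.get("action.summary_index") == "1"
                and sec.get("action.summary_index._name") == summary_index):
            no_summary.append(stanza)
    return hardcoded, no_summary
```

Run it against a real app by reading its props.conf and savedsearches.conf into the two functions; anything returned is a stanza to review.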

Contributor

Hmm,
now this is strange.
I know I have set the macro. But when I go into the objects of the app and click on sysmon, Splunk calls the following URL:

https://splunk:8000/en-GB/manager/website_monitoring/data/macros/sysmon?action=edit&f_count=100&f_se...

And I get a "404 Not Found" error...

This is weird.

But when I try to execute the macros in the context of the app, they show me the right events.

Puzzled...
afx

0 Karma

Explorer

@afx, can you try after clearing the cache and cookies?

0 Karma

Contributor

I've been trying this over many days on a Citrix system where FF is cleaned up completely overnight.

0 Karma

Explorer

@olafhartong, thanks for your explanation. I'd like to know how the saved searches feed the threat hunting summary index, and what mechanism captures their results and adds them to the summary index?

0 Karma

Explorer

@afx, have you configured the "threathunting" index on the indexers? If yes,
can you please put those stanzas here?

0 Karma

Contributor

Hi @saikiran334, yes, as I wrote above I have defined the index; here is the stanza:

[threathunting]
coldPath = $SPLUNK_DB/threathunting/colddb
homePath = $SPLUNK_DB/threathunting/db
thawedPath = $SPLUNK_DB/threathunting/thaweddb
frozenTimePeriodInSecs = 40176000
repFactor = auto

cheers
afx

0 Karma