
How does the threathunting index get populated?

Contributor

Hi,
I am trying to use the ThreatHunting app (https://splunkbase.splunk.com/app/4305/).
But I never see anything.
I've adjusted the macros for our Windows logs.
I've created the threathunting index as the docs suggest, but nothing ever ends up in that index.

My searches did not reveal anything.

thx
afx

0 Karma

Re: How does the threathunting index get populated?

Explorer

@afx, have you configured the "threathunting" index on the indexers? If yes,
can you please post those stanzas here?

0 Karma

Re: How does the threathunting index get populated?

Contributor

Hi @saikiran334, yes, as I wrote above I have defined the index, here is the stanza:

[threathunting]
coldPath = $SPLUNK_DB/threathunting/colddb
homePath = $SPLUNK_DB/threathunting/db
thawedPath = $SPLUNK_DB/threathunting/thaweddb
frozenTimePeriodInSecs = 40176000
repFactor = auto

cheers
afx

0 Karma

Re: How does the threathunting index get populated?

Engager

The threathunting index is a summary index. It gets populated once one of the over 150 searches finds anything noteworthy; all relevant fields of that event are then saved as an event in the threathunting index.

You can try to validate whether the macros yield results in the search bar, e.g. sysmon or windows-security.
If there are no results, you might want to check whether you've changed them properly.

0 Karma

Re: How does the threathunting index get populated?

Explorer

@olafhartong, thanks for your explanation. I'd like to know how the saved searches feed the threat hunting summary index, and what mechanism captures their results and adds them to the summary index?

0 Karma
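The two posts above describe the mechanism but not the configuration that implements it. The following is an added illustration, not the ThreatHunting app's own macros.conf or savedsearches.conf and not code from any poster in this thread: the macro definitions, the index name "windows", the search bodies and the stanza names are all assumed for the example. What it shows is how a scheduled saved search with the summary_index action writes each hit into the threathunting index, and how to verify afterwards which searches have written there.

```ini
# macros.conf (assumed definitions, for illustration only; the real app ships its own)
# The app's searches never name an index directly; they go through these macros,
# so the macros are the one place that has to be adapted to the local index layout.
[windows]
definition = index=windows

[sysmon]
definition = `windows` source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

[windows-security]
definition = `windows` source="XmlWinEventLog:Security"

# savedsearches.conf (assumed hunting search, for illustration only)
# A scheduled search runs every 15 minutes over the previous 15 minutes. Every
# row it returns is written as one new event into the threathunting summary index
# by the summary_index action; Splunk stamps search_name, info_min_time,
# info_max_time and info_search_time onto each summary event on the way in.
# An equivalent search could also end with "| collect index=threathunting",
# which produces the same kind of summary events without the scheduler action.
[Example - Sysmon encoded PowerShell command line]
search = `sysmon` EventCode=1 CommandLine="*EncodedCommand*" | table _time host user Image CommandLine ParentImage
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
action.summary_index = 1
action.summary_index._name = threathunting
# Any extra action.summary_index.<field> setting is added to every summary event,
# handy for tagging hits so dashboards can filter on them later.
action.summary_index.hunt_category = command_line

# Unscheduled check: which hunting searches have written to the summary index,
# and when. If this returns nothing, the feeding searches are not matching
# (test the macros on their own first, as suggested above) or are not scheduled.
[Example - What populated threathunting]
search = index=threathunting | stats count min(_time) as first_seen max(_time) as last_seen by search_name
```

Because the summary events carry the original fields plus search_name, a search such as `index=threathunting search_name="Example - Sysmon encoded PowerShell command line"` shows exactly what one hunting search contributed. If the threathunting index stays empty while the macros return events interactively, check that the searches are actually scheduled (enableSched = 1 and a cron_schedule) and that the search head is allowed to write to the index.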

Re: How does the threathunting index get populated?

Contributor

Hmm,
now this is strange.
I know I have set the macro. But when I go into the objects of the app and click on sysmon, Splunk calls the following URL

https://splunk:8000/en-GB/manager/website_monitoring/data/macros/sysmon?action=edit&f_count=100&f_se...

And I get a "404 Not Found" error...

This is weird.

But when I try to execute the macros in the context of the app, they show me the right events.

Puzzled...
afx

0 Karma

Re: How does the threathunting index get populated?

Explorer

@afx, can you try again after clearing cache and cookies?

0 Karma

Re: How does the threathunting index get populated?

Contributor

I've been trying this over many days on a Citrix system where FF is cleaned up completely overnight.

0 Karma

Re: How does the threathunting index get populated?

Contributor

Ok, finally found it!

The props.conf file references long sourcetypes, but once one has the Splunk Windows and Sysmon apps installed they all get mapped to XmlWinEventLog, and one needs to set up source:: stanzas for the names in props.conf. Just adding source:: in front of the names in the stanzas does it:

[source::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
[source::WinEventLog:Microsoft-Windows-Sysmon/Operational]
[source::WinEventLog:Security]

That, and fixing a few places in the UI and savedsearches where the windows macro was not used but a hardcoded reference to the windows index was.

Now my threathunting index gets populated 😉

I've opened two issues on GitHub for this.

cheers
afx

0 Karma
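The fix in the last post changes only the stanza keys; the stanza bodies are not shown. The following is an added illustration of what a corrected props.conf looks like end to end. It is not the ThreatHunting app's own props.conf and not the poster's file: the field aliases and eval under each stanza are assumed for the example, and the only thing taken from the thread is the source:: keying.

```ini
# props.conf (search-time, on the search head). Added illustration only; the
# stanza bodies below are assumed examples of field normalisation, not the
# app's real extractions.
#
# Why source:: and not a sourcetype stanza: with the Splunk Add-on for
# Microsoft Windows and the Sysmon add-on installed, every XML-rendered
# Windows event arrives with sourcetype=XmlWinEventLog, and the channel
# name survives only in the "source" field. A stanza keyed on a channel-named
# sourcetype therefore never matches, and none of the fields the hunting
# searches rely on are ever extracted, so the searches return nothing and
# the summary index stays empty. Keying the stanza on source:: restores
# the match without touching the inputs.

[source::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
# assumed example body: expose Sysmon fields under the names the searches expect
FIELDALIAS-sysmon_process = Image AS process_path ParentImage AS parent_process_path
EVAL-process_name = mvindex(split(Image, "\\"), -1)

# Older inputs that still render classic (non-XML) events keep the
# WinEventLog: prefix in "source"; the same bodies apply.
[source::WinEventLog:Microsoft-Windows-Sysmon/Operational]
FIELDALIAS-sysmon_process = Image AS process_path ParentImage AS parent_process_path
EVAL-process_name = mvindex(split(Image, "\\"), -1)

[source::WinEventLog:Security]
# assumed example body: normalise the account field name used by the searches
FIELDALIAS-security_user = TargetUserName AS user
```

Before editing, confirm what the indexed data actually carries with `index=windows | stats count by source, sourcetype`; the values in the source column are what the source:: stanzas have to match literally, including the `XmlWinEventLog:` or `WinEventLog:` prefix. After the change, `index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" | extract reload=true | head 5` shows whether the aliased fields now appear on live events, and `splunk btool props list --debug` shows which file's stanza wins if several apps define the same source.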