
Re: Unable to find LOOKUP-eventcode

Explorer

I had the same and this is what I've done to fix it.
First run this
/opt/splunk/bin/splunk btool props list --debug |grep eventcode

Several will be shown... especially if you have the TA microsoft sysmon loaded on your SH, which is slightly different:
LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature

Check permissions and adapt as necessary to get it running...

In my case, the TA was there but not really in use so I commented the line from the MS TA... and the threathunter app works fine now.

Hope this helps.


Re: Unable to find LOOKUP-eventcode

Explorer

Turns out this was the fix for me. I used the btool command you listed above, and that pointed me to a permissions issue with /opt/splunk/etc/apps/TA-microsoft-sysmon/. Changed the perms for that folder to 755, and that fixed it all.

Thanks!

Edit: It was a perms issue with the lookup file itself, not the props.conf.

0 Karma

Re: Unable to find LOOKUP-eventcode

Engager

Sorry, but I'm having a hard time understanding exactly what you did to fix this. I ran the BTOOL (as you stated), and saw the following results:

/opt/splunk/etc/apps/ThreatHunting/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW event_description
/opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
/opt/splunk/etc/apps/TA-microsoft-windefender/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature

Now you say: "In my case, the TA was there but not really in use so I commented the line from the MS TA"

Which TA?

Which MS TA?

Which line?

Let me know. Thanks!

0 Karma

Re: Unable to find LOOKUP-eventcode

Explorer

Sorry for the delay.
Basically this is what Splunk says about it:
If you have more than two objects of the same category with the same name, only one of those objects is applied.
Duplicate naming can happen when objects have their permissions changed. For example, you can have lookups in two separate apps that have the same name. They do not conflict with each other when they are shared at the app level. However, if one of those lookups has its permissions changed so that it is shared globally, it is possible for one of those lookups to be applied instead of the other.

So in threat hunting, you can modify it so that it is the same as on the other app.

0 Karma
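The thread boils down to two checks: which apps define the same LOOKUP-* setting (from the btool --debug output), and whether the lookup file and its folder are readable by the user Splunk runs as. Below is an added example that automates both. It is not code from this thread or from Splunk; it assumes btool --debug prints one setting per line as "<path to props.conf> LOOKUP-<name> = <lookup table> <mappings>" (the shape of the three lines quoted above, which are reused here as constructed sample input), and the helper names (parse_btool_lookups, find_conflicts, check_lookup_file, make_fixture) are this example's own.

```python
"""Find LOOKUP-* settings defined by more than one Splunk app and check lookup file perms.

Feed it the output of:  /opt/splunk/bin/splunk btool props list --debug | grep LOOKUP-
"""
import os
import re
import stat
import tempfile
from collections import defaultdict

# Constructed sample input: the three btool --debug lines quoted in the thread above.
SAMPLE_BTOOL_OUTPUT = """\
/opt/splunk/etc/apps/ThreatHunting/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW event_description
/opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
/opt/splunk/etc/apps/TA-microsoft-windefender/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
"""

# Assumed line shape: "<.../etc/apps/<app>/.../props.conf> LOOKUP-<name> = <value>"
LINE_RE = re.compile(
    r"^(?P<path>\S*/etc/apps/(?P<app>[^/]+)/\S*props\.conf)\s+"
    r"(?P<key>LOOKUP-\S+)\s*=\s*(?P<value>.*?)\s*$"
)


def parse_btool_lookups(text):
    """Return one dict per LOOKUP-* setting found in btool --debug output."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # stanza headers, other settings, blank lines
        value = m.group("value")
        entries.append({
            "app": m.group("app"),
            "path": m.group("path"),
            "key": m.group("key"),
            "value": value,
            # the first token of the value is the lookup table name from transforms.conf
            "table": value.split()[0] if value.split() else "",
        })
    return entries


def find_conflicts(entries):
    """Report LOOKUP-* names defined by more than one app.

    Returns {key: {"apps": [sorted app names], "distinct_values": n}}; only one of
    the colliding definitions wins at search time, so any entry here needs a look.
    """
    by_key = defaultdict(list)
    for e in entries:
        by_key[e["key"]].append(e)
    conflicts = {}
    for key, defs in by_key.items():
        apps = sorted({d["app"] for d in defs})
        if len(apps) > 1:
            conflicts[key] = {
                "apps": apps,
                "distinct_values": len({d["value"] for d in defs}),
            }
    return conflicts


def check_lookup_file(path, root=None):
    """List permission problems that would stop an unprivileged splunk user reading a lookup CSV.

    Checks the file for group/other read, and each directory from its parent up to
    `root` (default: only the immediate parent) for group/other execute (traverse).
    Uses the mode bits, not os.access, so the result is the same when run as root.
    """
    if not os.path.exists(path):
        return [f"missing: {path}"]
    problems = []
    mode = os.stat(path).st_mode
    if not (mode & stat.S_IRGRP and mode & stat.S_IROTH):
        problems.append(f"file not group/other readable: {path} ({oct(mode & 0o777)})")
    d = os.path.dirname(os.path.abspath(path))
    root = os.path.abspath(root) if root else d
    while True:
        dmode = os.stat(d).st_mode
        if not (dmode & stat.S_IXGRP and dmode & stat.S_IXOTH):
            problems.append(f"directory not traversable: {d} ({oct(dmode & 0o777)})")
        if d == root or os.path.dirname(d) == d:
            break
        d = os.path.dirname(d)
    return problems


def make_fixture(dir_mode, file_mode):
    """Create a throwaway lookups dir and CSV with the given modes; returns the CSV path."""
    d = tempfile.mkdtemp()
    f = os.path.join(d, "eventcode.csv")
    with open(f, "w") as fh:
        fh.write("EventCode,EventDescription\n")
    os.chmod(d, dir_mode)
    os.chmod(f, file_mode)
    return f


if __name__ == "__main__":
    for key, info in find_conflicts(parse_btool_lookups(SAMPLE_BTOOL_OUTPUT)).items():
        print(f"{key}: defined in {len(info['apps'])} apps "
              f"({', '.join(info['apps'])}), {info['distinct_values']} distinct definitions")
    csv = make_fixture(0o700, 0o600)   # the kind of perms the thread ran into
    print(check_lookup_file(csv))
```

Against the three lines quoted above this reports LOOKUP-eventcode defined in three apps with two distinct definitions (the two TA copies are identical, ThreatHunting's differs), which is exactly the "only one of those objects is applied" situation described in the last reply. Run check_lookup_file on the CSV named in transforms.conf, with root set to the app folder, to reproduce the 755 check from the earlier reply.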