I have installed the Threat Hunting app and configured the "threathunting" index as well. When I navigated to the "About this app" tab, I found one of the whitelist files missing out of 13. When I checked the link below for lookups, I did not find the "missing" lookup file.
The link below is what I used for lookups:
https://github.com/olafhartong/ThreatHunting/commits/master/files/ThreatHunting.tar.gz
I am wondering, since the above link got its last update about 8 months ago and there has been no update since,
where can I get the missing empty lookup?
splunk version: 7.2.6
App version: 1.4.1
Looking at the source for that App, I can't see that the lookup is defined or therefore used anywhere.
As such you may be able to ignore it.
Thanks @nickhillscpl. We lately migrated our Splunk platform from one QA server to another:
1) When I copied the same query and searched in the old instance, the result showed "all lookups installed".
2) But the same thing on the new instance shows one lookup missing (with the same "rest" query, though).
I wonder if it was something left from an older version.
I have just looked all through the repository for "rare_process" and it's not there - not defined as a lookup, or a macro.
On your old instance, can you find the relevant lookup?
Just a thought. Looking at the source - it looks for any macro with a name ending with "*_whitelist".
Do you have any other apps installed which may have a macro with similar name?
Ha - in particular - this App: https://splunkbase.splunk.com/app/3449/
[filter_rare_process_whitelist] is included in that App - it looks like the macro name is cross-contamination from the Security Content App.
Yes, we have one similar lookup under the "ES-content update app".
Ah - that's what it is then. You can ignore that warning, it's just not defensively coded to avoid pulling in macro names from other apps.
So here, I don't need to create one more new lookup and attach it under the "threathunting app"? Am I correct?
Or can we modify the query a bit to ignore this specific lookup name?
Not easily. The query used to build that dashboard is this:
| rest /servicesNS/-/ThreatHunting/configs/conf-macros | search title="*_whitelist"
Since the ES-Content app presumably has its copy of the macro shared globally, that macro is 'visible' from the threathunting app, so it gets pulled in by mistake.
Just ignore it. 🙂
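As an added example, not from the original thread or the ThreatHunting app itself: the dashboard query can be restricted to macros that the app actually owns by filtering on the ACL fields the rest command returns. This assumes the standard eai:acl.app and eai:acl.sharing fields are present in the conf-macros REST output, so a globally shared macro from another app (such as the ES-Content one) is listed with its owning app and then dropped by the final where clause.

```spl
| rest /servicesNS/-/ThreatHunting/configs/conf-macros
| search title="*_whitelist"
| rename eai:acl.app AS owning_app, eai:acl.sharing AS sharing
| table title owning_app sharing
| where owning_app="ThreatHunting"
```

Running it without the last line shows every "*_whitelist" macro visible to the app together with its owning app and sharing level, which is a quick way to confirm where a stray name is coming from.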
Cool, thanks @nickhillscpl for your quick reply to this question, I really appreciate it.
Nope, I did not.
I checked in both lookups and lookup definitions.