The Threat Activity dashboard won't populate in the Splunk Enterprise Security app, although other dashboards (not all) are populated, like Protocol Center, User Agent and URL Length.
I created a list with some malicious IPs and URLs (Bro logs).
Threat list CSVs are populated in the Splunk folder.
When I run:
| inputlookup threatlist_lookup_by_cidr
it returns no results.
It seems that the data is indexed correctly and Splunk can create the data models, because I can run searches against the data models.
The Threat_Activity data model keeps showing "Building". I assume that's correct?
Does anyone know how to get the Threat Activity dashboard populated?
If the Threat datamodel hasn't completed acceleration, the Threat Activity dashboard is unlikely to show any/complete results because the tstats commands used to populate the panes only search against summarised data by default.
Alright, but the data model keeps saying "Building"... There is an asset list, the data is indexed, and I tagged the data according to CIM. So I don't understand why some are at 100% and some keep saying "Building".
It seems to me that something is going wrong with calculating and extracting the fields for the event objects of the Threat Activity data model (fields derived from Asset and Identity correlation), but I can't figure out what.
The Threat_Activity datamodel object used by that dashboard is constrained by: index=threat_activity
Could you please search index=threat_activity for all time to see if anything is in that index?
Hmm, the problem is with the TA for Bro, because I indexed some other IDS data and now the data model builds and the dashboard is showing matched IOCs 🙂 I only have to figure out where exactly it went wrong with the Bro data.
If the issue is related to the Bro TA: its CIM-tagged eventtypes use searches based upon Bro sourcetypes, and those sourcetypes are assigned dynamically at index time based upon the name of the file being ingested. So if the Bro events aren't ending up in the data models you're expecting, there are two things to check: that the index-time props/transforms for Bro are on the indexers/heavy forwarders cooking your Bro events, and that the expected filenames (conn.log, bro.conn.log, md5.bro.conn.log, etc.) match the actual names of the files being ingested, so that the events are correctly sourcetyped.
Hope this helps, but it's quite difficult to diagnose without intimate knowledge of your environment. If you can't sort it out, I would certainly open a support case.
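As an added illustration of the filename-based sourcetyping described in the answer above (this is not the Bro TA's own configuration; the stanza names, the placeholder sourcetype "bro" and the regex are assumptions), this is the shape such index-time props/transforms take on the indexer or heavy forwarder:

```ini
# props.conf (assumed example, not the Bro TA's own config)
# The monitor input stamps a placeholder sourcetype "bro" on every file
# under the Bro log directory; the transform below rewrites it per file.
[bro]
TRANSFORMS-bro_sourcetype_from_filename = bro_conn_from_filename

# transforms.conf (assumed example)
# Index-time override of the sourcetype, keyed on the source path, so that
# conn.log, bro.conn.log and md5.bro.conn.log all become sourcetype bro_conn.
# A file named differently (e.g. conn_2015.log) does NOT match and keeps the
# placeholder sourcetype, which is exactly the failure mode to look for.
[bro_conn_from_filename]
SOURCE_KEY = MetaData:Source
REGEX = (?:^|[/\\])(?:[^/\\]*\.)?conn\.log$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::bro_conn
```

To check whether the rewrite took effect, search the Bro index over all time with | stats count by source, sourcetype and look for files that still carry the placeholder sourcetype; those are the ones whose names the regex did not match.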
I think it is related to the Bro TA app because I indexed some McAfee IDS data (eventgen) and the Threat Activity dashboard matches some data with known IOCs. I know the Bro TA supports Bro 2.2 and 2.3 and we use 2.4 internally, so I had to create some aliases, so there must be a wrong configuration somewhere. I'm still going to try to find out where the problem is.
Thanks a lot for your help and input! If I find out what caused the empty dashboard, I will post it 🙂