The threathunting is a summary index. This gets populated once one of the over 150 searches find anything noteworthy, all relevant fields of that event will be saved as an event in the threathunting index.
you can try to validate whether the macro's yield results in the search bar, e.g. sysmon or windows-security
if there are no results you might want to check whether you've changed them properly
... View more