The renderXml spec in the sysmon stanza of inputs.conf should have a value of true. One of your screenshots in the issue has a sysmon event that is tab-delimited and not eye-murder XML....
Sorry; I have been mobile all morning with fragmented responses until now. In general, you should not make changes within .\SplunkUniversalForwarder\default. Instead, your changes should be in .\SplunkUniversalForwarder\etc\apps\\default if you are...
The long process of requirements validation reminds me of 106. I'm thinking your new sysmon events are in the main index. Either update the sysmon index macro in the threathunting app to...
As your last screenshot shows, the Splunk add-on for sysmon is missing on the search head. Searches that put results in the threat_hunting_summary index depend on enrichments from the sysmon...
_"No use to stall the sysmon add-on."_ - Can you clarify what you mean by this? Are you saying that you have already installed it or that you refuse to...
The version of the threathunting app on Splunkbase is far behind the version available on GitHub. Can you replace your install and then share whether the problem still exists? Otherwise the...
Please post an updated screenshot of the app dashboard panel. Make sure to include all of the macro panel values. Also please include a screenshot of any event in the...
Do you have the Splunk Add-on for Microsoft Windows installed? If not, try that and let me know.
- It appears you are missing the index with name threathunting_summary.
- Are there more entries in the macros section of the about this app dashboard? I would expect to...
Please run the following search and send a screenshot of the results: `earliest=-24h index=windows | stats count, dc(EventCode), latest(_raw) by index, sourcetype, source`