dstaulcu

Results 32 comments of dstaulcu

- You appear to be missing the Splunk Add-on for Microsoft Windows. I've submitted a pull request to add that as a requirement for the ThreatHunting app. Please add that...

Glad to hear the dashboard is working now! As for the other statements, you included them in an inputs.conf deployed to a Windows endpoint, right?

Those particular savedsearches are derived from eventcode 8 (create remote thread) and not eventcode 1 (process create). It does seem conspicuous that no whitelist strategy is applied. I imagine the...

Take a look at the .\default\savedsearches.conf file to start to gain an understanding for yourself. A quick review on my instances shows 151 scheduled searches with 142 of those referencing...

The scheduled search, naturally, would be in savedsearches.conf. For the current version of the app it appears the search that populates the index is in the [last stanza](https://github.com/olafhartong/ThreatHunting/blob/95c7eb972e7839ab69607dc7b10936c1e5523798/default/savedsearches.conf#L2840). The search...

In your second screenshot it shows that the Splunk Add-on for Sysmon is not installed on your Splunk search head. Please install that app on your search head, as searches/dashboards...

This btool output is from an install of Splunk server. Is your Splunk server Windows-based, having Sysmon installed and configured? If so, cool. - Resultant config for Sysmon inputs looks good...

Your events are still not formatted as XML. With events not formatted as XML, it is no surprise dashboards are all rendering zeros. I mentioned earlier that you should not...

No, still related to the structure of your events.

The event displayed in your screenshot still has non-XML structure. The source field in the event does not have the XML prefix, which should be preserved from your input by...