
host_fqdn field not correctly extracted due to TA-windows new versions

Open timo92700 opened this issue 2 years ago • 6 comments

Hello everyone,

It appears that the "host_fqdn" field evaluation in the props.conf for the stanza "WinEventLog:Microsoft-Windows-Sysmon/Operational" (and also the XML one) is based on the "Computer" field, but TA-windows seems to have renamed this field to "ComputerName" for a few versions now (I'm running TA-windows v8.2.0). This issue causes 90% of the dashboards not to work at all. You have to edit the props.conf as below to make it work again correctly (in both the WinEventLog:Micro**** and XMLWinEventLog:Micro**** stanzas if needed):

[screenshot]

Could you please fix the issue in the application? Thanks and regards,

timo92700, Sep 19 '22 15:09

host_fqdn seems to be extracting reliably for me for Sysmon events on my Splunk server dedicated to the ThreatHunting app and its dependencies.

I have Splunk_TA_windows v8.50 and Splunk_TA_microsoft_sysmon v3.0.0. What are you running?

In your inputs.conf stanza for Sysmon:

  • do you have renderXml set to 1 or true?
  • do you have the source spec set to "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"?

Looking at the btool output for props lines containing the terms wineventlog or host_fqdn, it seems like host_fqdn is derived from the Computer field. I don't see a source of conflict when inputs are configured as expected in inputs.conf.

[screenshot]

Now there does seem to be an issue for other sources, at least for me. I know I should change my rendering of PowerShell logs to XML because important context is missing otherwise. Not sure what renderings are expected for others.

[screenshot]

dstaulcu, Sep 22 '22 00:09
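The checklist above comes down to one question: is the Sysmon channel rendered as XML, where the host lives in a `Computer` element, or as classic key=value text, where it is exposed as `ComputerName`? The following script is an added example, not code from the ThreatHunting app or from either participant. It constructs one event in each rendering, derives host_fqdn the way an EVAL reading only `Computer` would, then with an assumed coalesce over both names (the page does not show the exact props.conf change from the screenshot or PR #103), and finally checks a constructed inputs.conf stanza for the `renderXml` setting the comment asks about.

```python
"""Added example (not from the ThreatHunting project): shows why a host_fqdn
derivation that reads only the Computer field works for XML-rendered Sysmon
events but not for classic rendering, and checks the inputs.conf stanza the
way the checklist above does.  All sample data below is constructed."""
import configparser
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed XML rendering (renderXml = true): host is the <Computer> element.
XML_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-Sysmon'/>"
    "<EventID>1</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel>"
    "<Computer>ws01.corp.example</Computer></System>"
    "<EventData><Data Name='Image'>C:\\Windows\\System32\\notepad.exe</Data></EventData>"
    "</Event>"
)

# Constructed classic rendering (renderXml = false): key=value lines, and the
# host is exposed as ComputerName; there is no Computer field at all.
CLASSIC_EVENT = """09/19/2022 03:09:00 PM
LogName=Microsoft-Windows-Sysmon/Operational
EventCode=1
ComputerName=ws01.corp.example
Message=Process Create:
Image: C:\\Windows\\System32\\notepad.exe
"""

# Constructed inputs.conf with the rendering the thread says breaks dashboards.
INPUTS_CONF = """[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = false
"""

SYSMON_STANZA = "WinEventLog://Microsoft-Windows-Sysmon/Operational"


def extract_fields(raw):
    """Return top-level event fields as a dict, for either rendering."""
    if raw.lstrip().startswith("<Event"):
        root = ET.fromstring(raw)
        fields = {}
        for child in root.find("e:System", NS):
            tag = child.tag.split("}")[-1]          # strip the XML namespace
            if child.text and child.text.strip():
                fields[tag] = child.text.strip()
        return fields
    fields = {}
    for line in raw.splitlines():
        m = re.match(r"^(\w+)=(.*)$", line)         # classic key=value lines only
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def host_fqdn_computer_only(fields):
    """Mirrors an EVAL that reads only Computer: empty on classic rendering."""
    return fields.get("Computer")


def host_fqdn_either(fields):
    """Assumed coalesce over both field names (not the page's own fix)."""
    return fields.get("Computer") or fields.get("ComputerName")


def sysmon_render_xml(inputs_conf_text):
    """True/False for renderXml in the Sysmon stanza, None if the stanza is absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(inputs_conf_text)
    if not cp.has_section(SYSMON_STANZA):
        return None
    value = cp.get(SYSMON_STANZA, "renderXml", fallback="false")
    return value.strip().lower() in ("1", "true")


if __name__ == "__main__":
    for name, raw in (("xml", XML_EVENT), ("classic", CLASSIC_EVENT)):
        f = extract_fields(raw)
        print(name, "Computer-only:", host_fqdn_computer_only(f),
              "| either:", host_fqdn_either(f))
    print("Sysmon stanza renders XML:", sysmon_render_xml(INPUTS_CONF))
```

Running it shows the Computer-only derivation returning nothing for the classic event while the coalesced form recovers the host from `ComputerName`, and the stanza check reports `False`, which is the configuration the reporter describes later in the thread.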

I've submitted PR #103 as a proposed change to handle the issue no matter what WinEventLog rendering type the sources of interest have.

[screenshot]

dstaulcu, Sep 22 '22 01:09

Hello, thank you for your answer. We are using the WinEventLog and not the XMLWinEventLog sourcetype (renderXml is false in the inputs.conf) for Sysmon collection. It may explain why the Computer field does not exist: it seems not to exist in the non-XML sourcetype (as on the latest screenshot). If someone else can confirm :) Thanks and regards

timo92700, Sep 22 '22 07:09

No problem. I think you will find that a few other field extractions are missing if you continue down the non-XML route for Sysmon. I'd bite the bullet and adapt to the input spec standard for Sysmon prescribed in its TA.

dstaulcu, Sep 22 '22 11:09

OK, thanks! Maybe warn the users in the README / documentation of the ThreatHunting app that the XML sourcetype for Sysmon collection is preferable for it to work correctly.

timo92700, Sep 22 '22 12:09

That is a good idea. I stumbled on this sort of issue at first as well, and I have many years of experience with Sysmon and Splunk. I'd suggest forking this repository and submitting a pull request with your requested changes. I am not the owner of the repository.

dstaulcu, Sep 23 '22 00:09