Hello, my threat hunting dashboard keeps showing 0 data, but the Activity by time per day dashboard underneath is circulating.

Open creazyqin opened this issue 2 years ago • 14 comments

Problem 1: splunk.version: 9.0.2; ThreatHunting was downloaded from the Splunk app.
Problem 2: I really do not know how to solve it.

creazyqin avatar Nov 15 '22 06:11 creazyqin

The version of the threathunting app on Splunkbase is far behind the version available on GitHub. Can you replace your install and then share whether the problem still exists? Otherwise, the screenshot of your configuration panel crops out the values of the macro definitions. Macro definitions or missing indexes are the most likely problem sources.

dstaulcu avatar Nov 15 '22 12:11 dstaulcu

Hello, still having the same problem.

creazyqin avatar Nov 15 '22 13:11 creazyqin

Please post an updated screenshot of the app dashboard panel. Make sure to include all of the macro panel values. Also please include a screenshot of any event in the index having your sysmon data.

I did not realize that the ThreatHunting app is now up to date on Splunkbase until about an hour ago. After that I removed the ThreatHunting app from my server and then installed it again (from Splunkbase) and things are working fine for me.

dstaulcu avatar Nov 16 '22 01:11 dstaulcu

Do you have the Splunk Add-on for Microsoft Windows installed? If not, try that and let me know.

dstaulcu avatar Nov 16 '22 12:11 dstaulcu

OK [three screenshots]

creazyqin avatar Nov 18 '22 08:11 creazyqin

  • It appears you are missing the index with name threathunting_summary.
  • Are there more entries in the macros section of the "about this app" dashboard? I would expect to see many more macros, particularly for sysmon, system, application, security, and firewall logs. It's possible they are just cropped out of your screenshot. Without macros properly defined, the savedsearches associated with the app will not find events to possibly report on.
  • Have you installed the Splunk Add-on for Microsoft Windows?

dstaulcu avatar Nov 18 '22 12:11 dstaulcu

I have created the threathunting_summary index [two screenshots]. I have installed the forwarder for Windows.

creazyqin avatar Nov 19 '22 05:11 creazyqin

[screenshot]

Splunk Add-on for Sysmon is also installed

creazyqin avatar Nov 19 '22 05:11 creazyqin

Please run the following search and send screenshot of results:

earliest=-24h index=windows | stats count, dc(EventCode), latest(_raw) by index, sourcetype, source

dstaulcu avatar Nov 19 '22 16:11 dstaulcu

[screenshot]

creazyqin avatar Nov 20 '22 13:11 creazyqin

  • You appear to be missing the Splunk Add-on for Microsoft Windows. I've submitted a pull request to add that as a requirement for the ThreatHunting app. Please add that app to your search head and let me know if the situation improves. Also, you should consider enabling inputs for System, Application, PowerShell, etc. in order to determine whether the problem you are experiencing is unique to the varying field extraction and format dependencies of sysmon or common across all input types. See below for example inputs:

```ini
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = 1
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
index = windows

[WinEventLog://System]
disabled = false
renderXml = 0
index = windows

[WinEventLog://Application]
disabled = false
renderXml = 0
index = windows

[WinEventLog://Security]
disabled = false
renderXml = 0
index = windows

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = false
renderXml = 0
index = windows

[WinEventLog://Microsoft-Windows-Windows Firewall With Advanced Security/Firewall]
disabled = false
renderXml = 0
index = windows
```

dstaulcu avatar Nov 20 '22 14:11 dstaulcu
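The two root causes this thread circles around, a missing index and inputs that are not collecting what the app's macros search for, can be checked mechanically before deploying. The following is an added example written for this page; it is not code from the ThreatHunting project or from either participant. It parses WinEventLog stanzas in the inputs.conf format posted above, flags the settings that commonly leave the dashboards empty (disabled input, no `index=`, a Sysmon stanza without `renderXml = 1` and the `XmlWinEventLog:` source), and lists indexes that are referenced or required but not defined. The sample stanzas, the set of "known" indexes and the `REQUIRED_INDEXES` list are constructed assumptions, not values taken from the app's own configuration.

```python
"""Added example: audit inputs.conf stanzas that feed ThreatHunting.

Not part of the ThreatHunting project or this thread; index names and the
sample configuration below are assumptions made for illustration.
"""
import configparser

# Constructed sample modelled on the stanzas posted in the thread, with two
# deliberate defects: the Sysmon input has renderXml = 0 instead of 1, and
# the Security stanza has no index= line.
SAMPLE_INPUTS_CONF = """
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = 0
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
index = windows

[WinEventLog://System]
disabled = false
renderXml = 0
index = windows

[WinEventLog://Security]
disabled = false
renderXml = 0

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = false
renderXml = 0
index = windows
"""

# Assumed set of indexes defined on the indexer; threathunting_summary is
# left out on purpose, mirroring the situation earlier in the thread.
KNOWN_INDEXES = {"main", "windows"}

# Indexes the thread says are needed: the one the inputs write to and the
# summary index the app expects. Adjust for your environment (assumption).
REQUIRED_INDEXES = {"windows", "threathunting_summary"}

PREFIX = "WinEventLog://"
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"


def parse_inputs_conf(text):
    """Return {stanza_name: {key: value}} for an inputs.conf-style document."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case so renderXml is not folded to renderxml
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def check_stanza(name, opts):
    """Findings for one WinEventLog stanza; other stanza types are ignored."""
    findings = []
    if not name.startswith(PREFIX):
        return findings
    channel = name[len(PREFIX):]
    # A missing disabled= means the input is enabled, so only an explicit true/1 is flagged.
    if opts.get("disabled", "false").strip().lower() in ("1", "true"):
        findings.append(f"{name}: input is disabled")
    if "index" not in opts:
        findings.append(f"{name}: no index= set, events go to the default index instead of the one the macros search")
    if channel == SYSMON_CHANNEL:
        # The posted Sysmon stanza uses XML rendering plus an XmlWinEventLog source.
        if opts.get("renderXml") != "1":
            findings.append(f"{name}: renderXml should be 1 (XML rendering) for Sysmon")
        expected_source = "XmlWinEventLog:" + channel
        if opts.get("source") != expected_source:
            findings.append(f"{name}: source should be {expected_source}")
    elif opts.get("renderXml", "0").strip().lower() not in ("0", "false"):
        findings.append(f"{name}: renderXml = {opts['renderXml']} differs from the posted example (0); "
                        "XML and classic rendering extract fields differently")
    return findings


def missing_indexes(stanzas, existing):
    """Indexes referenced by the stanzas or required by the app but not defined."""
    referenced = {o["index"].strip() for o in stanzas.values() if "index" in o}
    return sorted((referenced | REQUIRED_INDEXES) - set(existing))


def audit(text, existing_indexes):
    """Run every check and return the list of findings (empty means clean)."""
    stanzas = parse_inputs_conf(text)
    findings = []
    for name, opts in stanzas.items():
        findings.extend(check_stanza(name, opts))
    for idx in missing_indexes(stanzas, existing_indexes):
        findings.append(f"index {idx} is referenced or required but not defined in indexes.conf")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_INPUTS_CONF, KNOWN_INDEXES):
        print("FINDING:", line)
```

On a real forwarder, feed the checker the effective configuration rather than a single file, for example the output of `splunk btool inputs list --debug`, since a stanza in another app can override the one you deployed. The list of defined indexes can be taken from `splunk btool indexes list` on the indexer, or from a search such as `| eventcount summarize=false index=* | dedup index | fields index` on the search head.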

Thanks, the dashboard is up and running! [screenshot] But none of the following statements will work:

```ini
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = 1
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
index = windows

[WinEventLog://System]
disabled = false
renderXml = 0
index = windows

[WinEventLog://Application]
disabled = false
renderXml = 0
index = windows

[WinEventLog://Security]
disabled = false
renderXml = 0
index = windows

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = false
renderXml = 0
index = windows

[WinEventLog://Microsoft-Windows-Windows Firewall With Advanced Security/Firewall]
disabled = false
renderXml = 0
index = windows
```

creazyqin avatar Nov 21 '22 18:11 creazyqin

Glad to hear the dashboard is working now!

As for the other statements, you included them in an inputs.conf deployed to a windows endpoint right?

dstaulcu avatar Nov 22 '22 01:11 dstaulcu

Thank you. It has been solved.

creazyqin avatar Nov 25 '22 06:11 creazyqin