File created whitelist editor interface not working

Open sebastiendamaye opened this issue 4 years ago • 4 comments

The "File created whitelist editor" view (file_create_whitelist.xml) doesn't work. Clicking on the "Submit" button doesn't add the entry, and the CSV file threathunting_file_create_whitelist.csv has to be edited manually.

sebastiendamaye avatar Dec 21 '20 10:12 sebastiendamaye

Patch to apply to default/data/ui/views/file_create_whitelist.xml to fix the issue:

@@ -48,6 +48,7 @@
         <title>Today's Entries</title>
         <search>
           <query>| makeresults 
+| eval input_host_fqdn = COALESCE(if(trim("$host_fqdn$")="", "*", trim("$host_fqdn$")), "*") 
 | eval input_mitre_technique_id = COALESCE(if(trim("$mitre_technique_id$")="", "*", trim("$mitre_technique_id$")), "*") 
 | eval input_process_path = COALESCE(if(trim("$process_path$")="", "*", trim("$process_path$")), "*") 
 | eval input_file_name = COALESCE(if(trim("$file_name$")="", "*", trim("$file_name$")), "*") 
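Review bot: the added input_host_fqdn eval mirrors the three existing lines, but the outer COALESCE(..., "*") is redundant on all four: the inner if() already returns "*" for an empty token and the trimmed string otherwise, so it never yields null. It is consistent with the surrounding lines, so acceptable as-is; a follow-up could simplify each to the form | eval input_host_fqdn = if(trim("$host_fqdn$")="", "*", trim("$host_fqdn$")). More importantly, this hunk only touches the "Today's Entries" query, while the reported symptom is the Submit button not adding the entry; please confirm that the search that writes threathunting_file_create_whitelist.csv also defines input_host_fqdn, otherwise the patch as shown is incomplete.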

sebastiendamaye avatar Dec 27 '20 06:12 sebastiendamaye

@sebastiendamaye your patch does not work for me. Adding | eval input_host_fqdn = COALESCE(if(trim("$host_fqdn$")="", "*", trim("$host_fqdn$")), "*") did not fix the issue for the newest version of the ThreatHunting app. Pressing the Submit button deletes the first line of my lookup CSV file.

Suirand1 avatar Mar 18 '21 14:03 Suirand1

@Suirand1 I applied the patch on the latest release (1.4.92) and it's working fine. Just make sure you restart Splunk once you have applied the patch.

screenshot

sebastiendamaye avatar Mar 19 '21 09:03 sebastiendamaye

@olafhartong I take this opportunity to confirm that the latest release (1.4.92) is still suffering from this bug :)

sebastiendamaye avatar Mar 19 '21 09:03 sebastiendamaye