ThreatHunting
A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
threathunting_file_summary index is empty. Everything else works fine. It may be that a search is populating it, but I cannot find the search.
My Sysmon and Splunk both have the log of ID 3, however my ThreatHunting dashboard is empty. My work is as follows: upload csv files. Make...
Thank you for creating this super interesting app. There's a hardcoded index=windows statement in the search of the Computer Investigator dashboard Logging Data distribution panel. | tstats count WHERE index=windows...
Use macros in views where searches have the index name hard-coded.
I want to add more TTPs; is there any documentation available on how one can add more to this tool? It seems the savedsearches.conf file is the file to edit.
- Suggest updating the lookup definition to make searches case insensitive.
- Suggest updating views to make searches refer to the lookup by definition name instead of CSV file name.
Hello Team, just want to know whether hunting with this app requires Sysmon logs, or whether it can work directly on Windows logs...? Thanks in advance...
Is there any reason for the "[[T1055] Process Injection]" and "[[T1055] Process Injection - CobaltStrike]" saved searches to not have the "| `process_create_whitelist`" in it and abide by the whitelist?
It looks like the props.conf is trying to transform OriginalFileName into file_name for all events. The issue I am seeing is with File Create events (event 11). Those events don't...
splunk.version: 9.0.2. threathunting is downloaded from the Splunk app. I really do not know how to solve