clong / DetectionLab

Automate the creation of a lab environment complete with security tooling and logging best practices
MIT License

Config missing for Olaf Hartong Threat Hunting App #297

Closed P4T12ICK closed 5 years ago

P4T12ICK commented 5 years ago

The following configuration is missing in Olaf Hartong Threat Hunting App under /opt/splunk/etc/apps/ThreatHunting/default/macros.conf:

[indextime]
definition = _index_earliest=-15m@m AND _index_latest=now
iseval = 0

This macro is used in every Hunting search, which is why the searches were not working.
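As an added example (not DetectionLab's or the ThreatHunting app's own code), a small checker that parses a Splunk macros.conf and confirms the `indextime` macro reported above is defined, appending the stanza when it is absent; `SAMPLE_CONF` is a constructed file, not the app's real one.

```python
import re

# The stanza the issue reports as missing from the ThreatHunting app
REQUIRED_MACRO = "indextime"
REQUIRED_DEFINITION = "_index_earliest=-15m@m AND _index_latest=now"
REQUIRED_STANZA = (f"[{REQUIRED_MACRO}]\ndefinition = {REQUIRED_DEFINITION}\n"
                   "iseval = 0\n")

def parse_conf(text):
    """Parse Splunk INI-style .conf text into {stanza: {key: value}},
    honouring comments, blank lines and backslash line continuations."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):        # value continues on next line
            pending += raw.rstrip()[:-1]
            continue
        line, pending = (pending + raw).strip(), ""
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def macro_status(text):
    """Return 'ok', 'missing' or 'mismatch' for the indextime macro."""
    stanza = parse_conf(text).get(REQUIRED_MACRO)
    if stanza is None:
        return "missing"
    return "ok" if stanza.get("definition") == REQUIRED_DEFINITION else "mismatch"

def ensure_macro(text):
    """Append the indextime stanza only when absent; a mismatching
    definition is reported, not silently overwritten."""
    if macro_status(text) == "missing":
        return text.rstrip("\n") + "\n\n" + REQUIRED_STANZA
    return text

# Constructed sample macros.conf (not the app's real file) lacking the stanza
SAMPLE_CONF = """[sysmon]
definition = index=sysmon \\
    sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
iseval = 0
"""
```

Running `macro_status` against the app's installed macros.conf during provisioning turns this class of silent search failure into an explicit check.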

4ndr3w6 commented 5 years ago

Does detection lab also need the Lookup File Editor App @olafhartong? I believe this app is missing currently from Detection Lab and is a prerequisite.

clong commented 5 years ago

Both should be fixed in #299