AWS Terraform Splunk Threat Hunting App not functioning

[sunnyneo]

• Operating System Version:
• Deploying via (VirtualBox/VMWare/AWS/Azure/ESXi): AWS
• Vagrant Version (if applicable):

Please verify that you are building from an updated Master branch before filing an issue.

• Did a git pull before deploying

  Description of the issue:

  The threat hunting app in splunk either comes with limited events or no event as shown below, not sure if there is any issue with the event logs being captured/forwarded to AWS splunk threat hunting app. I have no issue with my vagrant built.

Terraform AWS Splunk Threat Hunting

Vagrant Splunk Threat Hunting

[clong]

@sunnyneo did you generate any threat events?

[sunnyneo]

@clong

I have executed the following command

From Terraform AWS Splunk, no alerts or whatsoever

From Vagrant Splunk, the same command was executed earlier and alerts came up

[clong]

Thanks for that! Will check it out

[sunnyneo]

@clong

Updates: Just wanna share, I somehow managed to get it working. I am not sure which steps helped but I did

Created file /opt/splunk/etc/apps/ThreatHunting/lookups/threathunting_asset_priority.csv

File Content

Download and Extracted https://github.com/olafhartong/ThreatHunting/raw/master/files/ThreatHunting.tar.gz

And it seems to work now.

However when I tried some other features like DNS Stacking, it seems to be broken whereas the results never turn up even after waiting for 10 minutes

Some errors found in different search.log

[clong]

Hi @sunnyneo - I pushed out new AMIs a week or two ago. Any chance you'd be able to check if the threat hunting stuff is still broken?

[sunnyneo]

Hi @clong, thanks for the update.

I have just tried spinning up DetectionLab on US-WEST-1, it seems to work with preliminary testing. I can see some detection triggered on detectionlab.

[liviurosioara]

Hi, I have the same problem as in the original post, this time with ESXi. Any suggestions?