olafhartong / ThreatHunting

A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
MIT License

host_fqdn field not correctly extracted due to TA-windows new versions #102

Open timo92700 opened 2 years ago

timo92700 commented 2 years ago

Hello everyone. It appears that the "host_fqdn" field evaluation in the props.conf for the stanza "WinEventLog:Microsoft-Windows-Sysmon/Operational" (and also the XML one) is based on the "Computer" field, but TA-windows seems to have renamed this field to "ComputerName" for a few versions now (I'm running TA-windows v8.2.0). This issue causes 90% of the dashboards to not work at all. You have to edit the props.conf as below to make it work again correctly (in both the WinEventLog:Micro and XMLWinEventLog:Micro stanzas if needed):

Could you please fix the issue in the application? Thanks and regards,

dstaulcu commented 2 years ago

host_fqdn seems to be extracting reliably for me for Sysmon events on my Splunk server dedicated to the ThreatHunting app and its dependencies.

I have Splunk_TA_windows v8.50 and Splunk_TA_microsoft_sysmon v3.0.0. What are you running?

In your inputs.conf stanza for sysmon:

Looking at the btool output for props lines containing the terms wineventlog or host_fqdn, it seems like host_fqdn is derived from the Computer field. I don't see a source of conflict when inputs are configured as expected in inputs.conf.


Now there does seem to be an issue for other sources at least for me. I know I should change my rendering of PowerShell logs to XML because important context is missing otherwise. Not sure what renderings are expected for others.


dstaulcu commented 2 years ago

I've submitted PR #103 as a proposed change to handle the issue no matter what wineventlog rendering type the sources of interest have.

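For readers hitting the same mismatch, here is an added props.conf sketch (not the app's own file and not the PR #103 diff) that makes the host_fqdn evaluation tolerate both field names; the exact original eval in the ThreatHunting app and the hypothetical local/props.conf placement are assumptions, and `coalesce()` is the standard Splunk eval function that returns the first non-null argument.

```ini
# Assumed shape of the original evaluation: only the "Computer" field is used,
# so events where the TA populates "ComputerName" instead get no host_fqdn.
[WinEventLog:Microsoft-Windows-Sysmon/Operational]
EVAL-host_fqdn = lower(Computer)

# Hardened form: fall back to "ComputerName" when "Computer" is absent.
# Apply the same eval to the XML-rendered sourcetype so both inputs behave alike.
[WinEventLog:Microsoft-Windows-Sysmon/Operational]
EVAL-host_fqdn = lower(coalesce(Computer, ComputerName))

[XMLWinEventLog:Microsoft-Windows-Sysmon/Operational]
EVAL-host_fqdn = lower(coalesce(Computer, ComputerName))
```

Verify the merged result with `splunk btool props list --debug | grep -i host_fqdn`, and confirm dashboards populate again by searching for events where host_fqdn is non-empty across both sourcetypes.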

timo92700 commented 2 years ago

Hello, thank you for your answer. We are using the WinEventLog and not the XMLWinEventLog sourcetype (renderXml is set to false in the inputs.conf) for Sysmon collection. It may explain why the Computer field does not exist: it seems not to exist in the non-XML sourcetype (as on the latest screenshot). If someone else can confirm :) Thanks and regards

dstaulcu commented 2 years ago

No problem. I think you will find that a few other field extractions are missing if you continue down the non-XML route for Sysmon. I'd bite the bullet and adapt to the input spec standard for Sysmon prescribed in its TA.

timo92700 commented 2 years ago

OK, thanks! Maybe warn the users in the README / documentation of the ThreatHunting app that the XML sourcetype for Sysmon collection is preferable for it to work correctly.

dstaulcu commented 2 years ago

That is a good idea. I stumbled on this sort of issue at first as well, and I have many years of experience with Sysmon and Splunk. I'd suggest forking this repository and submitting a pull request with your requested changes. I am not the owner of the repository.