Hello, my threat hunting dashboard keeps showing 0 data, but the Activity by time per day dashboard underneath is circulating.

olafhartong / ThreatHunting

A Splunk app mapped to MITRE ATT&CK to guide your threat hunts

MIT License

1.12k stars 175 forks source link

Hello, my threat hunting dashboard keeps showing 0 data, but the Activity by time per day dashboard underneath is circulating. #106

Open creazyqin opened 1 year ago

creazyqin commented 1 year ago

problem1 splunk.version: 9.0.2 threathunting is downloaded from the splunk app problem2 I really do not know how to solve

dstaulcu commented 1 year ago

The version of the threathunting app on splunkbase is far behind the version available on GitHub. Can you replace your install and then share whether problem still exists? Otherwise the screenshot of your configuration panel crops out values of macro definitions. Macro definitions or missing indexes are the most likely problem sources.

creazyqin commented 1 year ago

The version of the threathunting app on splunkbase is far behind the version available on GitHub. Can you replace your install and then share whether problem still exists? Otherwise the screenshot of your configuration panel crops out values of macro definitions. Macro definitions or missing indexes are the most likely problem sources.

Hello Still having the same problem

dstaulcu commented 1 year ago

Please post an updated screenshot of the app dashboard panel. Make sure to include all of the macro panel values. Also please include a screenshot of any event in the index having your sysmon data.

I did not realize that the ThreatHunting app is now up to date on Splunkbase until about an hour ago. After that I removed the ThreatHunting app from my server and then installed it again (from Splunkbase) and things are working fine for me.

dstaulcu commented 1 year ago

Do you have the splunk add on for Microsoft windows installed? If not , try that and let me know.

creazyqin commented 1 year ago

请发布应用程序仪表板面板的更新屏幕截图。确保包含所有宏面板值。另外，请在索引中包含包含您的系统数据的任何事件的屏幕截图。

直到大约一个小时前，我才意识到ThreatHunting应用程序现在是Splunkbase上最新的。之后，我从服务器中删除了ThreatHunting应用程序，然后再次安装它（从Splunkbase），对我来说一切正常。

dstaulcu commented 1 year ago

It appears you are missing the index with name threathunting_summary.
Are there more entries in the macros section of the about this app dashboard? I would expect to see many more macros particularly for sysmon, system, application, security, and firewall logs. -It's possible they are just cropped out of your screenshot. Without macros properly defined the savedsearches associated with the app will not find events to possibly report on.
Have you installed the Splunk add on for Microsoft windows?

creazyqin commented 1 year ago

It appears you are missing the index with name threathunting_summary.

Are there more entries in the macros section of the about this app dashboard? I would expect to see many more macros particularly for sysmon, system, application, security, and firewall logs. -It's possible they are just cropped out of your screenshot. Without macros properly defined the savedsearches associated with the app will not find events to possibly report on.

Have you installed the Splunk add on for Microsoft windows?

I have created the threathunting_summary index I have installed forwarder for windows

creazyqin commented 1 year ago

Splunk Add-on for Sysmon is also installed

dstaulcu commented 1 year ago

Please run the following search and send screenshot of results:

earliest=-24h index=windows | stats count, dc(EventCode), latest(_raw) by index, sourcetype, source

creazyqin commented 1 year ago

dstaulcu commented 1 year ago

You appear to be missing the Splunk Add-on for Microsoft Windows. I've submitted a pull request to add that as a requirement for the ThreatHunting app. Please add that app to your search head and let me know if the situation improves. Also, you should consider enabling inputs for System, Application, PowerShell , etc. in order to determine whether the problem you are experiencing is unique to varying field extraction and format dependencies of sysmon or common across all input types. See below for example inputs:

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = 1
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
index = windows

[WinEventLog://System]
disabled = false
renderXml = 0
index = windows

[WinEventLog://Application]
disabled = false
renderXml = 0
index = windows

[WinEventLog://Security]
disabled = false
renderXml = 0
index = windows

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = false
renderXml = 0
index = windows

[WinEventLog://Microsoft-Windows-Windows Firewall With Advanced Security/Firewall]
disabled = false
renderXml = 0
index = windows

creazyqin commented 1 year ago

Thanks The dashboard is up and running! But none of the following statements will work

`[WinEventLog://Microsoft-Windows-Sysmon/Operational] disabled = false renderXml = 1 source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational index = windows

[WinEventLog://System] disabled = false renderXml = 0 index = windows

[WinEventLog://Application] disabled = false renderXml = 0 index = windows

[WinEventLog://Security] disabled = false renderXml = 0 index = windows

[WinEventLog://Microsoft-Windows-PowerShell/Operational] disabled = false renderXml = 0 index = windows

[WinEventLog://Microsoft-Windows-Windows Firewall With Advanced Security/Firewall] disabled = false renderXml = 0 index = windows`

dstaulcu commented 1 year ago

Glad to hear the dashboard is working now!

As for the other statements, you included them in an inputs.conf deployed to a windows endpoint right?

creazyqin commented 1 year ago

Thank you. It has been solved.