search

olafhartong / ThreatHunting

A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
MIT License
1.14k stars 178 forks source link

threathunting_file_summary is empty #114

Open robojockjb opened 1 year ago

robojockjb commented 1 year ago

threathunting_file_summary index is empty. Everything else works fine. It may be that a search is populating it, but I cannot find the search.

dstaulcu commented 1 year ago

The scheduled search, naturally, would be in savedsearches.conf. For the current version of the app it appears the search that populates the index is in the last stanza. The search is disabled by the default. You can enable the search in savedsearches.conf by flipping the enableSched spec value from 0 to 1. Otherwise, you can do so in the UI. Either way, once the scheduled search is enabled you should expect events in the index, if the index exists, in approx. 15 minutes.

zhjygit commented 1 year ago

image As above ,I changed the enableSched from 0 to 1, however, there is no data on dashboard of "about the app": image

Although I reboot PC of restart splunk, there is no data in threathunting index as follows: image The data of threathunting is from index=windows, is it right?

image Also, I changed register of ID 1103 from Appinit_dlls=0 to Appinit_dlls=1, As expected, there is a EventCode=13 in search, however, remaining no data in threathunting overview: image

dstaulcu commented 1 year ago

In your second screenshot it shows that the splunk add-on for sysmon is not installed on your splunk search head. Please install that app on your search head as searches/dashboards all throughout Threathunting app key off enriched fields from both the Sysmon and Windows apps.

In your fifth screenshot it is apparent that sysmon events are not rendering as xml. Perhaps there are still local changes that need to be removed from your endpoint. Please run the following command and share output to help asses whether there are conflicting configuration specifications on your forwarder:

.\\bin\splunk cmd btool inputs list --debug

zhjygit commented 1 year ago

no use to install sysmon add on app: image

I use local splunk without forward,the the command is as follows: C:\Program Files\Splunk\bin>splunk cmd btool inputs list --debug C:\Program Files\Splunk\bin>splunk cmd btool inputs list --debug C:\Program Files\Splunk\etc\system\default\inputs.conf [SSL] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf allowSslRenegotiation = true C:\Program Files\Splunk\etc\system\default\inputs.conf certLogMaxCacheEntries = 10000 C:\Program Files\Splunk\etc\system\default\inputs.conf certLogRepeatFrequency = 1d C:\Program Files\Splunk\etc\system\default\inputs.conf cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 C:\Program Files\Splunk\etc\system\default\inputs.conf ecdhCurves = prime256v1, secp384r1, secp521r1 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\system\default\inputs.conf logCertificateData = true C:\Program Files\Splunk\etc\system\default\inputs.conf sslQuietShutdown = false C:\Program Files\Splunk\etc\system\default\inputs.conf sslVersions = tls1.2 C:\Program Files\Splunk\etc\apps\search\local\inputs.conf [WinEventLog://Application] C:\Program Files\Splunk\etc\apps\search\local\inputs.conf checkpointInterval = 5 C:\Program Files\Splunk\etc\apps\search\local\inputs.conf current_only = 0 C:\Program Files\Splunk\etc\apps\search\local\inputs.conf disabled = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 host = $decideOnStartup C:\Program Files\Splunk\etc\apps\search\local\inputs.conf index = windows C:\Program Files\Splunk\etc\system\default\inputs.conf interval = 60 C:\Program Files\Splunk\etc\apps\search\local\inputs.conf start_from = oldest C:\Program Files\Splunk\etc\apps\search\local\inputs.conf [WinEventLog://ForwardedEvents] C:\Program Files\Splunk\etc\apps\search\local\inputs.conf checkpointInterval = 5 C:\Program Files\Splunk\etc\apps\search\local\inputs.conf current_only = 0 C:\Program Files\Splunk\etc\apps\search\local\inputs.conf disabled = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 host = $decideOnStartup C:\Program Files\Splunk\etc\apps\search\local\inputs.conf index = windows C:\Program Files\Splunk\etc\system\default\inputs.conf interval = 60 C:\Program Files\Splunk\etc\apps\search\local\inputs.conf start_from = oldest C:\Program Files\Splunk\etc\apps\search\local\inputs.conf [WinEventLog://Microsoft-Windows-Sysmon/Operational] C:\Program Files\Splunk\etc\apps\search\local\inputs.conf checkpointInterval = 5 C:\Program Files\Splunk\etc\apps\search\local\inputs.conf current_only = 0 C:\Program Files\Splunk\etc\apps\search\local\inputs.conf disabled = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 host = $decideOnStartup C:\Program Files\Splunk\etc\apps\search\local\inputs.conf index = windows C:\Program Files\Splunk\etc\system\default\inputs.conf interval = 60 C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft_sysmon\default\inputs.conf renderXml = 1 C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft_sysmon\default\inputs.conf source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational C:\Program Files\Splunk\etc\apps\search\local\inputs.conf start_from = oldest C:\Program Files\Splunk\etc\apps\search\local\inputs.conf [WinEventLog://Security] C:\Program Files\Splunk\etc\apps\search\local\inputs.conf checkpointInterval = 5 C:\Program Files\Splunk\etc\apps\search\local\inputs.conf current_only = 0 C:\Program Files\Splunk\etc\apps\search\local\inputs.conf disabled = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 host = $decideOnStartup C:\Program Files\Splunk\etc\apps\search\local\inputs.conf index = windows C:\Program Files\Splunk\etc\system\default\inputs.conf interval = 60 C:\Program Files\Splunk\etc\apps\search\local\inputs.conf start_from = oldest C:\Program Files\Splunk\etc\apps\search\local\inputs.conf [WinEventLog://Setup] C:\Program Files\Splunk\etc\apps\search\local\inputs.conf checkpointInterval = 5 C:\Program Files\Splunk\etc\apps\search\local\inputs.conf current_only = 0 C:\Program Files\Splunk\etc\apps\search\local\inputs.conf disabled = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 host = $decideOnStartup C:\Program Files\Splunk\etc\apps\search\local\inputs.conf index = windows C:\Program Files\Splunk\etc\system\default\inputs.conf interval = 60 C:\Program Files\Splunk\etc\apps\search\local\inputs.conf start_from = oldest C:\Program Files\Splunk\etc\apps\search\local\inputs.conf [WinEventLog://System] C:\Program Files\Splunk\etc\apps\search\local\inputs.conf checkpointInterval = 5 C:\Program Files\Splunk\etc\apps\search\local\inputs.conf current_only = 0 C:\Program Files\Splunk\etc\apps\search\local\inputs.conf disabled = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 host = $decideOnStartup C:\Program Files\Splunk\etc\apps\search\local\inputs.conf index = windows C:\Program Files\Splunk\etc\system\default\inputs.conf interval = 60 C:\Program Files\Splunk\etc\apps\search\local\inputs.conf start_from = oldest C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft_sysmon\default\inputs.conf [WinEventLog://WEC-Sysmon] C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft_sysmon\default\inputs.conf disabled = true C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft_sysmon\default\inputs.conf host = WinEventLogForwardHost index = default C:\Program Files\Splunk\etc\system\default\inputs.conf interval = 60 C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft_sysmon\default\inputs.conf renderXml = 1 C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft_sysmon\default\inputs.conf source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft_sysmon\default\inputs.conf sourcetype = XmlWinEventLog:WEC-Sysmon C:\Program Files\Splunk\etc\system\default\inputs.conf [batch://C:\Program Files\Splunk\var\run\splunk\search_telemetry*search_telemetry.json] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf crcSalt = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = _introspection C:\Program Files\Splunk\etc\system\default\inputs.conf log_on_completion = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf move_policy = sinkhole C:\Program Files\Splunk\etc\system\default\inputs.conf sourcetype = search_telemetry C:\Program Files\Splunk\etc\system\default\inputs.conf [batch://C:\Program Files\Splunk\var\spool\splunk] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf crcSalt = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\system\default\inputs.conf move_policy = sinkhole C:\Program Files\Splunk\etc\system\default\inputs.conf [batch://C:\Program Files\Splunk\var\spool\splunk...stash_hec] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf crcSalt = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\system\default\inputs.conf move_policy = sinkhole C:\Program Files\Splunk\etc\system\default\inputs.conf sourcetype = stash_hec C:\Program Files\Splunk\etc\system\default\inputs.conf [batch://C:\Program Files\Splunk\var\spool\splunk...stash_new] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf crcSalt = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\system\default\inputs.conf move_policy = sinkhole C:\Program Files\Splunk\etc\system\default\inputs.conf queue = stashparsing C:\Program Files\Splunk\etc\system\default\inputs.conf sourcetype = stash_new C:\Program Files\Splunk\etc\system\default\inputs.conf time_before_close = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf [batch://C:\Program Files\Splunk\var\spool\splunk\tracker.log] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = _internal C:\Program Files\Splunk\etc\system\default\inputs.conf move_policy = sinkhole C:\Program Files\Splunk\etc\system\default\inputs.conf sourcetype = splunkd_latency_tracker C:\Program Files\Splunk\etc\system\default\inputs.conf [blacklist:C:\Program Files\Splunk\etc\auth] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\system\default\inputs.conf [blacklist:C:\Program Files\Splunk\etc\passwd] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\system\default\inputs.conf [fschange:C:\Program Files\Splunk\etc] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf delayInMills = 100 C:\Program Files\Splunk\etc\system\default\inputs.conf disabled = false C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf filesPerDelay = 10 C:\Program Files\Splunk\etc\system\default\inputs.conf followLinks = false C:\Program Files\Splunk\etc\system\default\inputs.conf fullEvent = false C:\Program Files\Splunk\etc\system\default\inputs.conf hashMaxSize = -1 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\system\default\inputs.conf pollPeriod = 600 C:\Program Files\Splunk\etc\system\default\inputs.conf recurse = true C:\Program Files\Splunk\etc\system\default\inputs.conf sendEventMaxSize = -1 C:\Program Files\Splunk\etc\system\default\inputs.conf signedaudit = true C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf [http] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf ackIdleCleanup = true C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf allowSslCompression = true C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf allowSslRenegotiation = true C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf dedicatedIoThreads = 2 C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf disabled = 1 C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf enableSSL = 1 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf maxSockets = 0 C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf maxThreads = 0 C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf port = 8088 C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf rollingRestartReturnServerBusy = true C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf sslVersions = ,-ssl2 C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf useDeploymentServer = 0 C:\Program Files\Splunk\etc\apps\splunk_assist\default\inputs.conf [instance_id_modular_input://default] C:\Program Files\Splunk\etc\apps\splunk_assist\default\inputs.conf disabled = 0 host = $decideOnStartup index = default C:\Program Files\Splunk\etc\apps\splunk_assist\default\inputs.conf interval = 15 C:\Program Files\Splunk\etc\apps\splunk_assist\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\python_upgrade_readinessapp\default\inputs.conf [monitor://C:\Program Files\Splunk/var/log/splunk/eura] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf index = _internal C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf sourcetype = python_upgrade_readiness_app C:\Program Files\Splunk\etc\apps\python_upgrade_readinessapp\default\inputs.conf [monitor://C:\Program Files\Splunk/var/log/splunk/jura] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf index = _internal C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf sourcetype = python_upgrade_readiness_app C:\Program Files\Splunk\etc\apps\python_upgrade_readinessapp\default\inputs.conf [monitor://C:\Program Files\Splunk/var/log/splunk/pura] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf index = _internal C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf sourcetype = python_upgrade_readiness_app C:\Program Files\Splunk\etc\system\default\inputs.conf [monitor://C:\Program Files\Splunk\etc\splunk.version] C:\Program Files\Splunk\etc\system\default\inputs.conf _TCP_ROUTING = C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = _internal C:\Program Files\Splunk\etc\system\default\inputs.conf sourcetype = splunk_version C:\Program Files\Splunk\etc\apps\introspection_generator_addon\default\inputs.conf [monitor://C:\Program Files\Splunk\var\log\introspection] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\apps\introspection_generator_addon\default\inputs.conf index = _introspection C:\Program Files\Splunk\etc\system\default\inputs.conf [monitor://C:\Program Files\Splunk\var\log\splunk] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = _internal C:\Program Files\Splunk\etc\system\default\inputs.conf [monitor://C:\Program Files\Splunk\var\log\splunk\configuration_change.log] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = _configtracker C:\Program Files\Splunk\etc\system\default\inputs.conf [monitor://C:\Program Files\Splunk\var\log\splunk\license_usage_summary.log] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = _telemetry C:\Program Files\Splunk\etc\system\default\inputs.conf [monitor://C:\Program Files\Splunk\var\log\splunk\splunk_instrumentation_cloud.log] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = _telemetry C:\Program Files\Splunk\etc\system\default\inputs.conf sourcetype = splunk_cloud_telemetry C:\Program Files\Splunk\etc\system\default\inputs.conf [monitor://C:\Program Files\Splunk\var\log\watchdog\watchdog.log] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = _internal C:\Program Files\Splunk\etc\system\default\inputs.conf [script] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\system\default\inputs.conf interval = 60.0 C:\Program Files\Splunk\etc\system\default\inputs.conf start_by_shell = false C:\Program Files\Splunk\etc\system\default\inputs.conf [script://C:\Program Files\Splunk\bin\scripts\splunk-wmi.path] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf disabled = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\system\default\inputs.conf interval = 10000000 C:\Program Files\Splunk\etc\system\default\inputs.conf persistentQueueSize = 200MB C:\Program Files\Splunk\etc\system\default\inputs.conf queue = winparsing C:\Program Files\Splunk\etc\system\default\inputs.conf source = wmi C:\Program Files\Splunk\etc\system\default\inputs.conf sourcetype = wmi C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf [script://C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_email_notification_switch_scripted_input.py] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf disabled = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf interval = 0 /4 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf passAuth = splunk-system-user C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf run_only_one = false C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf sourcetype = script C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf [script://C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_remote_latest_report.py] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf disabled = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf interval = 0 7,19 /1 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf passAuth = splunk-system-user C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf run_only_one = false C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf sourcetype = script C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf [script://C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_remote_scan_scripted_input.py] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf disabled = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf interval = 0 /4 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf passAuth = splunk-system-user C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf run_only_one = false C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf sourcetype = script C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf [script://C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_scan_apps.py] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf disabled = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf interval = 0 1 /1 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf passAuth = splunk-system-user C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf run_only_one = false C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf sourcetype = script C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf [script://C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_send_email.py] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf disabled = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf interval = 0 6 1 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf passAuth = splunk-system-user C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf run_only_one = false C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf sourcetype = script C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf [script://C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/jura_remote_latest_report.py] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf disabled = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf interval = 0 7,19 /1 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf passAuth = splunk-system-user C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf run_only_one = false C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf sourcetype = script C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf [script://C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/jura_remote_scan_scripted_input.py] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf disabled = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf interval = 0 /4 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf passAuth = splunk-system-user C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf run_only_one = false C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf sourcetype = script C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf [script://C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/jura_scan_apps.py] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf disabled = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf interval = 0 4 /1 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf passAuth = splunk-system-user C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf run_only_one = false C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf sourcetype = script C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf [script://C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/jura_send_email.py] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf disabled = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf interval = 0 6 1 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf passAuth = splunk-system-user C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf run_only_one = false C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf sourcetype = script C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf [script://C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/pura_detect_python_version.py] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf disabled = 1 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf interval = 3600 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf passAuth = splunk-system-user C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf run_only_one = false C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf sourcetype = script C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf [script://C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/pura_email_notification_switch_scripted_input.py] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf disabled = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf interval = 0 /4 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf passAuth = splunk-system-user C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf run_only_one = false C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf sourcetype = script C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf [script://C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/pura_get_all_apps.py] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf disabled = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf interval = 7 /8 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf passAuth = splunk-system-user C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf run_only_one = false C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf sourcetype = script C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf [script://C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/pura_remote_latest_report.py] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf disabled = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf interval = 0 4,16 /1 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf passAuth = splunk-system-user C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf run_only_one = false C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf sourcetype = script C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf [script://C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/pura_remote_scan_scripted_input.py] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf disabled = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf interval = 0 /4 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf passAuth = splunk-system-user C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf run_only_one = false C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf sourcetype = script C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf [script://C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/pura_scan_apps.py] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf disabled = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf interval = 0 1 /1 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf passAuth = splunk-system-user C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf run_only_one = false C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf sourcetype = script C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf [script://C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/pura_send_email.py] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf disabled = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf interval = 0 6 1 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf passAuth = splunk-system-user C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf run_only_one = false C:\Program Files\Splunk\etc\apps\python_upgrade_readiness_app\default\inputs.conf sourcetype = script C:\Program Files\Splunk\etc\apps\splunk-dashboard-studio\default\inputs.conf [script://C:\Program Files\Splunk\etc/apps/splunk-dashboard-studio/bin/save_image_and_icon_on_install.py] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\splunk-dashboard-studio\default\inputs.conf interval = -1 C:\Program Files\Splunk\etc\apps\splunk-dashboard-studio\default\inputs.conf passAuth = splunk-system-user C:\Program Files\Splunk\etc\apps\splunk-dashboard-studio\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\splunk-dashboard-studio\default\inputs.conf run_only_one = false C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf [script://C:\Program Files\Splunk\etc/apps/splunk_instrumentation/bin/instrumentation.py] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf disabled = false C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf index = _telemetry C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf interval = 0 C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf passAuth = splunk-system-user C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf source = instrumentation_scripted_input C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf sourcetype = splunk_telemetry_log C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf [script://C:\Program Files\Splunk\etc/apps/splunk_instrumentation/bin/on_splunk_start.py] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf disabled = false C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf interval = -1 C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf passAuth = splunk-system-user C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf [script://C:\Program Files\Splunk\etc/apps/splunk_instrumentation/bin/schedule_delete.py] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf disabled = false C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf interval = 0 0 C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf passAuth = splunk-system-user C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\introspection_generator_addon\default\inputs.conf [script://C:\Program Files\Splunk\etc\apps\introspection_generator_addon\bin\collector.path] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\introspection_generator_addon\default\inputs.conf interval = 0 C:\Program Files\Splunk\etc\apps\introspection_generator_addon\default\inputs.conf sourcetype = splunk_resource_usage__internal C:\Program Files\Splunk\etc\apps\search\default\inputs.conf [script://C:\Program Files\Splunk\etc\apps\search\bin\quarantine_files.py] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\apps\search\default\inputs.conf disabled = false C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\search\default\inputs.conf interval = C:\Program Files\Splunk\etc\apps\search\default\inputs.conf passAuth = splunk-system-user C:\Program Files\Splunk\etc\apps\search\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\search\default\inputs.conf run_only_one = false C:\Program Files\Splunk\etc\apps\splunk_monitoring_console\default\inputs.conf [script://C:\Program Files\Splunk\etc\apps\splunk_monitoring_console\bin\dmc_config.py] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\splunk_monitoring_console\default\inputs.conf interval = -1 C:\Program Files\Splunk\etc\apps\splunk_monitoring_console\default\inputs.conf passAuth = splunk-system-user C:\Program Files\Splunk\etc\apps\splunk_monitoring_console\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\splunk_monitoring_console\default\inputs.conf [script://C:\Program Files\Splunk\etc\apps\splunk_monitoring_console\bin\mc_auto_config.py] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\apps\splunk_monitoring_console\default\inputs.conf interval = 3600 C:\Program Files\Splunk\etc\apps\splunk_monitoring_console\default\inputs.conf passAuth = splunk-system-user C:\Program Files\Splunk\etc\apps\splunk_monitoring_console\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf [secure_gateway_modular_input://default] C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf disabled = 1 host = $decideOnStartup index = default C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf interval = 30 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\splunk_assist\default\inputs.conf [selfupdate_modular_input://default] C:\Program Files\Splunk\etc\apps\splunk_assist\default\inputs.conf disabled = 0 host = $decideOnStartup index = default C:\Program Files\Splunk\etc\apps\splunk_assist\default\inputs.conf interval = 300 C:\Program Files\Splunk\etc\apps\splunk_assist\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\system\default\inputs.conf [splunktcp] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf acceptFrom = C:\Program Files\Splunk\etc\system\default\inputs.conf connection_host = ip C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default C:\Program Files\Splunk\etc\system\default\inputs.conf logRetireOldS2S = true C:\Program Files\Splunk\etc\system\default\inputs.conf logRetireOldS2SMaxCache = 10000 C:\Program Files\Splunk\etc\system\default\inputs.conf logRetireOldS2SRepeatFrequency = 1d C:\Program Files\Splunk\etc\system\default\inputs.conf route = has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:rulesetQueue;absent_key:_linebreaker:parsingQueue C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf [ssg_alerts_ttl_modular_input://default] C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf disabled = 0 host = $decideOnStartup index = default C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf interval = 3600 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf ttl_days = 1 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf [ssg_config_modular_input://default] C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf disabled = 1 host = $decideOnStartup index = default C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf [ssg_deep_link_dashboard_modular_input://default] C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf disabled = 1 host = $decideOnStartup index = default C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf interval = 5 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf [ssg_delete_tokens_modular_input://default] C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf disabled = 1 host = $decideOnStartup index = default C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf interval = 7200 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf [ssg_device_role_modular_input://default] C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf disabled = 1 host = $decideOnStartup index = default C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf interval = 300 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf [ssg_enable_modular_input://default] C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf disabled = 0 host = $decideOnStartup index = default C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf interval = 60 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf [ssg_metrics_modular_input://default] C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf disabled = 1 host = $decideOnStartup index = default C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf interval = 43200 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf [ssg_registered_devices_modular_input://default] C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf disabled = 1 host = $decideOnStartup index = default C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf interval = 86400 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf [ssg_registered_users_list_modular_input://default] C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf disabled = 1 host = $decideOnStartup index = default C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf interval = 86400 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf [ssg_report_heuristics_modular_input://default] C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf disabled = 1 host = $decideOnStartup index = default C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf interval = 604800 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf [ssg_subscription_clean_up_modular_input://default] C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf cleanup_threshold_seconds = 120 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf disabled = 1 host = $decideOnStartup index = default C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf interval = 120 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf [ssg_subscription_modular_input://default] C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf disabled = 1 host = $decideOnStartup index = default C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf interval = 30 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf maximum_iteration_time_warn_threshold_seconds = 300 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf minimum_iteration_time_seconds = 5 C:\Program Files\Splunk\etc\apps\splunk_secure_gateway\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\apps\splunk_assist\default\inputs.conf [supervisor_modular_input://default] C:\Program Files\Splunk\etc\apps\splunk_assist\default\inputs.conf disabled = 0 host = $decideOnStartup index = default C:\Program Files\Splunk\etc\apps\splunk_assist\default\inputs.conf interval = 15 C:\Program Files\Splunk\etc\apps\splunk_assist\default\inputs.conf python.version = python3 C:\Program Files\Splunk\etc\system\default\inputs.conf [tcp] C:\Program Files\Splunk\etc\system\default\inputs.conf _rcvbuf = 1572864 C:\Program Files\Splunk\etc\system\default\inputs.conf acceptFrom = C:\Program Files\Splunk\etc\system\default\inputs.conf connection_host = dns C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dc_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\Splunk\etc\system\default\inputs.conf evt_resolve_ad_obj = 0 C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup C:\Program Files\Splunk\etc\system\default\inputs.conf index = default

dstaulcu commented 1 year ago

This btool output is from an install of splunk server. Is your splunk server windows-based having sysmon installed and configured? If so, cool. -Resultant config for sysmon inputs looks good enough but here's how I would express those settings instead. Please also share output of the following command line statement: sysmon.exe -c

remove this entry - C:\Program Files\Splunk\etc\apps\search\local\inputs.conf [WinEventLog://Microsoft-Windows-Sysmon/Operational] remove this entry - C:\Program Files\Splunk\etc\apps\search\local\inputs.conf index = windows add this entry - C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft_sysmon\local\inputs.conf [WinEventLog://Microsoft-Windows-Sysmon/Operational] add this entry - C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft_sysmon\local\inputs.conf index = windows

Edited

zhjygit commented 1 year ago

I reinstall the splunk. image As above, there is no threathunting_file_summary.

I add index for threathunting app with windows、threathunting and threathunting_file_summary. Restart the splunk, nothing changed, remains no threathunting_file_summary, no activity on overview of threathunting app.

I changed the inputs.conf from path C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft_sysmon\default image And then copy the inputs.conf to ..\local\

restart the splunk again. Via the index, I can see the logs from index=windows, but threathunting and threathunting is 0, and "about the app" remains no threathunting_file_summary option. image

I changed the register via ID 1103 about Appinit_dlls something. Via search , I can see the log: However, there is no data and activity: image

dstaulcu commented 1 year ago

Your events are still not formatted as xml. With events not formatted as xml it is no surprise dashboards are all rendering zeros.

I mentioned earlier that you should not make modifications to configuration files in the default folder provided in vendor apps. Instead, your custom entries for sysmon inputs should be in local.

The inputs.conf in default for sysmon should look exactly like this:

WinEventLog://Microsoft-Windows-Sysmon/Operational] disabled = false renderXml = 1 source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

The screenshot you provided showing defaullt\inputs.conf had two sections in it for sysmon.. The second section had an incorrrect renderXml value as well as an incorrect source value. That whole second section should be removed.

The inputs.conf in local folder for sysmon should look like this:

[WinEventLog://Microsoft-Windows-Sysmon/Operational] index = windows

zhjygit commented 1 year ago

Still not work sir.

1.C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft_sysmon\default\inputs.conf

SPDX-FileCopyrightText: 2021 Splunk, Inc. sales@splunk.com

SPDX-License-Identifier: LicenseRef-Splunk-8-2021

[WinEventLog://Microsoft-Windows-Sysmon/Operational] disabled = false renderXml = 1 source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

[WinEventLog://WEC-Sysmon] disabled = true renderXml = 1 source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype = XmlWinEventLog:WEC-Sysmon host = WinEventLogForwardHost

2.C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft_sysmon\local\inputs.conf

SPDX-FileCopyrightText: 2021 Splunk, Inc. sales@splunk.com

SPDX-License-Identifier: LicenseRef-Splunk-8-2021

[WinEventLog://Microsoft-Windows-Sysmon/Operational] index=windows

3.indexes image I added three indexes:windows、threathunting and threathunting_file_summary

4.macros image

5.enableSched C:\Program Files\Splunk\etc\apps\ThreatHunting\default\savedsearches.conf image As above, I changed value of enableSched from 0 to 1. image

  1. ID 1103 in savedsearches image Changed appInit_dlls value image I searched this log, however, no data in overview, and no activity. image

7.reason:threathunting_file_summay is empty image In fact, in index=windows, there is logs, however, no data of index=threathunting and no data of index=threathunting_file_summary.

zhjygit commented 1 year ago

Is it related to the warning? image image

dstaulcu commented 1 year ago

no, still related to the structure of your events

dstaulcu commented 1 year ago

the event displayed in your screenshot still has non-xml structure. the source field in the event does not have the xml prefix which should be preserved from your input by now. the sourcetype field in the event does not have xmlwinevent log which should there as a result of correct source field and transforms from splunk app for windows.

please share output of cmdline: .\splunk\cmd btool inputs list -- debug please share output of cmdline: sysmon.exe -c please share output of splunk search: sysmon | head 1
note: sysmon should be surrounded by backticks in search.

zhjygit commented 1 year ago

I feel confused,I give up for now. Thanks for your reply.

By the way, the link https://www.linkedin.com/pulse/attckized-splunk-kirtar-oza-cissp-cisa-ms-/ is out of service, Could you update it and give another link(for example,just in the github repo).

In fact , what confused me hardly is that I have activity and data but can not show on the dashboard, what is the design of background, via savedsearches、threathunting_file_summary?

zhjygit commented 1 year ago

no, still related to the structure of your events

You are wrong. I resign the owners of alert above, and then, I have activity and datas on dashboard, but remains 0(So shit..) image image image

Maybe, the most reliable reason is that, the savedsearches cannot identify the log above. If so, that will be a waste of time.

dstaulcu commented 1 year ago

Good idea on taking break to build perspective.