olafhartong / ThreatHunting

A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
MIT License

threathunting dashbord is full of 0 #120

Open zhjygit opened 1 year ago

zhjygit commented 1 year ago


My sysmon and splunk both have the log of ID 3, however my threathunting dashboard is empty. My work is as follows:

  1. Upload the csv files.
  2. Make an index of main from the target PC.
  3. Install the necessary add-ons as follows: Punchcard Visualization, Force Directed Visualization, Sankey Diagram Visualization, Lookup File Editor.

threathunting dashboard is full of 0, why?

zhjygit commented 1 year ago

I followed the youtube video: https://www.youtube.com/watch?v=GVM8RRyQx7s

In the search dashboard of threathunting the search is:

```
sysmon (event_id=12 OR event_id=13 OR event_id=14) (registry_key_path="\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls" OR registry_key_path="\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls")
```

In fact, I have changed the registry value of the target PC according to the savedsearches.conf. Meanwhile, I updated the savedsearches.conf file and restarted splunk.

And then, with the above search dashboard, I got an event in the threathunting search log. But, finally, my dashboard of threathunting remains full of 0.

dstaulcu commented 1 year ago

Take a look at closed issues in GitHub. This sort of symptom has been addressed in issue discussions several times. Often it comes down to source/source type values for sysmon or not rendering events as xml. I can see from your screenshot that your sysmon events are not getting rendered as xml so you have at least one of those problems.


zhjygit commented 1 year ago

Rendering xml for sysmon? Change it in inputs.conf on the PC where sysmon is installed? My inputs.conf path is C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default

Is there another place to change something for xml? My macro is shown in the screenshot.

dstaulcu commented 1 year ago

The renderXml spec in the sysmon stanza of inputs.conf should have a value of true. One of your screenshots in the issue has a sysmon event that is tab delimited and not eye-murder xml.


zhjygit commented 1 year ago

C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf:

```
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = True
index = windows
source = WinEventLog:Microsoft-Windows-Sysmon/Operational
```

I added an inputs.conf as follows, C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf:

```
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = false
sourcetype = WinEventLog:Microsoft-Windows-Sysmon/Operational
index = threathunting
```

These two paths, xxx\local and xxx\default, are they right? Is xxx\local\inputs.conf necessary?

In the splunk settings, how can I set the sourcetype? Is it necessary? In splunk -> managed -> advanced search -> macro, there is no option for sourcetype, just source.

In https://github.com/olafhartong/ThreatHunting/issues/106 there are so many guides about the above, however I cannot get data on the threathunting dashboard: 0 and no activity.

After that I searched as follows:

```
index="threathunting" OR index=windows | stats count, dc(EventCode), latest(_raw) by index, sourcetype, source
```

dstaulcu commented 1 year ago

Sorry; Have been mobile all morning with fragmented responses until now.

In general, you should not make changes within .\SplunkUniversalForwarder\default. Instead, your changes should be in .\SplunkUniversalForwarder\etc\apps\\default if you are building an app. If you are customizing an app you or someone else built, then your additions/overrides to conf file entries should be in configuration files under .\SplunkUniversalForwarder\etc\apps\\local. All that said, you should not need to build any apps for ThreatHunting to work.

The ThreatHunting app depends on the presence of apps listed here. https://github.com/olafhartong/ThreatHunting/blob/master/lookups/requirements.csv

The Splunk Add-on for Sysmon app should be installed both on the endpoint you want to send logs from and also on your splunk servers. Other apps only need to be on your splunk server. If the sysmon app was installed on your endpoint, .\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft_sysmon\default\inputs.conf should be driving most of your sysmon settings.

Splunk_TA_microsoft_sysmon app aside, your latest inputs.conf has 3 problems:

I recommend the following:

  1. Make sure all sysmon related entries are removed from C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf and C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf.
  2. Download Splunk Add-on for Sysmon from Splunkbase: https://splunkbase.splunk.com/app/5709
  3. Decompress the downloaded splunk-add-on-for-sysmon_310.tgz file
  4. Decompress the .\splunk-add-on-for-sysmon_310\splunk-add-on-for-sysmon_310.tar file
  5. Copy the .\splunk-add-on-for-sysmon_310\splunk-add-on-for-sysmon_310\Splunk_TA_microsoft_sysmon folder to c:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\etc\apps
  6. Verify the "windows" index exists on splunk servers having indexer and search head roles.
  7. Make sure you have the Splunk Add-on for Microsoft Windows app installed on your splunk servers
  8. Restart the splunk client

After restart you should now start to see migraine-inducing xml-formatted events from sysmon showing up in your windows index.

Once you have done all that, please share a screenshot having results of the following search:

```
Index="" earliest=1 source="sysmon*" | stats count, latest(_raw), latest(_time) as latestEvent by index, source, sourcetype | eval latestEvent=strftime(latestEvent,"%c")
```

There are still plenty of other dependencies to have missed but you have to get this part (inputs) right first.

By the way, here is the other closed issue which reminds me of where we are headed with yours https://github.com/olafhartong/ThreatHunting/issues/106

zhjygit commented 1 year ago

Maybe, what you say above is extremely different from issue #106. As you said, I deleted the inputs.conf in the path xxx\local; I deleted the added spec in C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\input.conf

And then, I installed the splunk add-on for sysmon on the target PC (win 10). As you said, I did nothing in the file C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft_sysmon\default\inputs.conf

And then, I added an index for the application Threathunting named windows.

And then, I ran this search in the Threathunting search:

```
Index="" earliest=1 source="sysmon" | stats count, latest(_raw), latest(_time) as latestEvent by index, source, sourcetype | eval latestEvent=strftime(latestEvent,"%c")
```

Maybe it should be:

```
Index="" earliest=1 source="sysmon" | stats count, latest(_raw), latest(_time) as latestEvent by index, source, sourcetype
```

Other screenshots are attached.

Should I change the inputs.conf file on the splunk server? As you know, my splunk server and the target PC are two PCs.

dstaulcu commented 1 year ago

The long process of requirements validation reminds me of 106.

I’m thinking your new sysmon events are in the main index. Either update sysmon index macro in threathunting app to resolve to main or update inputs for sysmon to include index=windows.

I can’t see what’s wrong with the strftime statement so just take that whole command out of the search. Also, field names are case sensitive in searches so make sure the "i" in the index field name is expressed lower case.
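To make the two configuration points in this thread concrete (a local/ inputs.conf silently overrides default/, and the index the forwarder writes to must match the index the app's sysmon macro searches), here is an added Python check; it is not part of the issue or of the ThreatHunting app. The two inputs.conf samples are constructed to mirror the files quoted earlier in the thread, and the macro definition is a constructed stand-in for the app's real macros.conf entry.

```python
import configparser

SYSMON_STANZA = "WinEventLog://Microsoft-Windows-Sysmon/Operational"
# Constructed samples mirroring the two inputs.conf files quoted in the thread.
DEFAULT_INPUTS = """
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = True
index = windows
source = WinEventLog:Microsoft-Windows-Sysmon/Operational
"""
LOCAL_INPUTS = """
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = false
sourcetype = WinEventLog:Microsoft-Windows-Sysmon/Operational
index = threathunting
"""
# Constructed stand-in for the app's sysmon macro; the real macros.conf entry may differ.
MACRO_DEFINITION = "index=windows source=WinEventLog:Microsoft-Windows-Sysmon/Operational"

def parse_conf(text):  # Splunk .conf is INI-like: returns {stanza: {key: value}}
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case; Splunk's key is spelled renderXml
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def effective_stanza(layers, stanza):  # later layers (local/) override earlier (default/)
    merged = {}
    for layer in layers:
        merged.update(layer.get(stanza, {}))
    return merged

def macro_index(definition):  # the index= value the macro pins the search to, else None
    for token in definition.split():
        if token.lower().startswith("index="):
            return token.split("=", 1)[1].strip('"')

def check_sysmon_input(default_text, local_text, macro_def):  # mismatches that leave dashboards at 0
    eff = effective_stanza([parse_conf(default_text), parse_conf(local_text)], SYSMON_STANZA)
    problems = []
    if eff.get("disabled", "false").lower() not in ("false", "0"):
        problems.append("sysmon input is disabled")
    if eff.get("renderXml", "false").lower() not in ("true", "1"):
        problems.append("renderXml is not true; the app expects XML-rendered events")
    want = macro_index(macro_def)
    if want and eff.get("index") != want:
        problems.append(f"index is {eff.get('index')!r} but the sysmon macro searches {want!r}")
    return problems
```

Run the check on the real default/ and local/ files under the forwarder's apps directory and on the macro text from the app's macros.conf; an empty list means the forwarder's effective sysmon input lines up with what the app searches.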

zhjygit commented 1 year ago

In the demo video: https://www.youtube.com/watch?v=6tS8nz7sZMQ

However, in my splunk there is no threathunting_file_summary on the dashboard of "about the app". Is that the reason for no data on the threathunting overview?

dstaulcu commented 1 year ago

As your last screenshot shows, the splunk add-on for sysmon is missing on the search head. Searches that put results in the threat_hunting_summary index depend on enrichments from the sysmon app as well as the windows app on the splunk server.

zhjygit commented 1 year ago

In the demo video: https://www.youtube.com/watch?v=6tS8nz7sZMQ

No use to stall the sysmon add-on. I guess the most likely reason is about the index threathunting_file_summary. I can search logs via "index=windows", however the threathunting index data and activity data are all 0. The threathunting index data is from windows, how do I resolve and finish it? savedsearches? props.conf? macro.conf? I have tried all of these referring to related issues, however no use.

dstaulcu commented 1 year ago

"No use to stall the sysmon add-on." - Can you clarify what you mean by this? Are you saying that you have already installed it or that you refuse to install it?