Closed brianyaucy closed 5 years ago
Fixed by adding the following in `$SPLUNK_HOME/etc/apps/ThreatHunting/local/props.conf`:

```ini
[WinEventLog:Microsoft-Windows-Sysmon/Operational]
EVAL-host_fqdn = ComputerName
```
It appears the props.conf has `EVAL-host_fqdn = Computer` for both the XML and non-XML sourcetypes, which appears to be the issue, as the field should be `ComputerName` for the non-XML sourcetype, as you stated above.
Thanks for this. As I mostly work with the XML version, I didn't encounter this. It's fixed in the next push.
With the Sysmon log input in inputs.conf set to `renderXML=0`, events in the threathunting index do not have the field `host_fqdn`.