olafhartong / ThreatHunting

A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
MIT License

host_fqdn is missing for non-rendered XML Sysmon event #19

Closed brianyaucy closed 5 years ago

brianyaucy commented 5 years ago

With the Sysmon log input in inputs.conf set to renderXML=0, events in the threathunting index do not have the field host_fqdn.

brianyaucy commented 5 years ago

Fixed by adding the following in $SPLUNK_HOME/etc/apps/ThreatHunting/local/props.conf:

```ini
# Classic (non-XML) Sysmon events carry the host in ComputerName, not Computer
[WinEventLog:Microsoft-Windows-Sysmon/Operational]
EVAL-host_fqdn = ComputerName
```

cbboggs commented 5 years ago

It appears the props has EVAL-host_fqdn = Computer for both xml and non-xml sourcetypes, which appears to be the issue, as the field should be ComputerName as you stated above.

olafhartong commented 5 years ago

Thanks for this; as I mostly work with the XML version, I didn't encounter this. It's fixed in the next push.
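The mismatch discussed in this thread, shown as an added example that is not code from the ThreatHunting app or from any commenter: a small Python emulation of Splunk's per-sourcetype field extraction and of the EVAL-host_fqdn rule. Classic (renderXml=0) WinEventLog events expose the host as ComputerName=..., while XML-rendered events expose it as the <Computer> element, which Splunk extracts as the field Computer. Both sample events, the stanza names and the two props mappings below are constructed for the demonstration; the BROKEN_PROPS mapping reproduces the state cbboggs describes (Computer for both sourcetypes) and FIXED_PROPS the mapping brianyaucy posted.

```python
"""
Added example (not the ThreatHunting app's code): emulate Splunk's
EVAL-host_fqdn for the two Sysmon sourcetypes from issue #19 and show why
a single 'Computer' mapping leaves host_fqdn empty for classic events.
"""
import re
import xml.etree.ElementTree as ET

# Sourcetype names as used by the Splunk Windows add-on (assumed here).
SOURCETYPE_CLASSIC = "WinEventLog:Microsoft-Windows-Sysmon/Operational"
SOURCETYPE_XML = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

# Constructed sample: classic rendering of a Sysmon EventID 1 (renderXml=0).
CLASSIC_EVENT = """\
03/04/2019 10:15:22 AM
LogName=Microsoft-Windows-Sysmon/Operational
SourceName=Microsoft-Windows-Sysmon
EventCode=1
EventType=4
ComputerName=ws01.corp.example
TaskCategory=Process Create (rule: ProcessCreate)
Message=Process Create:
UtcTime: 2019-03-04 10:15:22.123
Image: C:\\Windows\\System32\\cmd.exe
"""

# Constructed sample: XML rendering of the same event (renderXml=1).
XML_EVENT = """\
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Sysmon'/>
    <EventID>1</EventID>
    <Computer>ws01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name='Image'>C:\\Windows\\System32\\cmd.exe</Data>
  </EventData>
</Event>
"""
WINEVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"


def extract_fields(sourcetype, raw):
    """Mimic the search-time fields Splunk produces for each sourcetype."""
    fields = {}
    if sourcetype == SOURCETYPE_CLASSIC:
        # Classic format: one 'Key=Value' pair per line in the event header.
        for m in re.finditer(r"^(\w+)=(.*)$", raw, re.M):
            fields[m.group(1)] = m.group(2)
    elif sourcetype == SOURCETYPE_XML:
        # XML format: <System> children become fields named after the tag,
        # <Data Name='X'> elements become fields named X.
        root = ET.fromstring(raw)
        for tag in ("EventID", "Computer"):
            el = root.find(f".//{WINEVT_NS}{tag}")
            if el is not None:
                fields[tag] = el.text
        for d in root.iter(f"{WINEVT_NS}Data"):
            fields[d.get("Name")] = d.text
    return fields


# props.conf state reported in the issue: Computer for both stanzas.
BROKEN_PROPS = {SOURCETYPE_CLASSIC: "Computer", SOURCETYPE_XML: "Computer"}
# props.conf after the fix: ComputerName for the classic (non-XML) stanza.
FIXED_PROPS = {SOURCETYPE_CLASSIC: "ComputerName", SOURCETYPE_XML: "Computer"}


def eval_host_fqdn(props, sourcetype, raw):
    """Apply 'EVAL-host_fqdn = <field>'; an absent source field yields None,
    which is how the missing host_fqdn shows up in the threathunting index."""
    return extract_fields(sourcetype, raw).get(props[sourcetype])


def check_coverage(props):
    """Return the host_fqdn value produced for each sourcetype."""
    return {
        "classic": eval_host_fqdn(props, SOURCETYPE_CLASSIC, CLASSIC_EVENT),
        "xml": eval_host_fqdn(props, SOURCETYPE_XML, XML_EVENT),
    }


if __name__ == "__main__":
    for name, props in (("broken", BROKEN_PROPS), ("fixed", FIXED_PROPS)):
        print(name, check_coverage(props))
```

Running the block prints the broken mapping yielding None for the classic sourcetype and the fixed mapping yielding the FQDN for both; the same check is worth repeating against real events after any change to the app's props.conf, since a detection that filters on host_fqdn silently drops every event where the EVAL resolves to nothing.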