olafhartong / ThreatHunting

A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
MIT License

Stuck #38

Closed sulaimanbale closed 2 years ago

sulaimanbale commented 4 years ago

Hi, using the latest Splunk, I am stuck here.

What to do now?

sulaimanbale commented 4 years ago

Can someone help me to get this working?

sulaimanbale commented 4 years ago

No forwarders.

Sysmon is already set up.

sulaimanbale commented 4 years ago


No forwarders to select for data input.

Kirtar22 commented 4 years ago

@sulaimanbale - After clicking "Data Inputs":

The rest of the sub-steps (of Step 4) are not required for the newer version of the ThreatHunting app, as these are taken care of by @olafhartong.

I hope this helps.

sulaimanbale commented 4 years ago

Hi, I am unable to see the option to select "Microsoft-Sysmon-Operational" from "available logs" under "Local event log collection".

sulaimanbale commented 4 years ago

No forwarders.

billmurrin commented 4 years ago

Hi @sulaimanbale, I will try to help you. Have you installed the Universal forwarder on your system and are you sending your sysmon logs to your Splunk instance?

For example, in your Universal Forwarder, copy your inputs.conf from INSTALL LOCATION\SplunkUniversalForwarder\etc\system\default into INSTALL LOCATION\SplunkUniversalForwarder\etc\system\local and edit it, adding the following lines (make sure you adjust the index to whatever it needs to be for your installation):

### Sysmon Logs ###
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = sysmon
disabled = false
renderXml = true

After that, you can restart your Universal Forwarder and it should be forwarding the logs.

The next thing is to ensure you are receiving data on that port (9997 by default). In Splunk, go to Settings -> Forwarding and Receiving -> Receiving and ensure that your receiving port is enabled. Note, after doing this, you may have to restart Splunk.

I would also consider downloading the Splunk Sysmon Technical Add-on so that the data is parsed using the Common Information Model (CIM) when it is ingested.

sulaimanbale11 commented 4 years ago

Hi, yes, Sysmon is up and working, and after that I'm stuck at this step for data input. Hope you can help me.

billmurrin commented 4 years ago

Is the Splunk universal forwarder installed on your system?

sulaimanbale commented 4 years ago

Yes it is installed.

sulaimanbale commented 4 years ago

Is there any way I can contact you personally?

billmurrin commented 4 years ago

Have you configured Sysmon logs to be forwarded in the inputs.conf like I listed above? And did you enable the receiving of data on port 9997 (default)? After it is enabled, you should restart Splunk.

sulaimanbale commented 4 years ago

Yes, done!

sulaimanbale commented 4 years ago

Please let me know what to do next.

billmurrin commented 4 years ago

It looks like your sysmon data is getting ingested. Do you see anything getting ingested in the ThreatHunting (TH) Application? If not, go into your TH App macros (Settings->Advanced Search->Macros) and ensure you update the sysmon macro with the proper source/sourcetype. That will ensure that the saved searches execute properly.

sulaimanbale commented 4 years ago

Is it right?

billmurrin commented 4 years ago

Are your sysmon logs in the windows index?

sulaimanbale commented 4 years ago

Yes, I believe so.

billmurrin commented 4 years ago

Did you create your threathunting index?

mlinton commented 4 years ago

Hi @billmurrin, I am also having some difficulty getting the indexing working properly.

I'm using the latest Splunk Enterprise (8). I have got my SplunkUniversalForwarder properly forwarding events from the test desktop to the splunk server. I originally didn't have the index = sysmon in the inputs.conf of the forwarder.

I can see events being ingested in the sysmon index.


However inside the threathunting app trigger overview I see all zeros:


I can see in the source for the dashboards that the data is being collected from the threathunting index, which I don't have, which explains why the data isn't showing. But how do I get Splunk to add the ingested data to that new index?

Thanks.

sulaimanbale commented 4 years ago

Hi, still stuck; kindly help with a detailed guide if possible.

billmurrin commented 4 years ago

@mlinton - you have to create the threathunting index so that the data from the sysmon index is stored in that summary index which drives the app's dashboards. The threathunting summary index is populated via saved searches that are part of the app.

You can create the index in Splunk Web by navigating to Settings > Indexes and click New.

@sulaimanbale - I am sorry to hear that you are still having issues. I will see what other things I can come up with to help you out.
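The replies above cover three separate places where this pipeline breaks: the forwarder's inputs.conf stanza, the sysmon macro's index/sourcetype, and the missing threathunting summary index. As an added example (not code from the ThreatHunting app or from anyone in this thread), the Python below parses a forwarder inputs.conf and a macros.conf entry and reports those mismatches; the inputs.conf text, the macro definition and the index set are constructed samples, and the real contents of the app's sysmon macro are an assumption.

```python
import configparser
import re

# Event-log stanza name used by the Universal Forwarder (as in the thread).
SYSMON_STANZA = "WinEventLog://Microsoft-Windows-Sysmon/Operational"
# Constructed inputs.conf sample: the thread's stanza, but pointed at index "windows".
INPUTS_CONF = """
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = windows
disabled = false
renderXml = true
"""
# Constructed macros.conf sample; the app's real sysmon macro text is assumed, not copied.
MACROS_CONF = """
[sysmon]
definition = index=sysmon sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
"""
# Constructed set of indexes present on the indexer (no threathunting index yet).
EXISTING_INDEXES = {"main", "windows"}

def parse_conf(text):
    """Parse Splunk .conf text: INI-like, '#' comments, case-sensitive keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep renderXml etc. as written
    cp.read_string(text)
    return cp

def macro_index(macros_text, name="sysmon"):
    """Return the index= value the macro searches, or None if it has none."""
    m = re.search(r"\bindex\s*=\s*(\S+)", parse_conf(macros_text)[name]["definition"])
    return m.group(1) if m else None

def check_pipeline(inputs_text, macros_text, indexes):
    """List the mismatches that leave the ThreatHunting dashboards empty."""
    cfg = parse_conf(inputs_text)
    if SYSMON_STANZA not in cfg:
        return [f"no [{SYSMON_STANZA}] stanza in inputs.conf"]
    stanza, problems = cfg[SYSMON_STANZA], []
    if stanza.get("disabled", "0").lower() in ("1", "true"):
        problems.append("sysmon input is disabled")
    if stanza.get("renderXml", "0").lower() not in ("1", "true"):
        problems.append("renderXml should be true so the Sysmon add-on can parse the events")
    fwd_index = stanza.get("index", "main")  # Splunk's default index when unset
    want = macro_index(macros_text)
    if want != fwd_index:
        problems.append(f"forwarder writes to index={fwd_index} but the sysmon macro searches index={want}")
    if "threathunting" not in indexes:
        problems.append("summary index threathunting is missing; create it under Settings > Indexes")
    return problems
```

Run against the constructed sample it reports the index mismatch and the missing summary index; fixing the stanza to index = sysmon and creating the threathunting index empties the list.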

zhjygit commented 11 months ago

@billmurrin Hi sir, what I have done is as follows:

Splunk server: Win 10, version 9.1, 192.168.80.1
Target PC: Win 10, Sysmon version 15.0, SplunkUniversalForwarder installed.

sysmon64.exe -accepteula -i sysmonconfig.xml

This XML is from https://github.com/olafhartong/sysmon-modular/blob/master/sysmonconfig.xml

C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf is as follows:

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = false
index = windows
source = WinEventLog:Microsoft-Windows-Sysmon/Operational

Nothing else has been changed on the target PC.

The Splunk server is as follows:
installed the ThreatHunting app;
installed the add-ons except "Splunk Add-on for Sysmon";
downloaded and installed the .csv files;
added the windows and threathunting indexes to the ThreatHunting app;
at http://127.0.0.1:8000/zh-CN/manager/ThreatHunting/deployment/server/setup/data/inputs/remote_eventlogs: added all 5 logs.

And then, on the dashboard at http://127.0.0.1:8000/zh-CN/manager/ThreatHunting/data/indexes#, I can see data for index=windows. However, there is no data in the threathunting index from index=windows. In fact, I cannot understand this: there are some logs in index=threathunting, but they are logs of the Splunk server PC instead of the target PC (so shit...).

As shown above, for index=threathunting the host is the Splunk server itself, not the target PC.

In the end, there is no data in index=threathunting from windows, and no data or activity on the dashboard at http://127.0.0.1:8000/zh-CN/app/ThreatHunting/threat_hunting_overview.

The sysmon macro is as follows: