olafhartong / ThreatHunting

A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
MIT License

Confused getting data into the index "threathunting" #42

Closed Woodams closed 4 years ago

Woodams commented 4 years ago

I'm 90% done installing the app; the last two things I need to do are install Sysmon onto workstations and then create the "threathunting" index on the Splunk indexers. However, I'm confused why that index is necessary... I see it's used in a lot of the dashboards, but I don't see where/how any data gets sent into that index.

Windows events go into index=windows, sysmon events go into index=windows, and...what goes into index=threathunting?... Am I supposed to point data to that index? Does the app automagically replicate data to that index?

I looked through all of the apps I've installed, and none of them has any outputs.conf or anything that even mentions index=threathunting. No aliases or macros even mention threathunting.

I don't understand why I'd create an index and then not point any Forwarders to use it. I'm not saying it doesn't work - I haven't got that far yet - I just feel like I'm missing a step or some understanding of how it interacts with the rest of the app.

Edit: Hey, never mind, I finally figured it out. A lot of the included searches use summary indexing that stores the results in the threathunting index. As far as I can tell, that's the only purpose of this index. It's not for raw events, just summary indexing to use around the app. I'm already getting errors from my indexers saying that the searches are trying to save results to a non-existent index :D
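As an added illustration (not configuration from the repository or from this thread), the two pieces of Splunk configuration the resolution describes: an indexes.conf stanza that creates the threathunting index on the indexers, and a savedsearches.conf stanza of the kind the app ships, whose scheduled results are written to that index via summary indexing. The saved-search name, its search string and the retention value are constructed placeholders.

```ini
# indexes.conf, deployed to every indexer (not only the search head):
# creates the index that the summary-indexing searches write into.
# Until it exists, the indexers log errors about saving results to a
# non-existent index, which is the symptom described in the thread.
[threathunting]
homePath   = $SPLUNK_DB/threathunting/db
coldPath   = $SPLUNK_DB/threathunting/colddb
thawedPath = $SPLUNK_DB/threathunting/thaweddb
# Summary data is small; 90 days is an assumed retention, tune as needed.
frozenTimePeriodInSecs = 7776000

# savedsearches.conf on the search head: a constructed stanza of the type
# the app uses. Raw Sysmon events stay in index=windows; only the stats
# rows produced by this scheduled search land in index=threathunting.
[Example - Sysmon process creations per host (constructed)]
search = index=windows EventCode=1 | stats count by host, Image
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
enableSched = 1
action.summary_index = 1
action.summary_index._name = threathunting

# Verification search to run once the index exists and a schedule has
# fired; summary-indexed rows carry the saved-search name as their source:
# | tstats count where index=threathunting by source
```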