olafhartong / ThreatHunting

A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
MIT License

Splunk _internal error in lookup command #46

Closed mortf closed 4 years ago

mortf commented 4 years ago

I see several messages in the _internal index in Splunk like the following:

ERROR SavedSplunker - savedsearch_id="nobody;ThreatHunting;[T1003] Credential Dumping ImageLoad", message="Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.". No actions executed

This seems to be the case for the following reports:

[T1003] Credential Dumping ImageLoad
[T1044] File System Permissions Weakness
[T1073] DLL Side-Loading - PowerShell
[T1073] DLL Side-Loading - WMI

All of the above use the lookup definition 'image_load_whitelist' which corresponds to the file: "threathunting_image_load_whitelist.csv". As far as I can see there is a naming mismatch in one of the fields from the lookup definition and the corresponding field in the CSV file.

The lookup definition looks for "driver_signature_status" while in the CSV file, the field is named "driver_signatureStatus".

It's an easy fix to rename either the lookup definition or the csv file, but hopefully it will be fixed for the next version of the app as well.
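
The mismatch described in this issue (a lookup definition naming a column that the backing CSV spells differently) can be caught before deploying an app by comparing each lookup's `fields_list` against the header row of its CSV. The script below is an added example written for this thread, not code from the ThreatHunting app or from either participant. The `transforms.conf` fragment and the CSV contents are constructed for the example; `filename` and `fields_list` are real `transforms.conf` settings, but the stanza `whitelist_ok` and the file `ok.csv` are made up. The "likely rename" heuristic (compare names with case and underscores stripped) is this example's own idea, meant to flag exactly the snake_case vs camelCase drift reported above.

```python
import configparser
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# Constructed transforms.conf fragment (example data, not the app's real file).
# `fields_list` declares the columns a lookup definition expects in its CSV.
TRANSFORMS_CONF = """
[image_load_whitelist]
filename = threathunting_image_load_whitelist.csv
fields_list = image_loaded, driver_signature_status, is_whitelisted

[whitelist_ok]
filename = ok.csv
fields_list = a, b
"""

# Constructed CSV contents keyed by filename. Only the header row matters for
# this check; the data rows are made up.
CSV_FILES = {
    "threathunting_image_load_whitelist.csv": (
        "image_loaded,driver_signatureStatus,is_whitelisted\n"
        "C:\\Windows\\System32\\ntdll.dll,Valid,true\n"
    ),
    "ok.csv": "a,b\n1,2\n",
}


def parse_lookup_definitions(conf_text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Return {stanza: (filename, [declared fields])} for every lookup stanza
    that declares both `filename` and `fields_list`. Stanzas without a
    fields_list take their columns from the CSV header, so nothing can drift."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    lookups: Dict[str, Tuple[str, List[str]]] = {}
    for stanza in parser.sections():
        section = parser[stanza]
        if "filename" not in section or "fields_list" not in section:
            continue
        fields = [f.strip() for f in section["fields_list"].split(",") if f.strip()]
        lookups[stanza] = (section["filename"].strip(), fields)
    return lookups


def csv_header(csv_text: str) -> List[str]:
    """First row of the CSV, i.e. the column names Splunk will see."""
    return next(csv.reader(io.StringIO(csv_text)))


def normalize_field(name: str) -> str:
    """Collapse case and punctuation so driver_signature_status and
    driver_signatureStatus compare equal; used only to suggest a rename."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def find_field_mismatches(
    conf_text: str, csv_files: Dict[str, str]
) -> Dict[str, List[Tuple[str, Optional[str]]]]:
    """For each lookup stanza, list (declared_field, likely_csv_column_or_None)
    for every declared field that is not present verbatim in the CSV header.
    An empty list means the definition and the CSV agree."""
    report: Dict[str, List[Tuple[str, Optional[str]]]] = {}
    for stanza, (filename, fields) in parse_lookup_definitions(conf_text).items():
        if filename not in csv_files:
            raise FileNotFoundError(f"[{stanza}] references missing lookup file {filename}")
        header = csv_header(csv_files[filename])
        by_normalized = {normalize_field(col): col for col in header}
        problems: List[Tuple[str, Optional[str]]] = []
        for field in fields:
            if field in header:
                continue  # exact match: Splunk's lookup command will find it
            problems.append((field, by_normalized.get(normalize_field(field))))
        report[stanza] = problems
    return report


if __name__ == "__main__":
    for stanza, problems in find_field_mismatches(TRANSFORMS_CONF, CSV_FILES).items():
        if not problems:
            print(f"[{stanza}] OK")
            continue
        for field, suggestion in problems:
            hint = f" (CSV has '{suggestion}', likely a rename)" if suggestion else ""
            print(f"[{stanza}] field '{field}' not in CSV header{hint}")
```

To run this against a real app, read `default/transforms.conf` into `conf_text` and load each referenced file from `lookups/` into the `csv_files` dict; any stanza that reports a non-empty list is one whose searches will fail with the "Could not find all of the specified lookup fields" error quoted above, and a suggestion value tells you which side to rename.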

olafhartong commented 4 years ago

thanks for letting me know, I'll take care of this during the next maintenance run

olafhartong commented 4 years ago

I've pushed a fix to this repo, thanks for letting me know!