I see several messages in the _internal index in Splunk like the following:

ERROR SavedSplunker - savedsearch_id="nobody;ThreatHunting;[T1003] Credential Dumping ImageLoad", message="Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.". No actions executed

This seems to be the case for the following reports:

[T1003] Credential Dumping ImageLoad
[T1044] File System Permissions Weakness
[T1073] DLL Side-Loading - PowerShell
[T1073] DLL Side-Loading - WMI

All of the above use the lookup definition 'image_load_whitelist' which corresponds to the file: "threathunting_image_load_whitelist.csv".
As far as I can see there is a naming mismatch in one of the fields from the lookup definition and the corresponding field in the csv file.
The lookup definition looks for "driver_signature_status" while in the csv file, the field is named "driver_signatureStatus".
It's an easy fix to rename either the lookup definition or the csv file, but hopefully it will be fixed for the next version of the app as well.
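A small check for exactly this class of mismatch, added here as an example (it is not code from the issue or from the ThreatHunting app): it reads the fields a transforms.conf lookup stanza declares in fields_list, compares them with the CSV header, and suggests the CSV column that differs only in case or underscores. The stanza contents and the CSV rows are constructed for the example; the real app's fields_list is assumed, not copied.

```python
"""Detect field-name mismatches between a Splunk lookup definition and its CSV."""
import configparser
import csv
import io
import re

# Constructed sample transforms.conf stanza. 'filename' and 'fields_list' are real
# transforms.conf keys, but this field set is an assumption for the example.
TRANSFORMS_CONF = """
[image_load_whitelist]
filename = threathunting_image_load_whitelist.csv
fields_list = image_loaded, driver_signature_status, computer_name
"""

# Constructed CSV header mirroring the mismatch described in the issue.
LOOKUP_CSV = """image_loaded,driver_signatureStatus,computer_name
C:\\Windows\\System32\\example.dll,Valid,HOST1
"""


def _normalise(name):
    # Collapse case and underscores so snake_case and camelCase variants compare equal.
    return re.sub(r"[_\s]", "", name).lower()


def lookup_fields(transforms_text, stanza):
    """Fields the lookup definition expects, taken from its fields_list entry."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(transforms_text)
    raw = cp.get(stanza, "fields_list", fallback="")
    return [f.strip() for f in raw.split(",") if f.strip()]


def csv_header(csv_text):
    """Column names from the first row of the lookup CSV."""
    return next(csv.reader(io.StringIO(csv_text)))


def find_mismatches(transforms_text, stanza, csv_text):
    """Map each expected field missing from the CSV to its near-match column (or None)."""
    header = csv_header(csv_text)
    by_norm = {_normalise(h): h for h in header}
    return {f: by_norm.get(_normalise(f))
            for f in lookup_fields(transforms_text, stanza) if f not in header}


if __name__ == "__main__":
    for field, near in find_mismatches(TRANSFORMS_CONF, "image_load_whitelist", LOOKUP_CSV).items():
        print(f"missing lookup field: {field}" + (f" (CSV has '{near}')" if near else ""))
```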