olafhartong / ThreatHunting

A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
MIT License
1.12k stars 175 forks

Conflict with Windows TA #47

Closed igorxo closed 3 years ago

igorxo commented 4 years ago

In my environment ThreatHunting app is taking unsuitable fields that were extracted by Windows TA because of using known field names in extractions like event_id. I don't know why those extractions are even necessary and why the developer is not just using Sysmon TA field extractions which are working fine.

afxmac commented 4 years ago

I have stopped trying to get ThreatHunting to work after I discovered this. Apps that override standard Windows fields or CIM fields are just not worth the hassle.

igorxo commented 4 years ago

Yes, that was just a wrong architectural decision. If you need to do your own extractions, then be sure that they are compliant with CIM and that they are not clashing with standard apps. I respect the effort put into the app and there are a lot of good and useful searches in it, but the app is just not production-ready out of the box and it requires a lot of tuning.

olafhartong commented 4 years ago

I agree there should not be any conflicts. I'm planning to do some large maintenance to the app and will address this issue. The reason for the custom work is primarily because the data models were not comprehensive enough at the time of the initial design, I'll review this as I agree with using standards.

Please let me know which fields are clashing, I'll address those first.

igorxo commented 4 years ago

Windows TA is using fieldalias, which comes before eval, so your extractions are not applied properly. If you can change that to fieldalias, it would probably be ok.
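As an added illustration of the clash igorxo describes (not configuration taken from the Windows TA or from ThreatHunting), hypothetical props.conf fragments from two apps that both match the same sourcetype; the stanza name, the attribute keys and the EVAL expression are assumptions:

```ini
# Hypothetical props.conf fragments (added illustration, not the real
# configuration of either project). Splunk applies search-time operations
# in a fixed order per event:
#   EXTRACT -> REPORT -> KV_MODE -> FIELDALIAS -> EVAL -> LOOKUP
# so a FIELDALIAS from one app is always processed before an EVAL from
# another app on the same events.

# --- fragment as a Windows TA might define it ---
# event_id is a plain alias of the native EventCode field.
[WinEventLog:Security]
FIELDALIAS-evt_code = EventCode AS event_id

# --- clashing fragment as a hunting app might define it ---
# A calculated field that reuses the same name. Because EVAL runs after
# FIELDALIAS, this expression silently replaces the TA's value on every
# matching event, and the app's searches now read its own derivation
# instead of the field the rest of the deployment expects.
[WinEventLog:Security]
EVAL-event_id = coalesce(EventCode, EventID)

# --- non-clashing alternative ---
# Either use the same alias the TA uses (so both definitions agree), or
# namespace the app-specific field so the standard name is never touched.
[WinEventLog:Security]
FIELDALIAS-th_evt_code = EventCode AS th_event_id
```

A quick way to check for this class of overlap is `| eval` vs `fieldalias` attribute names listed by `btool props list --debug`, which shows which app each attribute comes from.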

afxmac commented 4 years ago

Ok, I tried to extract all definitions and see where they overlap. I am not a regex pro, so this might be slightly borked, but the number of potential overlaps that I came up with is small enough: event_id, file_path, process_id, process_name, src_ip, src_port

hope that helps. afx

olafhartong commented 4 years ago

Thanks afx, I've removed all but file_path since that is not handled for security logs.

zwar77 commented 4 years ago

Hello,

Did you update the app with these updates? I am still seeing this issue in the most recent version of the app where it is looking for event_id's that are being aliased by the windows_ta, causing the app to not recognize the fields. The only option to make anything work is to go through each search on every page and change all of the fields to the sysmon ta extractions. Is there an update/fix coming for this? Thanks for your hard work and putting this app together.

olafhartong commented 4 years ago

No, thanks for the reminder, I still have to do this. I have some updates locally in addition to that which I'll commit soon and make an update to the splunkbase app as well.
