($exclude_technique$) AND ($exclude_host_fqdn$) Need to be removed to work

[kucster]

I've been playing with your great app and am stuck as to why to get any query to run I need to remove ($exclude_technique$) AND ($exclude_host_fqdn$). I'm rather new to Splunk but I've tried to review your code and can't quite find the culprit. On my ThreatHunting about page everything shows up as installed. Also when I remove these values everything starts working but I think I will need them as I do need to exclude some items. Thanks for your help Sean

[OutpostSecurity]

Those are tokens set from the dashboard. could you post the search that does not work and then the search that does? might help narrow down how it is working in your environment.

[kucster]

Thank you for your help. It is not so much the search but the issue is the dashboard. I've attached a pic, on the left is the dashboard unmodified and the right is the modified. The modified code is below, I've pretty much just removed the ($exclude_technique$) AND ($exclude_host_fqdn$) references. `

Threat Hunting trigger overview Copy

Time range -7d@d now Exclude Technique mitre_technique_id mitre_technique_id index=threathunting | stats count by mitre_technique_id | sort -count $time_picker.earliest$ $time_picker.latest$ AND mitre_technique_id!=" " None none Exclude host host_fqdn host_fqdn index=threathunting | stats count by host_fqdn | sort -count $time_picker.earliest$ $time_picker.latest$ AND None none host_fqdn!=" "

index=threathunting mitre_category="*Initial_Access*" | timechart span=24h count(mitre_category) | appendpipe [stats count | where count=0] $time_picker.earliest$ $time_picker.latest$ 1 value none all 125 ["0x000","0xd93f3c"] [0] progressbar 1 1 absolute after 1 index=threathunting mitre_category="*Execution*" | timechart span=24h count(mitre_category) | appendpipe [stats count | where count=0] $time_picker.earliest$ $time_picker.latest$ 1 value none all 125 ["0x000","0xff2e45"] [0] progressbar after 1 index=threathunting mitre_category="*Persistence*" | timechart span=24h count(mitre_category) | appendpipe [stats count | where count=0] $time_picker.earliest$ $time_picker.latest$ 1 value none all 125 ["0x000","0xff4785"] [0] progressbar after 1 index=threathunting mitre_category="*Privilege_Escalation*" | timechart span=24h count(mitre_category) | appendpipe [stats count | where count=0] $time_picker.earliest$ $time_picker.latest$ 1 value none all 125 ["0x000","0xff8041"] [0] progressbar after 1 index=threathunting mitre_category="*Defense_Evasion*" | timechart span=24h count(mitre_category) | appendpipe [stats count | where count=0] $time_picker.earliest$ $time_picker.latest$ 1 value none all 125 ["0x000","0xffaf00"] [0] progressbar 1 absolute after 1 index=threathunting mitre_category="*Credential_Access*" | timechart span=24h count(mitre_category) | appendpipe [stats count | where count=0] $time_picker.earliest$ $time_picker.latest$ 1 value none all 125 ["0x000","0xffd300"] [0] progressbar after 1 index=threathunting mitre_category="*Discovery*" | timechart span=24h count(mitre_category) | appendpipe [stats count | where count=0] $time_picker.earliest$ $time_picker.latest$ 1 value none all 125 ["0x000","0xabc530"] [0] progressbar after 1 index=threathunting mitre_category="*Lateral_Movement*" | timechart span=24h count(mitre_category) | appendpipe [stats count | where count=0] $time_picker.earliest$ $time_picker.latest$ 1 value none all 125 ["0x000","0x01c26d"] [0] progressbar -7d after 1 index=threathunting mitre_category="*Collection*" | timechart span=24h count(mitre_category) | appendpipe [stats count | where count=0] $time_picker.earliest$ $time_picker.latest$ 1 value none all 125 ["0x000","0x007b84"] [0] progressbar after 1 index=threathunting mitre_category="*Command_and_Control*" | timechart span=24h count(mitre_category) | appendpipe [stats count | where count=0] $time_picker.earliest$ $time_picker.latest$ 1 value none all 125 ["0x000","0x075190"] [0] progressbar 1 absolute after 1 index=threathunting mitre_category="*Exfiltration*" | timechart span=24h count(mitre_category) | appendpipe [stats count | where count=0] $time_picker.earliest$ $time_picker.latest$ 1 value none all 125 ["0x000","0x86308c"] [0] progressbar after 1 index="threathunting" | stats count by mitre_technique_id, mitre_technique, mitre_category | sort -count $time_picker.earliest$ $time_picker.latest$ 10highlowcellfalsefalse index="threathunting" | stats count by host_fqdn | sort -count $time_picker.earliest$ $time_picker.latest$ 10heatmapcellfalseprogressbarfalse index="threathunting" | stats count by user_name, host_fqdn | sort -count $time_picker.earliest$ $time_picker.latest$ 10heatmapcellfalseprogressbarfalse index=threathunting | stats count by _time, mitre_category | timechart span=15m sum(count) by mitre_category useother=false $time_picker.earliest$ $time_picker.latest$ auto log line zero none none 0 right progressbar [Initial_Access,Execution,Persistence,Privilege_Escalation,Defense_Evasion,Credential_Access,Discovery,Lateral_Movement,Collection,Command_and_Control,Exfiltration,Impact] [0xd8031a,0xff2e45,0xff4785,0xff8041,0xffaf00,0xffd300,0xabc530,0x01c26d,0x007b84,0x075190,0x86308c,0x482569]

`

[OutpostSecurity]

so I think the input fields are mis-named, The search is expecting exclud_technique and exclude_host_fqdn and I think they are called mitre_technique_id and host_fqdn. Edit the dashboard and then edit those inputs and ensure the Token fields are correct Attached is a screenshot of the exclude host field where the Token field is correctly set. Let me know if those are correct and it is still not working.

[kucster]

Thank you for your continued help, I've looked at the values and I think they are correct, see below

[OutpostSecurity]

Weird ok, not sure where to look, I cannot re-create the issue. If it works to just remove those token references then go for it.

[kucster]

Will do, thank you for trying