olafhartong / ThreatHunting

A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
MIT License

Splunk Add on for Sysmon #71

Closed JBStudios closed 3 years ago

JBStudios commented 3 years ago

Hi all,

I will need to do a complete reset to figure out my issue, just preliminary posting here.

A lot of my field extractions from the TA for Sysmon do not align with the searches for the ThreatHunting add-on, for example:

(sysmon event_id=1) OR ('windows-security' event_id=4688) host_fqdn= process_parent_name= process_name=*

But I do not have any host_fqdn and process_parent_name does not exist but parent_process_name does.

Second thing I note is that my threathunting index does not seem to be populated with any data although it exists.

I am a bit of a noob, so I will tear it down and start again in case I am doing something very wrong, but if you have any obvious comments then I'd love to hear them.

JBStudios commented 3 years ago

I see now the props.conf is meant to do the evals, so therefore I have an issue with configuration. Tear down should fix.

JBStudios commented 3 years ago

Rebuild fixed the issue; searches weren't running and populating the threathunter index (reason unknown). Closing the issue. (Advice for anyone else: turn it off and on again, wait for a few hours, turn it off and on again.)
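A diagnostic for the field mismatch JBStudios describes, added here as an example (not code from the ThreatHunting app or the Sysmon TA): it parses a props.conf stanza and lists the fields a hunting search filters on that are neither extracted natively by the TA nor supplied by an EVAL-/FIELDALIAS- entry. The stanza contents, the native-field set and the eval expression are assumptions; the search line is the one from the issue and the sourcetype name is the Sysmon add-on's real one.

```python
# Added example (not code from the ThreatHunting app or the Sysmon TA): report the
# fields a hunting search filters on that neither the TA nor props.conf provides.
import re
SYSMON_SOURCETYPE = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"  # real TA sourcetype
SAMPLE_PROPS = """
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
# constructed stanza: map the TA's name to the one the searches expect
FIELDALIAS-parent = parent_process_name AS process_parent_name
EVAL-host_fqdn = coalesce(host_fqdn, \\
    lower(Computer))
"""
SAMPLE_SEARCH = "(sysmon event_id=1) OR ('windows-security' event_id=4688) host_fqdn= process_parent_name= process_name=*"
TA_NATIVE_FIELDS = {"event_id", "parent_process_name", "process_name"}  # assumed native TA fields, per the report

def parse_props(text):
    """Minimal Splunk .conf parser: [stanza], key = value, # comments, backslash continuation."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        pending = ""
        if line.endswith("\\"):  # value continues on the next line
            pending = line[:-1]
            continue
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, val = line.split("=", 1)
            stanzas[current][key.strip()] = val.strip()
    return stanzas

def provided_fields(stanza):
    """Fields an EVAL-<field> defines or a FIELDALIAS '... AS <field>' creates."""
    fields = set()
    for key, val in stanza.items():
        if key.startswith("EVAL-"):
            fields.add(key[len("EVAL-"):])
        elif key.startswith("FIELDALIAS-"):
            fields.update(re.findall(r"\bAS\s+(\w+)", val, flags=re.IGNORECASE))
    return fields
def search_fields(spl):
    """Field names the search filters on (any token directly followed by '=')."""
    return set(re.findall(r"(\w+)=", spl))
def missing_fields(props_text, sourcetype, spl, native_fields):
    """Search fields neither extracted natively nor defined in the props.conf stanza."""
    stanza = parse_props(props_text).get(sourcetype, {})
    return sorted(search_fields(spl) - set(native_fields) - provided_fields(stanza))
```

Running `missing_fields` with an empty props.conf reproduces the symptom in the report (host_fqdn and process_parent_name absent); with the stanza above it returns nothing, which is the state the app's own props.conf should leave you in once it is loaded for that sourcetype.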