threathunting dashbord is full of 0 #120
Comments
I followed the YouTube video: https://www.youtube.com/watch?v=GVM8RRyQx7s
In the search dashboard of ThreatHunting it is: sysmon (event_id=12 OR event_id=13 OR event_id=14) (registry_key_path="\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls" OR registry_key_path="\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls")
[image]<https://user-images.githubusercontent.com/44870751/260216177-8466051f-ea6c-4940-b524-7046fa45ed0d.png>
In fact, I have changed the registry value on the target PC according to the savedsearches.conf.
[image]<https://user-images.githubusercontent.com/44870751/260216254-06802655-0aab-4717-a8f5-bafc39100def.png>
Meanwhile, I updated the savedsearches.conf file and restarted Splunk.
[image]<https://user-images.githubusercontent.com/44870751/260216378-1946730c-ff8a-4ed8-bff8-360127f92289.png>
And then, as in the search dashboard above, I got an event in the ThreatHunting search log.
But, finally, my ThreatHunting dashboard remains full of 0 as follows:
[image]<https://user-images.githubusercontent.com/44870751/260216551-dcadd174-c778-4ada-816d-95d1f72ef975.png>
[image]<https://user-images.githubusercontent.com/44870751/260216601-67584e43-3f25-4ca3-96cd-04a822dbbd30.png>
|
Take a look at closed issues in GitHub. This sort of symptom has been addressed in issue discussions several times. Often it comes down to source/source type values for sysmon or not rendering events as xml. I can see from your screenshot that your sysmon events are not getting rendered as xml so you have at least one of those problems.
|
Rendering XML for sysmon? Change it in inputs.conf on the PC where sysmon is installed?
[image]<https://user-images.githubusercontent.com/44870751/260234031-af97ab4f-2754-4f76-8141-8dfe9908e4c5.png>
Is there another place to change something for XML?
In fact, I don't see issues about this problem, could you show them? Thank you.
|
The renderXml spec in the sysmon stanza of inputs.conf should have a value of true. One of your screenshots in the issue has a sysmon event that is tab delimited and not eye-murder xml.
|
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
I added an inputs.conf as follows:
These two paths, xxx\local and xxx\default, is it right? Is xxx\local\inputs.conf necessary?
In the Splunk settings, how can I set the sourcetype? Is it necessary?
In #106 there are so many guides about the above, however I cannot get data on the ThreatHunting dashboard: 0 and no activity.
After that I searched as follows:
index="threathunting" OR index=windows | stats count, dc(EventCode), latest(_raw) by index, sourcetype, source
|
Sorry; Have been mobile all morning with fragmented responses until now.
In general, you should not make changes within .\SplunkUniversalForwarder\default. Instead, your changes should be in .\SplunkUniversalForwarder\etc\apps\<appname>\default if you are building an app. If you are customizing an app you or someone else built, then your additions/overrides to conf file entries should be in configuration files under .\SplunkUniversalForwarder\etc\apps\<appname>\local. All that said, you should not need to build any apps for ThreatHunting to work.
The ThreatHunting app depends on the presence of apps listed here. https://github.com/olafhartong/ThreatHunting/blob/master/lookups/requirements.csv
The Splunk Add-on for Sysmon app should be installed both on the endpoint you want to send logs from and also on your splunk servers. Other apps only need to be on your splunk server. If the sysmon app was installed on your endpoint, .\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft_sysmon\default\inputs.conf should be driving most of your sysmon settings.
Splunk_TA_microsoft_sysmon app aside, your latest inputs.conf has 3 problems:
* Problem 1 is that the value for your index spec results in events forwarding directly to the threathunting index. You should not do that. By default, the Threathunting app assumes that the events are going to an index named windows. Note: The windows index does not exist by default with splunk. You may need to define the index on your splunk server(s) having indexing and search head roles.
* Problem 2 is that you have a spec for sourcetype. Remove that spec
* Problem 3 is that you do not have a source spec value of “XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
I recommend the following:
1. Make sure all sysmon related entries are removed from C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf and C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf.
2. Download Splunk Add-on for Sysmon | Splunkbase<https://splunkbase.splunk.com/app/5709>
3. Decompress the downloaded splunk-add-on-for-sysmon_310.tgz file
4. Decompress the .\splunk-add-on-for-sysmon_310\splunk-add-on-for-sysmon_310.tar file
5. Copy the .\splunk-add-on-for-sysmon_310\splunk-add-on-for-sysmon_310\Splunk_TA_microsoft_sysmon folder to c:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\etc\apps
6. Verify the "windows" index exists on splunk servers having indexer and search head roles.
7. Make sure you have the Splunk Add-on for Microsoft Windows app installed on your splunk servers
8. Restart the splunk client
After restart you should now start to see migraine-inducing xml-formatted events from sysmon showing up in your windows index.
Once you have done all that, please share a screenshot having results of the following search:
Index="*" earliest=1 source="*sysmon*" | stats count, latest(_raw), latest(_time) as latestEvent by index, source, sourcetype | eval latestEvent=strftime(latestEvent,"%c")
There are still plenty of other dependencies to have missed but you have to get this part (inputs) right first.
By the way, here is the other closed issue which reminds me of where we are headed with yours
#106
|
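To make the inputs.conf advice in the reply above concrete, here is an added example (not code from the ThreatHunting project or from Splunk) that parses Universal Forwarder inputs.conf layers, applies the default-then-local override order the reply describes, and flags the three problems it lists for the Sysmon stanza. The sample conf texts are constructed for the example; the expected source value is the one quoted in the reply, and the assumption that Splunk sends events to main when no index is set is mine.

```python
"""Check a Universal Forwarder's Sysmon input the way the reply above does.

Added example, not part of the ThreatHunting project or the Splunk add-on.
It applies the default -> local override order the reply describes and then
flags the inputs.conf problems it lists. The sample conf texts below are
constructed for the example.
"""
import configparser
from typing import Dict, List, Tuple

SYSMON_STANZA = "WinEventLog://Microsoft-Windows-Sysmon/Operational"
EXPECTED_INDEX = "windows"  # the ThreatHunting macros assume this index by default
# Source value the reply expects once renderXml is enabled
EXPECTED_SOURCE = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

Layer = Tuple[str, str]  # (path the conf came from, its text)


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse one inputs.conf into {stanza: {key: value}}, preserving key case (renderXml)."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",),
        default_section="__no_default__",  # Splunk has no special DEFAULT section
    )
    cp.optionxform = str  # keep Splunk's camelCase keys intact
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def merge_layers(layers: List[Layer]) -> Dict[str, Dict[str, str]]:
    """Merge conf layers key by key; pass default before local so local wins.

    A later layer can override a key but never delete one, which is why the
    reply says to strip the Sysmon entries from both default and local.
    """
    merged: Dict[str, Dict[str, str]] = {}
    for _path, text in layers:
        for stanza, kv in parse_inputs_conf(text).items():
            merged.setdefault(stanza, {}).update(kv)
    return merged


def lint_sysmon_input(merged: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the problems the reply lists for the merged Sysmon stanza."""
    stanza = merged.get(SYSMON_STANZA)
    if stanza is None:
        return [f"no [{SYSMON_STANZA}] stanza found"]
    problems: List[str] = []
    if stanza.get("disabled", "0").strip().lower() in ("1", "true"):
        problems.append("input is disabled")
    index = stanza.get("index", "main")  # assumption: main is used when no index is set
    if index != EXPECTED_INDEX:
        problems.append(f"index={index}: ThreatHunting expects Sysmon events in '{EXPECTED_INDEX}'")
    if "sourcetype" in stanza:
        problems.append(f"explicit sourcetype={stanza['sourcetype']}: remove it, the add-on sets it")
    if stanza.get("renderXml", "false").strip().lower() not in ("1", "true"):
        problems.append("renderXml is not true: events arrive tab-delimited instead of as XML")
    source = stanza.get("source")
    if source is not None and source != EXPECTED_SOURCE:
        problems.append(f"source={source}: expected {EXPECTED_SOURCE}")
    return problems


# Constructed sample layers, modelled on the mistakes discussed in the thread.
BROKEN_DEFAULT = """
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
index = threathunting
sourcetype = sysmon
"""

PARTIAL_LOCAL = """
# local/ can override index and add renderXml, but cannot remove sourcetype
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = windows
renderXml = true
"""

CORRECTED = """
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
index = windows
renderXml = true
"""


def report(layers: List[Layer]) -> List[str]:
    """Merge the given layers and lint the resulting Sysmon stanza."""
    return lint_sysmon_input(merge_layers(layers))


if __name__ == "__main__":
    for name, layers in [
        ("default only", [("default/inputs.conf", BROKEN_DEFAULT)]),
        ("default + local", [("default/inputs.conf", BROKEN_DEFAULT), ("local/inputs.conf", PARTIAL_LOCAL)]),
        ("corrected", [("local/inputs.conf", CORRECTED)]),
    ]:
        print(f"{name}: {report(layers) or ['OK']}")
```

The second case is the one worth noticing: a local\inputs.conf can change the index and switch on renderXml, but it cannot remove the sourcetype key set in default\inputs.conf, so the stanza still fails the check until that key is deleted at the layer that defines it.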
Maybe what you say above is extremely different from issue #106. And then, I installed the Splunk add-on for sysmon on the target PC (Win 10), like this:
And then, I added an index for the application ThreatHunting named windows:
And then, I searched in the ThreatHunting search: Index="*" earliest=1 source="*sysmon*" | stats count, latest(_raw), latest(_time) as latestEvent by index, source, sourcetype | eval latestEvent=strftime(latestEvent,"%c")
Other screenshots are as follows:
Should I change the inputs.conf file on the Splunk server? As you know, my Splunk server and the target PC are two PCs.
|
The long process of requirements validation reminds me of 106.
I’m thinking your new sysmon events are in the main index. Either update sysmon index macro in threathunting app to resolve to main or update inputs for sysmon to include index=windows.
I can’t see what’s wrong with the strftime statement so just take that whole command out of the search. Also, field names are case sensitive in searches so make sure the "i" in the index field name is expressed lower case.
|
In the demo video: https://www.youtube.com/watch?v=6tS8nz7sZMQ However, in my Splunk, there is no threathunting_file_summary on the dashboard of "about the app". |
As your last screenshot shows, the Splunk add-on for sysmon is missing on the search head. Searches that put results in the threat_hunting_summary index depend on enrichments from the sysmon app as well as the windows app on the splunk server. |
No use to stall the sysmon add-on. |
"No use to stall the sysmon add-on." - Can you clarify what you mean by this? Are you saying that you have already installed it or that you refuse to install it? |
My sysmon and Splunk both have the log of ID 3, however my ThreatHunting dashboard is empty.
[image]
[image]
My work is as follows:
Upload csv files
Make an index of main from the target PC:
Install the necessary add-ons as follows:
Punchcard Visualization
Force Directed Visualization
Sankey Diagram Visualization
Lookup File Editor
ThreatHunting dashboard is full of 0, why?