
Hello, my threat hunting dashboard keeps showing 0 data, but the Activity by time per day dashboard underneath is circulating. #106

Open
creazyqin opened this issue Nov 15, 2022 · 14 comments

Comments

@creazyqin

problem1
splunk.version: 9.0.2
threathunting is downloaded from the splunk app
problem2
I really do not know how to solve it.

@dstaulcu
Contributor

dstaulcu commented Nov 15, 2022

The version of the threathunting app on splunkbase is far behind the version available on GitHub. Can you replace your install and then share whether problem still exists? Otherwise the screenshot of your configuration panel crops out values of macro definitions. Macro definitions or missing indexes are the most likely problem sources.

@creazyqin
Author

The version of the threathunting app on splunkbase is far behind the version available on GitHub. Can you replace your install and then share whether problem still exists? Otherwise the screenshot of your configuration panel crops out values of macro definitions. Macro definitions or missing indexes are the most likely problem sources.

Hello, still having the same problem.

@dstaulcu
Contributor

dstaulcu commented Nov 16, 2022

Please post an updated screenshot of the app dashboard panel. Make sure to include all of the macro panel values. Also please include a screenshot of any event in the index having your sysmon data.

I did not realize that the ThreatHunting app is now up to date on Splunkbase until about an hour ago. After that I removed the ThreatHunting app from my server and then installed it again (from Splunkbase) and things are working fine for me.

@dstaulcu
Contributor

Do you have the Splunk Add-on for Microsoft Windows installed? If not, try that and let me know.

@creazyqin
Author

Please post an updated screenshot of the app dashboard panel. Make sure to include all of the macro panel values. Also, please include a screenshot of any event in the index containing your system data.

I did not realize until about an hour ago that the ThreatHunting app is now up to date on Splunkbase. After that I removed the ThreatHunting app from my server and installed it again (from Splunkbase), and everything is working fine for me.

ok
image
image
image

@dstaulcu
Contributor

dstaulcu commented Nov 18, 2022

  • It appears you are missing the index with name threathunting_summary.
  • Are there more entries in the macros section of the about this app dashboard? I would expect to see many more macros, particularly for sysmon, system, application, security, and firewall logs. It's possible they are just cropped out of your screenshot. Without macros properly defined, the savedsearches associated with the app will not find events to possibly report on.
  • Have you installed the Splunk add on for Microsoft windows?
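To make the two checks above (missing index, macros without usable definitions) concrete, here is an added Python script that is not part of the ThreatHunting app or of this thread. It cross-checks an app's macros.conf against indexes.conf and reports required indexes that do not exist (threathunting_summary in this thread), macros whose definition searches an index that is not defined, and macros with an empty definition, which is what a cropped or blank macro panel would hide. The macro names, definitions and index stanzas in the sample text are constructed for the example and are not the app's real configuration; the only index name taken from the thread is threathunting_summary.

```python
import configparser
import re
from typing import Dict, List, Set, Tuple

# Constructed sample files: macro names, definitions and index stanzas are
# illustrative only, not the ThreatHunting app's own configuration.
SAMPLE_MACROS_CONF = """
[sysmon]
definition = index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

[wineventlog_security]
definition = index=windows sourcetype="WinEventLog:Security"

[threathunting]
definition = index=threathunting_summary

[firewall]
definition = index=fw_logs sourcetype="WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"

[cropped_macro]
"""

SAMPLE_INDEXES_CONF = """
[default]
maxTotalDataSizeMB = 500000

[windows]
homePath = $SPLUNK_DB/windows/db
coldPath = $SPLUNK_DB/windows/colddb
thawedPath = $SPLUNK_DB/windows/thaweddb

[volume:hot]
path = /opt/splunk/var/lib/splunk
"""

# Matches "index=foo" or index="foo" inside a macro definition.
INDEX_REF = re.compile(r'\bindex\s*=\s*"?([A-Za-z0-9_*-]+)"?', re.IGNORECASE)


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk .conf text (INI-style stanzas) without value interpolation."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def defined_indexes(indexes_conf: str) -> Set[str]:
    """Names of event indexes declared in indexes.conf (default/volume stanzas excluded)."""
    parser = load_conf(indexes_conf)
    return {s for s in parser.sections() if s != "default" and not s.startswith("volume:")}


def referenced_indexes(definition: str) -> Set[str]:
    """Index names a macro definition searches."""
    return set(INDEX_REF.findall(definition))


def check_macros(macros_conf: str, indexes_conf: str,
                 required: Tuple[str, ...] = ("threathunting_summary",)) -> Dict[str, List]:
    """Cross-check app macros against the indexes that actually exist.

    Returns three findings lists: required indexes that are not defined,
    (macro, index) pairs where the macro searches an undefined index, and
    macros that have no definition at all.
    """
    macros = load_conf(macros_conf)
    known = defined_indexes(indexes_conf)
    unknown_refs: List[Tuple[str, str]] = []
    undefined: List[str] = []
    for name in macros.sections():
        definition = macros.get(name, "definition", fallback="").strip()
        if not definition:
            undefined.append(name)
            continue
        for idx in sorted(referenced_indexes(definition)):
            if idx != "*" and idx not in known:
                unknown_refs.append((name, idx))
    return {
        "missing_required_indexes": sorted(i for i in required if i not in known),
        "macros_with_unknown_index": sorted(unknown_refs),
        "macros_without_definition": sorted(undefined),
    }


if __name__ == "__main__":
    for finding, items in check_macros(SAMPLE_MACROS_CONF, SAMPLE_INDEXES_CONF).items():
        print(f"{finding}: {items or 'none'}")
```

On a real search head you would feed it the merged output of the app's local and default macros.conf and the indexer's indexes.conf; the three findings map directly onto the questions in the comment above (missing index, cropped or empty macros), which is where the ThreatHunting dashboards most often end up with zero results.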

@creazyqin
Author

  • It appears you are missing the index with name threathunting_summary.
  • Are there more entries in the macros section of the about this app dashboard? I would expect to see many more macros, particularly for sysmon, system, application, security, and firewall logs. It's possible they are just cropped out of your screenshot. Without macros properly defined, the savedsearches associated with the app will not find events to possibly report on.
  • Have you installed the Splunk add on for Microsoft windows?

I have created the threathunting_summary index.
image
image
I have installed the forwarder for Windows.

@creazyqin
Author

image

Splunk Add-on for Sysmon is also installed

@dstaulcu
Contributor

Please run the following search and send screenshot of results:

earliest=-24h index=windows | stats count, dc(EventCode), latest(_raw) by index, sourcetype, source

@creazyqin
Author

image

@dstaulcu
Contributor

dstaulcu commented Nov 20, 2022

  • You appear to be missing the Splunk Add-on for Microsoft Windows. I've submitted a pull request to add that as a requirement for the ThreatHunting app. Please add that app to your search head and let me know if the situation improves. Also, you should consider enabling inputs for System, Application, PowerShell, etc. in order to determine whether the problem you are experiencing is unique to varying field extraction and format dependencies of sysmon or common across all input types. See below for example inputs:

```ini
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = 1
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
index = windows

[WinEventLog://System]
disabled = false
renderXml = 0
index = windows

[WinEventLog://Application]
disabled = false
renderXml = 0
index = windows

[WinEventLog://Security]
disabled = false
renderXml = 0
index = windows

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = false
renderXml = 0
index = windows

[WinEventLog://Microsoft-Windows-Windows Firewall With Advanced Security/Firewall]
disabled = false
renderXml = 0
index = windows
```

@creazyqin
Author

Thanks, the dashboard is up and running!
image
But none of the following statements will work:

```ini
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = 1
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
index = windows

[WinEventLog://System]
disabled = false
renderXml = 0
index = windows

[WinEventLog://Application]
disabled = false
renderXml = 0
index = windows

[WinEventLog://Security]
disabled = false
renderXml = 0
index = windows

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = false
renderXml = 0
index = windows

[WinEventLog://Microsoft-Windows-Windows Firewall With Advanced Security/Firewall]
disabled = false
renderXml = 0
index = windows
```

@dstaulcu
Contributor

Glad to hear the dashboard is working now!

As for the other statements, you included them in an inputs.conf deployed to a windows endpoint right?
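As an added example (not the thread's or the app's own code), the following Python linter takes inputs.conf stanzas like the ones quoted above and checks each WinEventLog stanza for the things that decide whether events ever reach the dashboards: that an index is set, whether the stanza is actually enabled, and, for renderXml = 1 inputs, that the source follows the XmlWinEventLog:<channel> form used in the Sysmon stanza above. Treating that source form as a required convention is an assumption of this example, taken from the thread's own stanza rather than from Splunk documentation. The sample input embeds four of the quoted stanzas plus one constructed, deliberately broken PowerShell stanza; the file being checked is the inputs.conf deployed to the Windows endpoint or forwarder, which is what the question above is getting at.

```python
import configparser
from dataclasses import dataclass, field
from typing import List

# Sample input: the first four stanzas are the ones quoted in this thread; the
# last one is constructed to be broken (disabled, no index, renderXml=1 with
# no matching XmlWinEventLog source) so the checks have something to report.
SAMPLE_INPUTS_CONF = """
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = 1
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
index = windows

[WinEventLog://System]
disabled = false
renderXml = 0
index = windows

[WinEventLog://Security]
disabled = false
renderXml = 0
index = windows

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = true
renderXml = 1
"""

PREFIX = "WinEventLog://"


@dataclass
class StanzaReport:
    """Findings for one WinEventLog input stanza."""
    channel: str
    enabled: bool
    problems: List[str] = field(default_factory=list)


def lint_inputs_conf(text: str) -> List[StanzaReport]:
    """Check every WinEventLog stanza for the settings that gate data flow."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    reports: List[StanzaReport] = []
    for stanza in parser.sections():
        if not stanza.startswith(PREFIX):
            continue  # not a Windows Event Log input; out of scope here
        channel = stanza[len(PREFIX):]
        sec = parser[stanza]  # configparser lowercases option names
        enabled = sec.get("disabled", "false").strip().lower() in ("0", "false")
        problems: List[str] = []
        if "index" not in sec:
            problems.append("no index set: events go to the default index, "
                            "not the index the app macros search")
        if sec.get("renderxml", "0").strip().lower() in ("1", "true"):
            expected = f"XmlWinEventLog:{channel}"
            if sec.get("source", "").strip() != expected:
                problems.append(f"renderXml=1 but source is not {expected}")
        reports.append(StanzaReport(channel, enabled, problems))
    return reports


def enabled_channels(reports: List[StanzaReport]) -> List[str]:
    """Channels whose stanza is enabled; compare against the inputs you expect."""
    return sorted(r.channel for r in reports if r.enabled)


def problem_channels(reports: List[StanzaReport]) -> List[str]:
    """Channels with at least one finding."""
    return sorted(r.channel for r in reports if r.problems)


if __name__ == "__main__":
    for report in lint_inputs_conf(SAMPLE_INPUTS_CONF):
        state = "enabled" if report.enabled else "DISABLED"
        print(f"{report.channel}: {state}")
        for problem in report.problems:
            print(f"  - {problem}")
```

Run it against the inputs.conf on the forwarder (under the app that was actually pushed to the endpoint, not the copy on the search head) and the list of enabled channels tells you at a glance whether only Sysmon is flowing or whether System, Application and Security are reaching the index too, which is the comparison the earlier comment asked for.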

@creazyqin
Author

Thank you. It has been solved.
