


ThreatHunting

This is a Splunk application containing several hunting dashboards and over 120 reports that will facilitate initial hunting indicators to investigate.

You need to be ingesting Sysmon data into Splunk; a good configuration can be found in the details.

Required actions after deployment:
  • Make sure the threathunting index is present on your indexers
  • Edit the macros to suit your environment
  • Install the required add-ons
  • Install the lookup CSVs or create them yourself; empty CSVs are here > https://github.com/olafhartong/ThreatHunting/raw/master/files/ThreatHunting.tar.gz

More documentation is available at > https://github.com/olafhartong/threathunting/wiki

This app is maintained on GitHub > https://github.com/olafhartong/threathunting


Note:
This application is not a magic bullet; it will require tuning and real investigative work to be truly effective in your environment.
Try to become best friends with your system administrators. They will be able to explain a lot of the initially discovered indicators.

Big credit goes out to MITRE for creating the ATT&CK framework!

Pull requests / issue tickets and new additions will be greatly appreciated!

MITRE ATT&CK

I strive to map all searches to the ATT&CK framework.
A current ATT&CK navigator export of all linked configurations is found here and can be viewed here

App Prerequisites

Install the following apps on your search head:

Required actions after deployment

  • Make sure the threathunting index is present on your indexers
  • Edit the macros to suit your environment > https://YOURSPLUNK/en-US/manager/ThreatHunting/admin/macros
  • The app is shipped without whitelist lookup files; you'll need to create them yourself, so that an upgrade of the app can't accidentally overwrite them. Install the lookup CSVs or create them yourself; empty CSVs are here
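Because the whitelist CSVs are deliberately not shipped, any macro that references a lookup you have not yet created will fail at search time. The following is an added example (not code from the ThreatHunting app) of a pre-flight check that parses a macros.conf-style file, finds every CSV referenced through `inputlookup`, and reports the ones missing from the app's lookups directory. Only the macro name `pipe_whitelist` and the idea of an index macro come from the page; the macro bodies, the name `threathunting_index` and the lookup column names are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample in the Splunk stanza/key=value format of macros.conf.
# Macro bodies are assumptions for illustration, not the app's real definitions.
SAMPLE_MACROS_CONF = """\
[threathunting_index]
definition = index=threathunting

[pipe_whitelist]
definition = search NOT [| inputlookup pipe_whitelist.csv | fields pipe_name]

[file_create_whitelist]
definition = search NOT [| inputlookup file_create_whitelist.csv | fields file_path]
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
LOOKUP_RE = re.compile(r"\binputlookup\s+(?P<file>[\w.-]+\.csv)\b")


def parse_macros(conf_text):
    """Return {macro_name: definition} from macros.conf-style text."""
    macros, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            continue
        if current and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "definition":
                macros[current] = value.strip()
    return macros


def referenced_lookups(macros):
    """Map each CSV referenced via inputlookup to the macros that use it."""
    refs = {}
    for name, definition in macros.items():
        for m in LOOKUP_RE.finditer(definition):
            refs.setdefault(m.group("file"), []).append(name)
    return refs


def missing_lookups(macros, lookups_dir):
    """Sorted (csv, [macros]) pairs for referenced CSVs absent from one lookups/ directory."""
    present = {p.name for p in Path(lookups_dir).glob("*.csv")}
    return sorted((csv, macs) for csv, macs in referenced_lookups(macros).items() if csv not in present)


def demo():
    """Simulate an app dir where only pipe_whitelist.csv has been created."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "pipe_whitelist.csv").write_text("pipe_name\n")
        return missing_lookups(parse_macros(SAMPLE_MACROS_CONF), d)
```

Run `demo()` to see the one lookup still missing; point `missing_lookups` at the app's real `lookups/` directory and `macros.conf` to check a deployment.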

Usage

A more detailed explanation of all functions can be found here

Release Notes

Version 1.5.1
Nov. 12, 2022

Updates 1.5.1

  • Changed "Windows Management Instrumentation" to WMI in the name of the [T1047] searches to get below the 100-character maximum name length
  • Added Splunk v9+ compliant version tags to dashboards
  • Changed dependency in requirements.csv from "Splunk Add-On for Microsoft Sysmon" to "Splunk Add-on for Sysmon"

Updates 1.5.0

New Features
- NEW REQUIREMENT: Event Timeline app
- GrantedAccess descriptions for the most common occurrences
- Rare process chains dashboard finished
- Search based drilldown dashboard Added
- The threathunting index is now customizable in a macro
- Lateral movement indicator dashboard overhaul, plus new panels
- User drilldown dashboard improved
- Network connection drilldown has clearer visualization for beaconing behavior, replaced punchcard by timeline visualization
- Updated the whitelist dashboards:
  - Added OriginalFileName mapping to file_name
  - Working new searches

Version 1.5.0
Nov. 22, 2021

Compatible with Sysmon 13.30

Added user fields to all panels
Added a File Prevalence dashboard (requires additional index to be created)
Added a Newly observed hashes dashboard
Added a Sysmon tuning dashboard
Several bug fixes
Updated the downloadable lookup files

Version 1.4.92
March 3, 2021

Maintenance release

New Features
- Splunk cloud compatible

Changes
- Rebuilt some dashboards to have a significant speed increase and more efficient searches
- Whitelisting has been improved

Tons of Bugfixes and code improvements

Special thanks to @contrablueteam / Outpost Security for addressing a lot of the issues

Version 1.4.4
July 28, 2020

New Features
- Rare process chains dashboard (still work in progress)
- Colors sprinkled throughout the app according to the ATT&CK Rainbow of Tactics

Changes
- Rebuilt some dashboards to have a significant speed increase and more efficient searches
- Changed the searches on the (Parent)ProcessGuid dashboards to have slightly less detail but a huge speed improvement

Bugfixes
- fixed a typo in the lookups
- Some time pickers didn't properly translate to drilldowns
- Overlap with Windows TA field mappings removed
- Fixed a faulty field name in one of the lookups
- Added the missing blank lookup files

Version 1.4.1
Aug. 7, 2019

New Features
- NEW REQUIREMENT: Link Analysis app >> LINK
- Initial mapping of Windows 4768/9 events in props.conf
- Pipe Drilldown dashboard
- File create whitelist macro
- File create Drilldown dashboard
- Added Stacking tools section
- Added Mitre ATT&CK stacking page
- Added DNS stacking page with beaconing detection
- Added DNS whitelist
- Added User drilldown page
- Added Macro drilldown dashboard
- Added 24 new searches
- Added Credits pane

Changes
- Renamed pipe_created_whitelist macro to pipe_whitelist
- Renamed pipe_created_whitelist csv to pipe_whitelist throughout the app
- Replaced the force directed visual by link analysis for network connection drilldown
- Added a few fields to props.conf, including Sysmon DNS events
- Extended T1218, T1216, T1081, T1075 searches
- Rebuilt the whitelisting, searches are a LOT quicker now and take less resources
- Added original_file_name to event_id 1 and 7
- Top triggered techniques drilldown changed to technique_id
- more details on GitHub

Version 1.3
May 19, 2019

Updates 1.3

New Features
- Added Technique and Host filtering options to the threat hunting overview page
- Added Timeline graph to the overview page
- Added Technique and Host filtering options to the MITRE ATT&CK overview page
- Added New Files created page, based on Sysmon event_id 11
- Added File Create whitelist editor page
- Initial mapping of Windows 4688 events in props.conf
- Added 4688 events to 70 reports
- Added indextime macro

Changes
- Automated search distribution
- Index time searches instead of _time
- Cleaned up the code a bit

Bugfixes
- Fixed the Tactics and Technique(ID) filters on the MITRE ATT&CK overview page
- Added the Initial Access tactic and properly sorted them on all pages
- Re-added the computer investigator page
- Changed sourcetype to source in macros

