host_fqdn field not correctly extracted due to TA-windows new versions #102

Open
timo92700 opened this issue Sep 19, 2022 · 6 comments

timo92700 commented Sep 19, 2022

Hello everyone,
It appears that the "host_fqdn" field evaluation in props.conf for the stanza "WinEventLog:Microsoft-Windows-Sysmon/Operational" (and also the XML one) is based on the "Computer" field, but TA-windows seems to have renamed this field to "ComputerName" for a few versions now (I'm running TA-windows v8.2.0).
This issue causes 90% of the dashboards not to work at all.
You have to edit props.conf as below to make it work again correctly (in both the WinEventLog:Micro**** and XMLWinEventLog:Micro**** stanzas if needed):
[screenshot of the props.conf edit]

Could you please fix the issue in the application?
Thanks and regards,

@timo92700 timo92700 changed the title host_fqdn fields not correctly extracted host_fqdn field not correctly extracted due to TA-windows new versions Sep 19, 2022
dstaulcu (Contributor) commented Sep 22, 2022

host_fqdn seems to be extracting reliably for me for sysmon events on my splunk server dedicated to the ThreatHunting app and its dependencies.

I have Splunk_TA_windows v8.50 and Splunk_TA_microsoft_sysmon v3.0.0. What are you running?

In your inputs.conf stanza for sysmon:

  • do you have renderXml set to 1 or true?
  • do you have the source spec set to "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"?

Looking at btool output for props lines containing the terms wineventlog or host_fqdn, it seems that host_fqdn is derived from the Computer field. I don't see a source of conflict when inputs are configured as expected in inputs.conf.

[screenshot of btool props output]

Now there does seem to be an issue for other sources at least for me. I know I should change my rendering of PowerShell logs to XML because important context is missing otherwise. Not sure what renderings are expected for others.

[screenshot of the field issue for other sources]

dstaulcu (Contributor) commented Sep 22, 2022

I've submitted PR #103 as a proposed change to handle the issue no matter what WinEventLog rendering type the sources of interest have.

[screenshot of the PR #103 change]

timo92700 (Author) commented
Hello, thank you for your answer.
We are using the WinEventLog sourcetype and not XmlWinEventLog (renderXml is false in inputs.conf) for Sysmon collection.
It may explain why the Computer field does not exist: it seems not to exist in the non-XML sourcetype (as in the latest screenshot).
If someone else can confirm :)
Thanks and regards
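The following Python is an added illustration of the two points made in this thread (the inputs.conf settings asked about above, and the observation that the classic rendering exposes ComputerName where the XML rendering exposes Computer). It is not code from the issue, the ThreatHunting app, or either Splunk TA. Both sample events, the host name ws01.corp.example and the inputs.conf stanzas are constructed; the "coalesce" variant of the host_fqdn derivation is an assumed fix for comparison, not the content of PR #103; and the stanza check assumes the TA-prescribed settings are exactly renderXml on plus the XmlWinEventLog:... source name quoted in the comment above.

```python
import configparser
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed sample: a Sysmon EventID 1 in the classic (renderXml=0) rendering.
# Header keys are the point; the body is abbreviated and the host name is made up.
CLASSIC_EVENT = """\
09/19/2022 10:15:03 AM
LogName=Microsoft-Windows-Sysmon/Operational
EventCode=1
ComputerName=ws01.corp.example
SourceName=Microsoft-Windows-Sysmon
RecordNumber=12345
Message=Process Create:
RuleName: -
Image: C:\\Windows\\System32\\cmd.exe
"""

# The same constructed event in the XML (renderXml=1) rendering.
XML_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>1</EventID>"
    "<Computer>ws01.corp.example</Computer><EventRecordID>12345</EventRecordID>"
    "</System><EventData><Data Name='RuleName'>-</Data>"
    "<Data Name='Image'>C:\\Windows\\System32\\cmd.exe</Data></EventData></Event>"
)
WINEVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed inputs.conf stanzas: the first follows the settings asked about in
# the thread (renderXml on, XmlWinEventLog source name), the second does not.
GOOD_INPUTS = """\
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = 1
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
"""
BAD_INPUTS = GOOD_INPUTS.replace("renderXml = 1", "renderXml = 0").replace("= Xml", "= ")


def classic_fields(raw: str) -> Dict[str, str]:
    """Collect the 'Key=Value' header lines of the classic rendering (stops at Message=)."""
    fields: Dict[str, str] = {}
    for line in raw.splitlines():
        m = re.match(r"^([A-Za-z]+)=(.*)$", line)
        if not m:
            continue
        if m.group(1) == "Message":
            break
        fields[m.group(1)] = m.group(2).strip()
    return fields


def xml_fields(raw: str) -> Dict[str, str]:
    """Collect the <System> child elements of the XML rendering, keyed by tag name."""
    system = ET.fromstring(raw).find("e:System", WINEVT_NS)
    fields: Dict[str, str] = {}
    for child in system:
        if child.text and child.text.strip():
            fields[child.tag.rsplit("}", 1)[-1]] = child.text.strip()
    return fields


def host_fqdn_from_computer(fields: Dict[str, str]) -> Optional[str]:
    """The derivation the issue reports: host_fqdn taken from Computer only."""
    return fields.get("Computer")


def host_fqdn_any_rendering(fields: Dict[str, str]) -> Optional[str]:
    """Rendering-independent variant (assumed): coalesce(Computer, ComputerName)."""
    return fields.get("Computer") or fields.get("ComputerName")


def sysmon_input_ok(inputs_conf: str) -> bool:
    """True when the Sysmon stanza renders XML and names its source XmlWinEventLog:..."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case so renderXml is found as written
    cp.read_string(inputs_conf)
    stanza = "WinEventLog://Microsoft-Windows-Sysmon/Operational"
    if not cp.has_section(stanza):
        return False
    render = cp.get(stanza, "renderXml", fallback="0").strip().lower()
    source = cp.get(stanza, "source", fallback="")
    return render in ("1", "true") and source == "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"


if __name__ == "__main__":
    for name, fields in (("classic", classic_fields(CLASSIC_EVENT)), ("xml", xml_fields(XML_EVENT))):
        print(name, "Computer-only:", host_fqdn_from_computer(fields),
              "coalesced:", host_fqdn_any_rendering(fields))
    print("inputs.conf ok:", sysmon_input_ok(GOOD_INPUTS), sysmon_input_ok(BAD_INPUTS))
```

Run stand-alone it shows the classic rendering yielding no host_fqdn under the Computer-only derivation while the coalesced one recovers it, and the stanza check flags the non-XML input. The check is a linter for your own inputs.conf before blaming the app; the coalesce variant only shows the shape of a rendering-independent eval and does not replace following the TA's input spec, which the thread recommends for the other missing extractions.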

dstaulcu (Contributor) commented
No problem. I think you will find that a few other field extractions are missing if you continue down the non-XML route for Sysmon. I'd bite the bullet and adapt to the input spec standard for Sysmon prescribed in its TA.

timo92700 (Author) commented
Ok, thanks!
Maybe warn the users in the README/documentation of the ThreatHunting app that the XML sourcetype for Sysmon collection is preferable for it to work correctly.

dstaulcu (Contributor) commented
That is a good idea. I stumbled on this sort of issue at first as well and I have many years of experience with sysmon and splunk.
I'd suggest forking this repository and submitting a pull request having your requested changes. I am not the owner of the repository.
