ThreatHunting is a Splunk application containing several dashboards and over 120 reports that will facilitate initial hunting indicators to investigate.
You obviously need to be ingesting Sysmon data into Splunk, a good configuration can be found here
Note: This application is not a magic bullet, it will require tuning and real investigative work to be truly effective in your environment. Try to become best friends with your system administrators. They will be able to explain a lot of the initially discovered indicators.
Install the following apps to your SearchHead:
- Add-on for Microsoft Sysmon
- Punchcard Visualization
- Force Directed Visualization
- Sankey Diagram Visualization
- Lookup File Editor
- Make sure the threathunting index is present on your indexers
- Edit the macro’s to suit your environment > https://YOURSPLUNK/en-US/manager/ThreatHunting/admin/macros (make sure the sourcetype is correct)
- The app is shipped without whitelist lookup files, you’ll need to create them yourself. This is so you won’t accidentally overwrite them on an upgrade of the app.
- Install the lookup csv’s or create them yourself, empty csv’s are here
A step by step guide kindly written by Kirtar Oza can be found here