From 7778de6190c462e0846991158561d8a2ea13b6ff Mon Sep 17 00:00:00 2001
From: Chris Long
Date: Tue, 23 Mar 2021 17:08:40 -0700
Subject: [PATCH] Fix ThreatHunting dashboard

https://github.com/clong/DetectionLab/issues/625
---
 Vagrant/resources/splunk_server/macros.conf | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/Vagrant/resources/splunk_server/macros.conf b/Vagrant/resources/splunk_server/macros.conf
index 60b99d6..4e0b0be 100644
--- a/Vagrant/resources/splunk_server/macros.conf
+++ b/Vagrant/resources/splunk_server/macros.conf
@@ -73,3 +73,17 @@ iseval = 0
 [indextime]
 definition = _index_earliest=-15m@m AND _index_latest=now
 iseval = 0
+
+[threathunting_assets_dns]
+definition = | inputlookup threathunting_asset_priority.csv \
+| rename host_fqdn as dns\
+| fields dns priority
+iseval = 0
+
+[process_granted_access_description]
+definition = eval process_granted_access_description=case(process_granted_access = "0x1fffff", "PROCESS_ALL_ACCESS",process_granted_access = "0x40", "PROCESS_DUP_HANDLE",process_granted_access = "0x40", "PROCESS_DUP_HANDLE(0x40) + PROCESS_VM_READ (0x0010)",process_granted_access = "0xc0", "PROCESS_DUP_HANDLE (0x40) + PROCESS_CREATE_PROCESS (0x80)",process_granted_access = "0x1010", "PROCESS_QUERY_LIMITED_INFORMATION (0x1000) + PROCESS_VM_READ (0x0010)", process_granted_access = "0x1410", "PROCESS_QUERY_LIMITED_INFORMATION (0x1000) + PROCESS_QUERY_INFORMATION (0x0400) + PROCESS_VM_READ (0x0010)",process_granted_access = "0x1001", "PROCESS_QUERY_LIMITED_INFORMATION (0x1000) + PROCESS_TERMINATE (0x0001)")
+iseval = 0
+
+[threathunting_index]
+definition = index=threathunting
+iseval = 0
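Review bot: In the new `[process_granted_access_description]` stanza the `case()` tests `process_granted_access = "0x40"` twice, so the second branch labelled `PROCESS_DUP_HANDLE(0x40) + PROCESS_VM_READ (0x0010)` is dead (`case()` returns the first matching pair) and its label does not describe 0x40 anyway, since 0x40 combined with 0x0010 is 0x50. Presumably that condition was meant to read `process_granted_access = "0x50", "PROCESS_DUP_HANDLE (0x40) + PROCESS_VM_READ (0x0010)"`. Every branch is an exact literal match with no default, so any access mask not in the list evaluates to null and the description field simply vanishes for that event; appending a final pair such as `true(), process_granted_access` would keep the raw mask visible for unlisted values, which is what an analyst needs when triaging handle-access events rather than a blank cell. The stanza is a single long line in macros.conf; splitting the `case()` arguments across `\`-continued lines as `[threathunting_assets_dns]` already does would make future mask additions reviewable.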