topic Re: Splunk 5.x App for Microsoft Windows: What is this "app=win:unknown" being captured in 63% of Windows security logs in Splunk? in All Apps and Add-ons

Splunk 5.x App for Microsoft Windows: What is this "app=win:unknown" being captured in 63% of Windows security logs in Splunk?

mohammed7860 — Fri, 19 Aug 2016 20:05:46 GMT

Hi Splunkers

I am getting this value of field app=win:unknown being captured in 63% of Windows security logs in Splunk. What does it mean?

Other values for app fields are :

win:remote
win:local

Thanks,
Mohammed

Re: Splunk 5.x App for Microsoft Windows: What is this "app=win:unknown" being captured in 63% of Windows security logs in Splunk?

AskhatA — Sat, 25 Nov 2017 05:32:34 GMT

Is here any solution for decribed problem?
We had the same and + action=unknown, user=unknown.
Tried to solve problem by adding field aliases, but didn't found filed aliases for action and "win:unknown".

Re: Splunk 5.x App for Microsoft Windows: What is this "app=win:unknown" being captured in 63% of Windows security logs in Splunk?

mwarvi — Tue, 29 Sep 2020 16:57:43 GMT

This is how we got it working thanks to help from PS:

In the Splunk_TA_Windows\lookups\windows_apps.csv, you'll have to manually add any Windows event codes and what type of app you want it to show up as. Here's a small snippet from our's:

4674,,,,,win:security
4957,,,,,win:firewall
4768,,,,,win:kerberos
4958,,,,,win:useless
4793,,,,,win:security
4611,,,,,win:auth
4702,,,,,win:schedule
4932,,,,,win:adsync

Re: Splunk 5.x App for Microsoft Windows: What is this "app=win:unknown" being captured in 63% of Windows security logs in Splunk?

Richfez — Tue, 28 Nov 2017 23:58:44 GMT

Is there any way you could paste in one of those events here?

Re: Splunk 5.x App for Microsoft Windows: What is this "app=win:unknown" being captured in 63% of Windows security logs in Splunk?

tomasmoser — Wed, 17 Jan 2018 10:33:06 GMT

Hi mwarvi,

Can you please share your csv with me? I stumbled upon the same issue. Thank you so much.

tomas.moser@alef.com

Best regards,
Tomas

Re: Splunk 5.x App for Microsoft Windows: What is this "app=win:unknown" being captured in 63% of Windows security logs in Splunk?

mwarvi — Tue, 29 Sep 2020 17:44:34 GMT

Here's another snippet with the headers in it, The app is just plain test that we decided on here so you can call it whatever you want. The file should already be there as I believe the app iitself uses it.

It's a very manual process where you just have to go through each event code you want and make up an app for it.

EventCode,Source_Network_Address,Target_Server_Name,Logon_Type,sourcetype,app
552,,,,,win:remote
4648,,,,,win:remote
4663,,,,,win:fileaccess
5157,,,,,win:firewall
5145,,,,,win:fileaccess
4656,,,,,win:fileaccess
5158,,,,,win:firewall
4690,,,,,win:fileaccess
4776,,,,,win:auth
4672,,,,,win:auth
5152,,,,,win:firewall
5156,,,,,win:firewall
5447,,,,,win:firewall

Re: Splunk 5.x App for Microsoft Windows: What is this "app=win:unknown" being captured in 63% of Windows security logs in Splunk?

jbillings — Tue, 29 Sep 2020 22:39:53 GMT

I believe the windows_apps.csv changes would be overwritten when you update the Splunk_TA_Windows.

Re: Splunk 5.x App for Microsoft Windows: What is this "app=win:unknown" being captured in 63% of Windows security logs in Splunk?

Anonymous — Thu, 21 Mar 2019 13:40:38 GMT

Hi I am also having this same issue.
Would it be possible to get a complete listing for this csv file?

Re: Splunk 5.x App for Microsoft Windows: What is this "app=win:unknown" being captured in 63% of Windows secu

akyz — Thu, 12 May 2022 18:07:45 GMT

Manual intervention. Need lookup the Event ID's that are showing as win:uknown and correlate them with their respective category. Once you look up the Event ID/Category you add them manually to windows_apps.csv.