topic I am setting up Authentication datamodel that have Default, insecure and Privileged Authentication in Splunk Enterprise Security

I am setting up Authentication datamodel that have Default, insecure and Privileged Authentication

ngwodo — Mon, 11 Oct 2021 17:01:21 GMT

How will I set up a data model that has Authentication and sub-sessions Default, insecure and Privileged Authentication data model. It uses action of a sucess and failure. I am using the following splunk query:

(`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$) NOT "pam_unix(sshd:auth): authentication failure;"

Is there anything wrong with the above query or how can I make it to work?

Re: I am setting up Authentication datamodel that have Default, insecure and Privileged Authentication

richgalloway — Mon, 11 Oct 2021 17:06:24 GMT

The CIM app supplies the Authentication datamodel. Once you've installed the app, make sure your data uses the CIM fields. Add EVAL or FIELDALIAS props as necessary.

Re: I am setting up Authentication datamodel that have Default, insecure and Privileged Authentication

ngwodo — Mon, 11 Oct 2021 17:57:51 GMT

Thanks for the above reply but what would be the eval expressions and field alias? Are mine going to have it for each of those authentication data model i.e. Default, Insecure and Privileged? Where will put the success and failure tags for the data model?

Re: I am setting up Authentication datamodel that have Default, insecure and Privileged Authentication

richgalloway — Mon, 11 Oct 2021 18:32:54 GMT

The EVAL and FIELDALIAS settings would like something like this. Put them in the appropriate props.conf file.

[mysourcetype] EVAL-vendor_product = "Microsoft Windows" FIELDALIAS-src_ip = src_ip=src_ip_address

Once a CIM field is defined it is available for use in all parts of a datamodel.

To tag the data, create an eventtype that extracts what the datamodel is looking for then add the appropriate tag to that eventtype.