topic Re: Authentication CIM tags and mapping in Splunk Enterprise Security

Authentication CIM tags and mapping

gwes77 — Wed, 30 Sep 2020 03:14:39 GMT

Hello all,

I need help manually mapping a log source that has no supported add on. I entered in two event types with tags to ID which log is a failed login and which is a successful login. They are listed below.

Search: index=index sourcetype=logsource LoginSuccessful=0 Tags: authentication, failure
Search: index=index sourcetype=logsource LoginSuccessful=1 Tags: authentication, success

But in the Auth DM fields, it is showing every event as Authentication.is_Failed_Authentication and every event as Authentication.is_Successful_Authentication. Can someone send me the link to the right mapping doc in Splunk or describe what I am missing here. Do I need to enter a field alias as well?

Thank you

Re: Authentication CIM tags and mapping

javierg — Tue, 25 Jul 2023 03:37:00 GMT

Hi bro sorry for the late reply went to go make dinner for four years.

If I understand your issue correctly, you are having issues finding your authentication CIM via data model search.

In order to map your authentication logs to authentication CIM, you can add the following lines into your tags.conf file (located in TA):
[eventtype=[..]]
authentication = enabled

If you are unsure of your eventtype, you should also have eventtypes.conf where you can map the sourcetype to eventtype.

Hope this clarifies your doubts, I will go eat my dinner now.

Re: Authentication CIM tags and mapping

meetmshah — Mon, 31 Jul 2023 20:16:28 GMT

Hello @gwes77, Can you please confirm what's the value of the action field? Because both, success and failed authentication does have "(`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$)" in common but not action. Below screenshots for your reference -