All Apps and Add-ons

ES/third man user is being picked up as unknown?

cdupuis123
Path Finder

Description:

User unknown successfully authenticated to unknown from unknown via unknown, which is unusual and likely indicates a compromised account

0 Karma

splunk-support0
Explorer

Version 2.0.1 is now available. Please upgrade from Splunkbase: https://splunkbase.splunk.com/app/2830/

N.B. The correlation search is now in its own app - please see the documentation for more details.

0 Karma

tskinnerivsec
Contributor

This is typically a symptom of automated field extractions not being applied to sourcetypes correctly before they get mapped into the datamodels that Enterprise Security uses. This is part of the tuning process when you install/configure enterprise security. Make sure that all your authentication related events are sourcetyped correctly so that the field extractions and tagging occurs properly. To troubleshoot this, you will have to take a look at the raw event logs, see what sourcetype they are assigned to and find the Technology Addon that formats/parses that data. Make sure that the appropriate Technology Add on has field extractions configured in props.conf and transforms.conf, if needed, you can customize these under the /local directory of the Technology Addon. (or create your own Technology Addon if it is a custom datasource, there is a decent elearning module on splunk.com that explains what goes into creating a Technology Addon)

0 Karma

doksu
Contributor

Could you please provide more detail? Is that the description of a notable event in the Incident Review dashboard? If you view the event that triggered it, are the CIM fields correct? (ie. not "unknown, "unknown", etc.)

0 Karma

cdupuis123
Path Finder

yes, that description is from the notable event in the IR dash. The CIM tags don't have unknown.?.? Would love to make this work in my environment! Wicked cool idea.....

0 Karma

doksu
Contributor

The Incident Review "description" is generated by this code in SA-ThreatIntelligence/appserver/static/js/components/incident_review/eventsviewer/table/body/row/IREventFields.js

<%= data.autoLink(data.getFieldValue(data.m, mv_field)) %>

But, I'm unsure about where the 'data' object above is coming from..

I suspect that although ES has the ability to support third-party correlation searches, its default.meta import argument prevent third-party apps' correlation searches from being entirely "visible" to ES. Given this is the first third-party correlation search on Spunkbase (that I'm aware of) , it's uncharted territory and ES is a complex collection of inter-dependant components. I'll raise this with some folks to see if we can get an ES developer to advise.

0 Karma

doksu
Contributor

Hmm, seems that the tokens aren't populating. I'll have a look at it tomorrow and get back to you; I'm currently in the middle of maintenance upgrading 30 Splunk servers.. 🙂

0 Karma
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...