Description:
User unknown successfully authenticated to unknown from unknown via unknown, which is unusual and likely indicates a compromised account
Version 2.0.1 is now available. Please upgrade from Splunkbase: https://splunkbase.splunk.com/app/2830/
N.B. The correlation search is now in its own app - please see the documentation for more details.
This is typically a symptom of automated field extractions not being applied to sourcetypes correctly before they get mapped into the data models that Enterprise Security uses. This is part of the tuning process when you install/configure Enterprise Security. Make sure that all your authentication-related events are sourcetyped correctly so that the field extractions and tagging occur properly. To troubleshoot this, you will have to take a look at the raw event logs, see what sourcetype they are assigned to, and find the Technology Add-on that formats/parses that data. Make sure that the appropriate Technology Add-on has field extractions configured in props.conf and transforms.conf; if needed, you can customize these under the /local directory of the Technology Add-on (or create your own Technology Add-on if it is a custom data source; there is a decent e-learning module on splunk.com that explains what goes into creating a Technology Add-on).
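As an added illustration of the fix this answer describes (not configuration from the app discussed here, nor the poster's own): a search-time extraction for a constructed sourcetype that yields the field names the CIM Authentication data model expects, plus the eventtype and tag that route the events into that model. The add-on name, sourcetype, and log format are assumptions.

```ini
# Added example; hypothetical add-on TA-example-auth, files under its /local directory.
# Constructed sample events the regex below is written for:
#   2024-03-01T10:15:02Z sshd[1234]: Accepted publickey for alice from 10.1.2.3 host=bastion01
#   2024-03-01T10:15:09Z sshd[1234]: Failed password for invalid user bob from 198.51.100.7 host=bastion01

# ---- props.conf ----
[example:auth]
# Search-time extraction that names the groups with the CIM Authentication
# field names (user, src, dest) directly, so no FIELDALIAS is needed for them.
# The optional "invalid user" phrase is skipped so failed logins extract the same way.
EXTRACT-auth_fields = (?<outcome>Accepted|Failed)\s+(?<auth_method>\S+)\s+for\s+(?:invalid user\s+)?(?<user>\S+)\s+from\s+(?<src>\S+)\s+host=(?<dest>\S+)
# Calculated fields for the remaining CIM fields the data model and the
# notable description rely on (action, app); "unknown" in the description
# is what you see when these end up null.
EVAL-action = if(outcome="Accepted", "success", "failure")
EVAL-app = "sshd"

# ---- eventtypes.conf ----
# Eventtypes are evaluated after calculated fields, so action is usable here.
[example_auth_success]
search = sourcetype=example:auth action=success

[example_auth_failure]
search = sourcetype=example:auth action=failure

# ---- tags.conf ----
# The Authentication data model only picks up events carrying the
# "authentication" tag; without it the extractions above never reach ES.
[eventtype=example_auth_success]
authentication = enabled

[eventtype=example_auth_failure]
authentication = enabled
```

After deploying, confirm in the Authentication data model that user, src, dest and app are populated for these events before relying on the correlation search; any field still null will surface as "unknown" in the notable description.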
Could you please provide more detail? Is that the description of a notable event in the Incident Review dashboard? If you view the event that triggered it, are the CIM fields correct? (i.e., not "unknown", "unknown", etc.)
Yes, that description is from the notable event in the IR dash. The CIM tags don't have "unknown"? Would love to make this work in my environment! Wicked cool idea...
The Incident Review "description" is generated by this code in SA-ThreatIntelligence/appserver/static/js/components/incident_review/eventsviewer/table/body/row/IREventFields.js
<%= data.autoLink(data.getFieldValue(data.m, mv_field)) %>
But I'm unsure about where the 'data' object above is coming from.
I suspect that although ES has the ability to support third-party correlation searches, its default.meta import argument prevents third-party apps' correlation searches from being entirely "visible" to ES. Given this is the first third-party correlation search on Splunkbase (that I'm aware of), it's uncharted territory and ES is a complex collection of interdependent components. I'll raise this with some folks to see if we can get an ES developer to advise.
Hmm, seems that the tokens aren't populating. I'll have a look at it tomorrow and get back to you; I'm currently in the middle of maintenance, upgrading 30 Splunk servers... 🙂