All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

ES/third man user is being picked up as unknown?

cdupuis123
Path Finder
‎08-19-2015 06:07 AM

Description:

User unknown successfully authenticated to unknown from unknown via unknown, which is unusual and likely indicates a compromised account

0 Karma
Reply

splunk-support0
Explorer
‎03-29-2016 06:21 PM

Version 2.0.1 is now available. Please upgrade from Splunkbase: https://splunkbase.splunk.com/app/2830/

N.B. The correlation search is now in its own app - please see the documentation for more details.

0 Karma
Reply

tskinnerivsec
Contributor
‎08-19-2015 06:42 AM

This is typically a symptom of automated field extractions not being applied to sourcetypes correctly before they get mapped into the datamodels that Enterprise Security uses. This is part of the tuning process when you install/configure enterprise security. Make sure that all your authentication related events are sourcetyped correctly so that the field extractions and tagging occurs properly. To troubleshoot this, you will have to take a look at the raw event logs, see what sourcetype they are assigned to and find the Technology Addon that formats/parses that data. Make sure that the appropriate Technology Add on has field extractions configured in props.conf and transforms.conf, if needed, you can customize these under the /local directory of the Technology Addon. (or create your own Technology Addon if it is a custom datasource, there is a decent elearning module on splunk.com that explains what goes into creating a Technology Addon)

0 Karma
Reply

doksu
Contributor
‎08-19-2015 06:17 AM

Could you please provide more detail? Is that the description of a notable event in the Incident Review dashboard? If you view the event that triggered it, are the CIM fields correct? (ie. not "unknown, "unknown", etc.)

0 Karma
Reply

cdupuis123
Path Finder
‎08-19-2015 06:33 AM

yes, that description is from the notable event in the IR dash. The CIM tags don't have unknown.?.? Would love to make this work in my environment! Wicked cool idea.....

0 Karma
Reply

doksu
Contributor
‎09-02-2015 05:01 PM

The Incident Review "description" is generated by this code in SA-ThreatIntelligence/appserver/static/js/components/incident_review/eventsviewer/table/body/row/IREventFields.js

<%= data.autoLink(data.getFieldValue(data.m, mv_field)) %>

But, I'm unsure about where the 'data' object above is coming from..

I suspect that although ES has the ability to support third-party correlation searches, its default.meta import argument prevent third-party apps' correlation searches from being entirely "visible" to ES. Given this is the first third-party correlation search on Spunkbase (that I'm aware of) , it's uncharted territory and ES is a complex collection of inter-dependant components. I'll raise this with some folks to see if we can get an ES developer to advise.

0 Karma
Reply

doksu
Contributor
‎08-19-2015 06:55 AM

Hmm, seems that the tokens aren't populating. I'll have a look at it tomorrow and get back to you; I'm currently in the middle of maintenance upgrading 30 Splunk servers.. 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...