Field EventDescription and Splunk Add-on for Sysmon

altink
Builder

Dear Support

I have downloaded Splunk Add-on for Sysmon.
I am also using Sysmon App for Splunk, which requires the former.

My Sysmon data are stored in an index named os_sysmon.

Some dashboards of Sysmon App for Splunk show up empty, because they rely on a field named EventDescription.

I checked the deployment of Splunk Add-on for Sysmon, under the lookups folder, and found there a file named microsoft_sysmon_eventcode.csv, just as the doc "Lookups for the Splunk Add-on for Sysmon" says:

The file is populated with 28 entries and has two fields:
EventCode and EventDescription

When I search my index:
index=os_sysmon

I do get the field EventCode, but not EventDescription
(the same goes for the lookup file microsoft_sysmon_record_type.csv: I do have record_type but not record_type_name).

Now, the Sysmon App for Splunk has only one macro, named sysmon, with an original sourcetype=....., which I changed to index=sysmon.

There is no attempt to derive any EventDescription field from EventCode via the lookup file.

It seems strange that the developers of Sysmon App for Splunk forgot to create (eval) the used field EventDescription from EventCode (via lookup) in their only macro.

Should I do it myself there, or is it something to fix in Splunk Add-on for Sysmon, and how?

best regards
Altin


PickleRick
SplunkTrust

This is not Splunk Support. This is a community-driven forum.


_JP
Contributor

The lookup can be there, but it might not be defined as an Automatic Lookup. Take a look at your lookup configurations for the Sysmon app: an automatic lookup could be defined there and disabled. You can also define your own.

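To make the "define your own" route concrete, here is an added example of what such an automatic lookup looks like in Splunk's configuration files. It is not the add-on's or the app's own configuration: the lookup definition names (microsoft_sysmon_eventcode, microsoft_sysmon_record_type) and the sourcetype in the props.conf stanza are assumptions, so substitute the names and sourcetype your deployment actually uses. The field names (EventCode, EventDescription, record_type, record_type_name) and CSV file names are the ones from the question.

```ini
# Added example, not the Splunk Add-on for Sysmon's own files.
# Two separate files are shown here in one listing; put each stanza in the
# file named in its section header, under an app's local/ directory that is
# visible to the app running the search (e.g. the Sysmon App for Splunk).
#
# Assumptions (verify against your deployment):
#   - the CSVs live in <app>/lookups/ under the file names given in the question
#   - your Sysmon events carry the sourcetype used in the props.conf stanza
#     (check with:  index=os_sysmon | stats count by sourcetype)

# ---- transforms.conf : lookup definition = name -> CSV file ----
[microsoft_sysmon_eventcode]
filename = microsoft_sysmon_eventcode.csv

[microsoft_sysmon_record_type]
filename = microsoft_sysmon_record_type.csv

# ---- props.conf : automatic lookups, keyed on the sourcetype ----
# An automatic lookup only fires for events that match the stanza it sits in
# (here: a sourcetype). Events indexed under any other sourcetype get no
# EventDescription, regardless of which index they are in.
# OUTPUTNEW fills the field only if it is not already present; OUTPUT would
# overwrite an existing field of the same name.
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
LOOKUP-sysmon_eventcode   = microsoft_sysmon_eventcode EventCode OUTPUTNEW EventDescription
LOOKUP-sysmon_record_type = microsoft_sysmon_record_type record_type OUTPUTNEW record_type_name
```

Before adding anything, check that the lookup itself resolves when called explicitly, e.g. `index=os_sysmon | lookup microsoft_sysmon_eventcode EventCode OUTPUTNEW EventDescription | stats count by EventCode, EventDescription` (definition name assumed as above). If that populates the field but the plain `index=os_sysmon` search does not, the usual causes are that the automatic lookup's stanza is keyed to a sourcetype your events do not carry, or that the add-on's lookup definition and automatic lookup are shared only within the add-on (Settings > Lookups, Permissions: "This app only") and so are invisible to searches run from the Sysmon App. Note also that the app's macro being changed from a sourcetype to an index does not affect this: automatic lookups are attached to the sourcetype/source/host stanza, never to the index.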

unionub
Loves-to-Learn

Hi @_JP 

There are two automatic lookups (for the two CSVs) under Splunk Add-on for Sysmon.
Both are enabled.

The one I am interested in looks like this:
lookup.jpg
