Hello Splunkers,
Not sure if "enriching" is the right term to use but I'm hoping someone can point me in the direction of some documentation that will help me get more information into, and out of, a dashboard panel.
The "Infosec app for Splunk" has an "All Authentications" dashboard. (Infosec app>Continuous Monitoring>All Authentications) On that dashboard there is a panel that is titled "Authentication Attempts by Application"
The search powering the panel is
| tstats summariesonly=true allow_old_summaries=true count from datamodel=Authentication.Authentication where Authentication.app="*" Authentication.action=* by Authentication.app
| rename "Authentication.*" as "*"
The results I get look like this:
app          count
win:local      690
win:remote    8328
win:unknown   8784
Is there any way I can get this to identify the actual app?
Looking through the settings I see that the "Authentication.app" field is calculated using an eval expression (below), by the Authentication data model.
if(isnull(app) OR app="",sourcetype,app)
I'm not sure if this is what needs to be adjusted, and I'm terrible with eval expressions and regex, so rather than mess something up I thought I would ask here first. Any help is greatly appreciated.
System details:
Stand-alone Splunk Enterprise
Version: 7.3.0
Build: 657388c7a488
CIM: 4.14.0
Some of the installed Add-ons/Apps:
Microsoft Sysmon Add-on
Microsoft Windows DHCP add-on for Splunk
Splunk Add-on for Microsoft Windows
Splunk Add-on for Microsoft Windows DNS
Splunk Add-on for PowerShell
Splunk App for Windows Infrastructure
Splunk Supporting Add-on for Active Directory
Sysmon App for Splunk
Hi @eliasit, this may help:
win:unknown is taken by InfoSec from the accelerated data model called Authentication, app field of your data. win:local, win:remote and win:unknown are in the app field. Most of those come from Windows Security logs handled by the Add-on for Windows. You can check the app field by running a search like this:
index=* tag=authentication | stats count by app
You've likely figured out all of the above steps on your own. Now you can decide what kind of app info you want to see in your authentication data and whether that data actually exists in your raw authentication events. If the data exists, you can create a calculated field.
If you have a suggestion, please share what kind of app info you would like to see from your data sources.
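As an added example that is not part of this thread and not code from Splunk or its add-ons, the Python below models the chain that produces the panel's app values: a hypothetical add-on stage that sets win:* values from Logon_Type, then the CIM eval quoted in the question (if(isnull(app) OR app="",sourcetype,app)), then a lookup keyed on a field the raw event actually carries. The sample events, the LOGON_TYPE_TO_APP mapping and the ENRICH_LOOKUP table are constructed assumptions, not the real add-on's lookup contents. It also includes the check the answer above recommends: measuring whether the field you want to enrich on is actually present in the raw events before building a lookup on it.

```python
# Added illustration of the Authentication.app derivation chain; not Splunk code.
from collections import Counter

# Constructed sample events, loosely shaped like Windows Security 4624/4625 logs
# after field extraction (field names are assumptions).
SAMPLE_EVENTS = [
    {"sourcetype": "WinEventLog:Security", "EventCode": "4624", "Logon_Type": "2", "process_name": "winlogon.exe"},
    {"sourcetype": "WinEventLog:Security", "EventCode": "4624", "Logon_Type": "3", "process_name": "svchost.exe"},
    {"sourcetype": "WinEventLog:Security", "EventCode": "4625", "Logon_Type": "10", "process_name": "svchost.exe"},
    {"sourcetype": "WinEventLog:Security", "EventCode": "4624", "Logon_Type": "", "process_name": "lsass.exe"},
    {"sourcetype": "XmlWinEventLog:Security", "EventCode": "4624", "Logon_Type": "3", "process_name": "", "app": "vpn:portal"},
    {"sourcetype": "linux_secure"},  # no app field at all: exercises the CIM fallback
]

# Hypothetical add-on mapping from Logon_Type to the win:* values seen in the panel.
LOGON_TYPE_TO_APP = {"2": "win:local", "3": "win:remote", "10": "win:remote"}


def addon_app(event):
    """Stage 1 (assumed add-on behaviour): Windows Security events get a win:* app
    from Logon_Type, falling back to win:unknown; other events keep whatever app they have."""
    if event.get("app"):
        return event["app"]
    if event.get("sourcetype", "").endswith("Security"):
        return LOGON_TYPE_TO_APP.get(event.get("Logon_Type", ""), "win:unknown")
    return ""


def cim_app(app, sourcetype):
    """Stage 2: the CIM Authentication eval from the question,
    if(isnull(app) OR app="",sourcetype,app). It only fires when app is empty,
    which for the Windows events never happens because stage 1 already set it."""
    if app is None or app == "":
        return sourcetype
    return app


def field_present_rate(events, field):
    """Share of events carrying a non-empty value for `field`: the check to run
    before keying a lookup on that field."""
    if not events:
        return 0.0
    return sum(1 for e in events if e.get(field)) / len(events)


# Hypothetical enrichment lookup keyed on a raw field (process_name) the events carry.
ENRICH_LOOKUP = {
    "winlogon.exe": "Windows Interactive Logon",
    "svchost.exe": "Windows Network Logon",
}


def enrich(event):
    """Stage 3: replace a generic win:* value with a lookup hit on a raw field.
    Events whose key is missing from the lookup keep their win:* value."""
    app = cim_app(addon_app(event), event.get("sourcetype", ""))
    key = event.get("process_name", "")
    if app.startswith("win:") and key in ENRICH_LOOKUP:
        return ENRICH_LOOKUP[key]
    return app


def count_by_app(events, enriched=False):
    """Equivalent of the panel's `... count by app`, before or after enrichment."""
    if enriched:
        return Counter(enrich(e) for e in events)
    return Counter(cim_app(addon_app(e), e.get("sourcetype", "")) for e in events)


if __name__ == "__main__":
    print("process_name present in", field_present_rate(SAMPLE_EVENTS, "process_name"), "of events")
    print("before:", dict(count_by_app(SAMPLE_EVENTS)))
    print("after: ", dict(count_by_app(SAMPLE_EVENTS, enriched=True)))
```

The point the model makes explicit is that editing the CIM eval cannot expose more detail for the Windows events: by the time it runs, app is already win:local/win:remote/win:unknown, so the eval's sourcetype fallback never triggers for them. More detail has to come from a field that is present in the raw event (hence the presence-rate check) and a lookup or calculated field keyed on it.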
I don't know why searching "windows data enrichment" doesn't find this Best Practice guide but anyway...
For anyone looking for more ways to enrich your Windows data this guide is fantastic.
"What are the Splunk apps and add-ons for Microsoft technologies, and what do I use them for?"
https://answers.splunk.com/answers/722418/what-are-the-splunk-apps-and-add-ons-for-microsoft.html
Hi @igifrin
Thanks for the info. Running the search returned only the win:xxx values. Using the info you provided I found the lookup file (see below) used to populate this field and the various lookups that use it. Now I just need to modify the lookup. Because I was in the Infosec app I never would have thought to check the Windows add-ons.
Thanks again!
In case anyone else is looking, this is where I found it.