Not sure if "enriching" is the right term to use but I'm hoping someone can point me in the direction of some documentation that will help me get more information into, and out of, a dashboard panel.
The "Infosec app for Splunk" has an "All Authentications" dashboard. (Infosec app>Continuous Monitoring>All Authentications) On that dashboard there is a panel that is titled "Authentication Attempts by Application"
The search powering the panel is
| tstats summariesonly=true allow_old_summaries=true count from datamodel=Authentication.Authentication where Authentication.app="*" Authentication.action=* by Authentication.app | rename "Authentication.*" as "*"
The results I get look like this:
app and count
Is there any way I can get this to identify the actual app?
Looking through the settings I see that the "Authentication.app" field is calculated using an eval expression (below), by the Authentication data model.
if(isnull(app) OR app="",sourcetype,app)
I'm not sure if this is what needs to be adjusted and I'm terrible with eval expressions and regex so rather than mess something up I thought I would ask here first. Any help is greatly appreciated.
Stand-alone Splunk Enterprise
Some of the installed Add-ons/Apps:
Microsoft Sysmon Add-on
Microsoft Windows DHCP add-on for Splunk
Splunk Add-on for Microsoft Windows
Splunk Add-on for Microsoft Windows DNS
Splunk Add-on for PowerShell
Splunk App for Windows Infrastructure
Splunk Supporting Add-on for Active Directory
Sysmon App for Splunk
Hi @eliasit, this may help:
win:unknown is taken by InfoSec from the accelerated data model called Authentication
app field of your data
app field. Most of those come from Windows Security logs handled by the Add-on for Windows.
app field by running a search like this:
index=* tag=authentication | stats count by app.
You've likely figured out all of the above steps on your own. Now you can decide what kind of app info you want to see in your authentication data and whether that data actually exists in your raw authentication events. If the data exists, you can create a calculated field.
If you have a suggestion, please share what kind of app info you would like to see from your data sources.
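An added example, not part of the answer above, that prototypes at search time the calculated field the answer describes: it checks what the Windows Security events actually carry and maps the Logon_Type value to a more descriptive app label, falling back to the same expression the Authentication data model uses. The source filter, the field names EventCode and Logon_Type, and the label mapping are assumptions about the Windows add-on's extractions.

```spl
index=* tag=authentication source="*WinEventLog:Security" EventCode IN (4624, 4625)
| eval app_enriched=case(
      Logon_Type="2",  "win:interactive",
      Logon_Type="3",  "win:network",
      Logon_Type="10", "win:remote_interactive",
      true(),          if(isnull(app) OR app="", sourcetype, app))
| stats count by app, app_enriched
```

Once the mapping looks right, persist it as an EVAL-app calculated field in props.conf for that sourcetype and rebuild the Authentication data model acceleration, since summariesonly=true only returns values already present in the summaries.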
Thanks for the info. Running the search returned only the win:xxx values. Using the info you provided I found the lookup file (see below) used to populate this field and the various lookups that use it. Now I just need to modify the lookup. Because I was in the Infosec app I never would have thought to check the Windows add-ons.
In case anyone else is looking, this is where I found it.
I don't know why searching "windows data enrichment" doesn't find this Best Practice guide but anyway...
For anyone looking for more ways to enrich your Windows data this guide is fantastic.
"What are the Splunk apps and add-ons for Microsoft technologies, and what do I use them for?"