All Apps and Add-ons

How can I enrich data for Infosec app for splunk?

Path Finder

Hello Splunkers,
Not sure if "enriching" is the right term to use but I'm hoping someone can point me in the direction of some documentation that will help me get more information into, and out of, a dashboard panel.

The "Infosec app for Splunk" has an "All Authentications" dashboard. (Infosec app>Continuous Monitoring>All Authentications) On that dashboard there is a panel that is titled "Authentication Attempts by Application"
The search powering the panel is

| tstats summariesonly=true allow_old_summaries=true count from datamodel=Authentication.Authentication where"*" Authentication.action=* by 
| rename "Authentication.*" as "*"

The results I get look like this:
app and count
win:local 690
win:remote 8328
win:unknown 8784

Is there any way I can get this to identify the actual app?

Looking through the settings I see that the "" field is calculated using an eval expression (below), by the Authentication data model.

if(isnull(app) OR app="",sourcetype,app)

I'm not sure if this is what needs to be adjusted and I'm terrible with eval expressions and regex so rather then mess something up I thought I would ask here first. Any help is greatly appreciated.

System details:
Stand-alone Splunk Enterprise
Version: 7.3.0
Build: 657388c7a488
CIM: 4.14.0

Some of the installed Add-ons/Apps:
Microsoft Sysmon Add-on
Microsoft Windows DHCP add-on for Splunk
Splunk Add-on for Microsoft Windows
Splunk Add-on for Microsoft Windows DNS
Splunk Add-on for PowerShell
Splunk App for Windows Infrastructure
Splunk Supporting Add-on for Active Directory
Sysmon App for Splunk


Re: How can I enrich data for Infosec app for splunk?

Path Finder

Hi @eliasit, this may help:

  • what you see under the app data like win:unknown is taken by InfoSec from the accelerated data model called Authentication
  • The data model just takes what's in the app field of your data
  • The add-on(s) you are using put(s) things like win:local, win:remote and win:unknown in the app field. Most of those come from Windows Security logs handled by the Add-on for Windows.
  • You can simply see what to expect from your authentication data app field by running a search like this: index=* tag=authentication | stats count by app.

You've likely figured out all of the above steps on your own. Now you can decide what kind of app info you want to see in your authentication data and whether that data actually exists in your raw authentication events. If the data exists, you can create a calculated field.

If you have a suggestion, please share what kind of app info you would like to see from your data sources.

View solution in original post


Re: How can I enrich data for Infosec app for splunk?

Path Finder

Hi @igifrin
Thanks for the info. Running the search returned only the win:xxx values. Using the info you provided I found the lookup file (see below) used to populate this field and the various lookups that use it. Now I just need to modify the lookup. Because I was in the Infosec app I never would have thought to check the Windows add-ons.
Thanks again!

In case anyone else is looking, this is where I found it.



Re: How can I enrich data for Infosec app for splunk?

Path Finder

I don't know why searching "windows data enrichment" doesn't find this Best Practice guide but anyway...

For anyone looking for more ways to enrich your Windows data this guide is fantastic.
"What are the Splunk apps and add-ons for Microsoft technologies, and what do I use them for?"

Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.