
How come I'm not seeing data in the InfoSec App for Splunk?

fbatalla
Engager

I have the InfoSec App installed, but I'm having trouble having the app read some of my data sources.

I’m sending data from a Cisco ASA by listening on a TCP port.

I’m sending security event log info from Active Directory via Remote event log connection in Data inputs.
They are both in separate indexes.

The data from both sources is searchable in Search and Reporting, and I can also see the ASA data in the Firegen Cisco App.

In the InfoSec app, I'm able to see some hits under Continuous Monitoring > Windows Access Changes > Privilege Escalations. However, I don't see any hits for the rest of the counters (Successful/Failed Authentications).

The installation is a single Splunk instance.

1 Solution

igifrin_splunk
Splunk Employee

If you only see the Privilege Escalations report but not the rest of the Windows reports on the Windows Access and Changes dashboard, that is likely because you either don't have the CIM Add-on installed or the Authentication data model is not accelerated.

  • CIM Add-on: https://splunkbase.splunk.com/app/1621/
  • Data model acceleration (must have rights to perform this operation): Settings>Data Models>Edit (for Authentication data model)>Edit Acceleration

The list of required add-ons and data models that need to be accelerated is in the prerequisites here: https://splunkbase.splunk.com/app/4240/#/details


fbatalla
Engager

I have the following acceleration settings enabled for the authentication data model in CIM:

https://imgur.com/a/feiOCCO


igifrin_splunk
Splunk Employee

The parameters for data model acceleration look good. Thanks for posting the details.

Are you using Windows Add-on to bring Windows data in? Do you have it installed on your Splunk server? If you don't, you'll need it to have the data model data populated properly.

If you do, do the following searches return any results?

index=* app="win*"  action=success  tag=authentication
index=*  action=success  tag=authentication

If the searches come back empty, that is likely a problem with the Windows Add-on configuration.

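The thread's two checks can be run together from a script. The Python below is an added example, not code from the InfoSec App, the Splunk add-ons, or either poster. It checks the prerequisites from the accepted answer (CIM Add-on installed, Authentication data model accelerated) and the follow-up answer's diagnostics (Windows Add-on installed, the two `tag=authentication` searches return events) over the Splunk REST API on the management port, then reports which prerequisite is missing. Assumptions: the add-on directory names `Splunk_SA_CIM` and `Splunk_TA_windows`, that the `acceleration` field of a `datamodel/model` entry is a JSON string, and that the user has rights to read apps and data models and to run searches. The `diagnose` and `acceleration_enabled` functions are pure so they can be exercised on constructed inputs without a server.

```python
"""Prerequisite check for the InfoSec App's Windows authentication panels.

Added example; not part of the InfoSec App or the thread. Assumes the Splunk
management port (8089) is reachable and the add-on ids below are correct.
"""
import base64
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

CIM_APP = "Splunk_SA_CIM"         # assumed app id of the CIM Add-on (Splunkbase 1621)
WINDOWS_TA = "Splunk_TA_windows"  # assumed app id of the Splunk Add-on for Windows
DATA_MODEL = "Authentication"

# The two searches from the thread, wrapped in stats so a single row comes back.
DIAGNOSTIC_SEARCHES = {
    "windows_auth_success": 'search index=* app="win*" action=success tag=authentication | stats count',
    "any_auth_success": "search index=* action=success tag=authentication | stats count",
}


def acceleration_enabled(model_content):
    """True if a datamodel/model entry's content says acceleration is enabled.

    Assumption: Splunk returns the acceleration settings as a JSON string in the
    ``acceleration`` field; a dict is accepted as well.
    """
    raw = model_content.get("acceleration", "{}")
    settings = json.loads(raw) if isinstance(raw, str) else raw
    return bool(settings.get("enabled", False))


def diagnose(cim_installed, windows_ta_installed, accelerated, search_counts):
    """Map raw check results to the findings the thread walks through.

    search_counts maps search name -> event count; None means the search failed.
    """
    findings = []
    if not cim_installed:
        findings.append("CIM Add-on (%s) is not installed" % CIM_APP)
    if not accelerated:
        findings.append("Authentication data model is not accelerated")
    if not windows_ta_installed:
        findings.append("Windows Add-on (%s) is not installed" % WINDOWS_TA)
    if search_counts.get("any_auth_success") in (None, 0):
        findings.append("no events carry tag=authentication with action=success; "
                        "check the Windows Add-on configuration")
    elif search_counts.get("windows_auth_success") in (None, 0):
        findings.append("authentication events exist but none come from a Windows "
                        "source (app=win*); check the Windows Add-on configuration")
    return findings


class SplunkRest:
    """Minimal REST client: basic auth, JSON output, optional TLS verification."""

    def __init__(self, base_url, user, password, verify_tls=True):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        self.headers = {"Authorization": "Basic " + token}
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # Splunk ships a self-signed certificate on 8089
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def _call(self, path, data=None):
        url = self.base_url + path + "?output_mode=json"
        body = urllib.parse.urlencode(data).encode() if data else None  # POST if data
        req = urllib.request.Request(url, data=body, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.load(resp)

    def app_installed(self, app):
        try:
            self._call("/services/apps/local/" + app)
            return True
        except urllib.error.HTTPError as err:
            if err.code == 404:  # unknown app id -> not installed
                return False
            raise

    def model_content(self, name):
        return self._call("/services/datamodel/model/" + name)["entry"][0]["content"]

    def count(self, spl):
        """Run a one-shot search ending in `stats count` and return the count."""
        try:
            rows = self._call("/services/search/jobs",
                              {"search": spl, "exec_mode": "oneshot"})["results"]
            return int(rows[0]["count"]) if rows else 0
        except (urllib.error.HTTPError, KeyError, ValueError):
            return None


def run_checks(rest):
    counts = {name: rest.count(spl) for name, spl in DIAGNOSTIC_SEARCHES.items()}
    return diagnose(cim_installed=rest.app_installed(CIM_APP),
                    windows_ta_installed=rest.app_installed(WINDOWS_TA),
                    accelerated=acceleration_enabled(rest.model_content(DATA_MODEL)),
                    search_counts=counts)


if __name__ == "__main__":
    import sys
    url, user, password = sys.argv[1:4]  # e.g. https://localhost:8089 admin <pw>
    for line in run_checks(SplunkRest(url, user, password, verify_tls=False)) or ["all prerequisites satisfied"]:
        print(line)
```

The order of the findings follows the thread: add-on and acceleration problems are reported first because the panels cannot populate without them, and the search results are only interpreted once the second, broader search has shown whether any authentication events exist at all.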