All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How come I'm not seeing data in the InfoSec App for Splunk?

fbatalla
Engager
‎12-17-2018 08:35 AM

I have the InfoSec App installed, but I'm having trouble having the app read some of my data sources.

I’m sending data from a Cisco ASA by listening on a TCP port.

I’m sending security event log info from Active Directory via Remote event log connection in Data inputs.
They are both in separate indexes.

The data from both sources is searchable in Search and Reporting, and I can also see the ASA data in the Firegen Cisco App.

In the InfoSec app, I'm able to see some hits under Continous Monitoring > Windows Access Changes > Privelege Escalations. However, I don't see any hits for the rest of the counters (Successful/Failed Authentications).

The installation is a single Splunk instance.

Reply
1 Solution
Solved! Jump to solution
Solution

igifrin_splunk
Splunk Employee
Splunk Employee
‎12-17-2018 09:21 AM

If you only see Privileges Escalations report but not the rest of Windows reports on the Windows Access and Changes dashboard, that is likely because you either don't have the CIM Add-on installed or the Authentication data model in not accelerated.

  • CIM Add-on: https://splunkbase.splunk.com/app/1621/
  • Data model acceleration (must have rights to perform this operation): Settings>Data Models>Edit (for Authentication data model)>Edit Acceleration

The list of required add-ons and data models that need to be accelerated is in the prerequisites here: https://splunkbase.splunk.com/app/4240/#/details

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

igifrin_splunk
Splunk Employee
Splunk Employee
‎12-17-2018 09:21 AM

If you only see Privileges Escalations report but not the rest of Windows reports on the Windows Access and Changes dashboard, that is likely because you either don't have the CIM Add-on installed or the Authentication data model in not accelerated.

  • CIM Add-on: https://splunkbase.splunk.com/app/1621/
  • Data model acceleration (must have rights to perform this operation): Settings>Data Models>Edit (for Authentication data model)>Edit Acceleration

The list of required add-ons and data models that need to be accelerated is in the prerequisites here: https://splunkbase.splunk.com/app/4240/#/details

0 Karma
Reply
Solved! Jump to solution

fbatalla
Engager
‎12-17-2018 01:26 PM

I have the following acceleration settings enabled for the authentication data model in CIM:

https://imgur.com/a/feiOCCO

0 Karma
Reply
Solved! Jump to solution

igifrin_splunk
Splunk Employee
Splunk Employee
‎12-17-2018 02:00 PM

The parameters for data model acceleration look good. Thanks for posting the details.

Are you using Windows Add-on to bring Windows data in? Do you have it installed on your Splunk server? If you don't, you'll need it to have the data model data populated properly.

If you do, do the following searches return any results?

index=* app="win*"  action=success  tag=authentication
index=*  action=success  tag=authentication

If the searches come back empty, that is likely a problem with the Windows Add-on configuration.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | How many sides does a circle have?

  March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...
Top