How come I'm not seeing data in the InfoSec App for Splunk?

fbatalla
Engager

I have the InfoSec App installed, but I'm having trouble having the app read some of my data sources.

I’m sending data from a Cisco ASA by listening on a TCP port.

I’m sending security event log info from Active Directory via Remote event log connection in Data inputs.
They are both in separate indexes.

The data from both sources is searchable in Search and Reporting, and I can also see the ASA data in the Firegen Cisco App.

In the InfoSec app, I'm able to see some hits under Continuous Monitoring > Windows Access Changes > Privilege Escalations. However, I don't see any hits for the rest of the counters (Successful/Failed Authentications).

The installation is a single Splunk instance.

igifrin_splunk
Splunk Employee

If you only see the Privilege Escalations report but not the rest of the Windows reports on the Windows Access and Changes dashboard, that is likely because you either don't have the CIM Add-on installed or the Authentication data model is not accelerated.

  • CIM Add-on: https://splunkbase.splunk.com/app/1621/
  • Data model acceleration (must have rights to perform this operation): Settings>Data Models>Edit (for Authentication data model)>Edit Acceleration

The list of required add-ons and data models that need to be accelerated is in the prerequisites here: https://splunkbase.splunk.com/app/4240/#/details


fbatalla
Engager

I have the following acceleration settings enabled for the authentication data model in CIM:

https://imgur.com/a/feiOCCO


igifrin_splunk
Splunk Employee

The parameters for data model acceleration look good. Thanks for posting the details.

Are you using Windows Add-on to bring Windows data in? Do you have it installed on your Splunk server? If you don't, you'll need it to have the data model data populated properly.

If you do, do the following searches return any results?

index=* app="win*"  action=success  tag=authentication
index=*  action=success  tag=authentication

If the searches come back empty, that is likely a problem with the Windows Add-on configuration.

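The three things the answers above point at (is the Authentication data model actually populated, is its acceleration summary built, and do the Windows events carry the CIM tag and action fields the InfoSec dashboards search on) can be checked with a short set of diagnostic searches. The searches below are an added example for this thread, not part of the original posts and not taken from the InfoSec App or the CIM Add-on. They assume the Windows security events arrive with a sourcetype ending in WinEventLog:Security (the Splunk Add-on for Windows naming; a WMI remote event log input normally prefixes it with WMI:), that the CIM Authentication model uses its standard action values success and failure, and that 4624/4625 are the logon success/failure EventCodes of interest.

```spl
| tstats summariesonly=false count from datamodel=Authentication
    by Authentication.action, sourcetype
| rename Authentication.action AS action

| tstats summariesonly=true count from datamodel=Authentication
    by Authentication.action
| rename Authentication.action AS action

index=* sourcetype=*WinEventLog:Security earliest=-24h
    (EventCode=4624 OR EventCode=4625)
| fillnull value="MISSING" action
| eval has_auth_tag=if(isnotnull(mvfind(tag, "^authentication$")), "yes", "no")
| stats count by sourcetype, EventCode, action, has_auth_tag
```

Run them one at a time. The first search uses summariesonly=false, so it falls back to a raw search when no summary exists: rows with action=success or action=failure for your Windows sourcetype prove that the CIM mapping from the Windows Add-on is applied to those events. The second search uses summariesonly=true and reads only the acceleration summary; if it returns nothing while the first returns rows, the summary has not been built yet (check the build status under Settings > Data Models) or the accelerated search is scoped to indexes that do not include the one holding your Windows data (the index allow-list is set per data model in the CIM Add-on setup). The third search looks at the raw events: a row with action=MISSING and has_auth_tag=no means the events are indexed but the add-on's field extractions and tags are not being applied to that sourcetype, which is the "Windows Add-on configuration" problem described above; if the sourcetype shows a WMI: prefix, confirm that the add-on you installed actually has props for that sourcetype rather than only for the local WinEventLog:Security one.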