
No CIM aligned fields for TA-Windows-Defender

mattcosa
Explorer

Hi, I'm having trouble with the Windows Defender TA.

I have the package distributed to my UF, and it's pulling logs into the correct index. The TA is also installed on my single instance search head/indexer.

sourcetype is XmlWinEventLog
source is XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational

There seems to be a stack of fields extracted. None are CIM aligned.

It does not seem to be observing any of the tags.conf, or props.conf.

Has anyone got any ideas?

Cheers!


QuintonS
Path Finder

Having the same issue, did you manage to find a solution?


mattcosa
Explorer

Sorry Quinton - still stuck.


QuintonS
Path Finder

Hi,

Found the issue. The props, eventtypes and tags were not working because the sourcetype was being renamed by the "Splunk Add-on for Microsoft Windows". We modified the app a little by changing the props.conf to use "source::" rather than the sourcetype, and also changed the search for the eventtypes to use the index and the source. This solved the issue and we now have all the extractions working and the tags are firing as expected.

Hope this helps?


mattcosa
Explorer

Just confirming - this is my conf which seems to be working.

[source::XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]

and eventtypes.conf

[ms-windefender-operation]
search = source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1000" OR EventCode="1001" OR EventCode="1002" OR EventCode="1005" OR EventCode="1150" OR EventCode="2*" OR EventCode="3*" OR EventCode="5*")

[ms-windefender-attack]
search = source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1116" OR EventCode="1117" OR EventCode="1119" OR EventCode="1120")

Cheers.


QuintonS
Path Finder

Yup, the only difference is I specified the index as well in my eventtypes.conf, but that should work as well.

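A worked version of the fix Quinton describes and Matt confirms, added here as an example and not the add-on's own shipped configuration: the sourcetype-keyed stanza that stops matching once the Splunk Add-on for Microsoft Windows renames the sourcetype (the thread shows it arriving as plain XmlWinEventLog), beside the source:: keyed stanza, with an eventtype scoped to index and source and the tags the CIM Malware data model keys on. The EVAL field mappings, the len_windefender index name and the tag assignments are assumptions, not the TA's settings.

```ini
# props.conf (broken): keyed on the sourcetype the input originally assigns.
# The Splunk Add-on for Microsoft Windows renames that sourcetype to plain
# XmlWinEventLog at index time, so this stanza never matches and none of
# its EVALs run; eventtypes and tags built on them never fire either.
[XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]
EVAL-vendor_product = "Microsoft Windows Defender"

# props.conf (working): key on the source, which the rename does not touch.
# The two EVALs below are assumed CIM mappings, not the add-on's own.
[source::XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]
EVAL-vendor_product = "Microsoft Windows Defender"
EVAL-dest = coalesce(dest, host)

# eventtypes.conf: match on index and source, never on sourcetype.
# The index name is an assumption (the thread used len_windefender).
[ms-windefender-attack]
search = index=len_windefender source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1116" OR EventCode="1117" OR EventCode="1119" OR EventCode="1120")

# tags.conf: tags the CIM Malware data model expects (assumed assignment).
[eventtype=ms-windefender-attack]
malware = enabled
attack = enabled
```

To confirm both the rename and that the tags now fire, search the index and source and run `| stats count by sourcetype, eventtype, tag`; the sourcetype column shows what the Windows add-on renamed it to, and an empty tag column means the props stanza is still not matching.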

lenbriannn
Observer

Hello,

I am very sorry to grave-dig like this, but I am experiencing similar issues and I am unable to decipher what you're saying exactly.

I have the TA installed but I am not having the eval statements working / tagging / etc.

I am working out of the /apps/TA-microsoft-windefender/local/* folder

eventtypes.conf

[ms-windefender-operation]
search = source="WinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1000" OR EventCode="1001" OR EventCode="1002" OR EventCode="1005" OR EventCode="1150" OR EventCode="2*" OR EventCode="3*" OR EventCode="5*")

[ms-windefender-attack]
search =  source="WinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1116" OR EventCode="1117" OR EventCode="1119" OR EventCode="1120")

inputs.conf

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = len_windefender
disabled = 0
renderXml = 1

props.conf

[source::XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]


I do also have the windows TA installed, is there something I need to look for in there?


lenbriannn
Observer

I did modify my files to closely reflect what you've stated, after re-reading what you posted. The logs come in but the EVAL statements do not work.

eventtypes.conf

[ms-windefender-operation]
search = source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1000" OR EventCode="1001" OR EventCode="1002" OR EventCode="1005" OR EventCode="1150" OR EventCode="2*" OR EventCode="3*" OR EventCode="5*")

[ms-windefender-attack]
search =  source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1116" OR EventCode="1117" OR EventCode="1119" OR EventCode="1120")

inputs.conf

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = len_windefender
disabled = 0
renderXml = 1

props.conf

[source::XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]


mbjerkeland_spl
Splunk Employee

I just submitted a pull request to the original add-on with the changes you highlighted. I am hoping the original author includes it and gets a new version uploaded to Splunkbase.

https://github.com/pdoconnell/TA-microsoft-windefender/pull/4
