All Apps and Add-ons

No CIM aligned fields for TA-WIndows-Defender

mattcosa
Explorer

Hi, I'm having trouble with the Windows Defender TA.

I have the package distributed to my UF, and it's pulling logs into the correct index. The TA is also installed on my single instance search head/indexer.

sourcetype is XmlWinEventLog
source is XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational

There seems to be a stack of fields extracted. None are CIM aligned.

It does not seem to be observing any of the tags.conf, or props.conf.

Has anyone got any ideas?

Cheers!

0 Karma

QuintonS
Path Finder

Having the same issue, did you manage to find a solution?

0 Karma

mattcosa
Explorer

Sorry Quinton - still stuck.

0 Karma

QuintonS
Path Finder

Hi,

Found the issue. the props, eventypes and tags were not working because the sourcetype was being renamed by the "Splunk add-on for Microsoft windows". We modified the app a little by changing the props.conf to use the "source::" and not the sourcetype, and also changed the search for the eventtypes to use the index and the source. This solved the issue and we now have all the extractions working and the tags are firing as expected.

Hope this helps?

0 Karma

mattcosa
Explorer

Just confirming - this is my conf which seems to be working.

[source::XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]

and eventtypes.conf

[ms-windefender-operation]
search = source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1000" OR EventCode="1001" OR EventCode="1002" OR EventCode="1005" OR EventCode="1150" OR EventCode="2*" OR EventCode="3*" OR EventCode="5*")

[ms-windefender-attack]
search = source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1116" OR EventCode="1117" OR EventCode="1119" OR EventCode="1120")

Cheers.

0 Karma

QuintonS
Path Finder

Yup, the only difference is i specified the index as well in my eventtypes.conf, but that should work as well.

0 Karma

lenbriannn
Observer

Hello,

I am very sorry to grave dig like this but I am experiencing similar issues and I am unable to decipher what you're saying exactly. 

I have the TA installed but I am not having the eval statements working / tagging / etc.

I am working out of the /apps/TA-microsoft-windefender/local/* folder

eventtypes.conf

[ms-windefender-operation]
search = source="WinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1000" OR EventCode="1001" OR EventCode="1002" OR EventCode="1005" OR EventCode="1150" OR EventCode="2*" OR EventCode="3*" OR EventCode="5*")

[ms-windefender-attack]
search =  source="WinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1116" OR EventCode="1117" OR EventCode="1119" OR EventCode="1120")

inputs.conf

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = len_windefender
disabled = 0
renderXml = 1

props.conf

[source::XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]

 

I do also have the windows TA installed, is there something I need to look for in there?

0 Karma

lenbriannn
Observer

I did modify my files to closely reflect what you've stated, after re-reading what you posted.. The logs come in but the EVAL statements do not work.

eventtypes.conf

[ms-windefender-operation]
search = source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1000" OR EventCode="1001" OR EventCode="1002" OR EventCode="1005" OR EventCode="1150" OR EventCode="2*" OR EventCode="3*" OR EventCode="5*")

[ms-windefender-attack]
search =  source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1116" OR EventCode="1117" OR EventCode="1119" OR EventCode="1120")

inputs.conf

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = len_windefender
disabled = 0
renderXml = 1

props.conf

[source::XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]

0 Karma

mbjerkeland_spl
Splunk Employee
Splunk Employee

I just submitted a pull request to the original add-on with the changes you highlighted. I am hoping the original author includes it and gets a new version uploaded to Splunkbase.

https://github.com/pdoconnell/TA-microsoft-windefender/pull/4

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...