
No CIM-aligned fields for TA-Windows-Defender

mattcosa
Explorer

Hi, I'm having trouble with the Windows Defender TA.

I have the package distributed to my UF, and it's pulling logs into the correct index. The TA is also installed on my single instance search head/indexer.

sourcetype is XmlWinEventLog
source is XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational

There seems to be a stack of fields extracted, but none are CIM-aligned.

It does not seem to be observing tags.conf or props.conf.

Has anyone got any ideas?

Cheers!


QuintonS
Path Finder

Having the same issue, did you manage to find a solution?


mattcosa
Explorer

Sorry Quinton - still stuck.


QuintonS
Path Finder

Hi,

Found the issue. The props, eventtypes and tags were not working because the sourcetype was being renamed by the "Splunk Add-on for Microsoft Windows". We modified the app a little by changing props.conf to use "source::" rather than the sourcetype, and also changed the search for the eventtypes to use the index and the source. This solved the issue, and we now have all the extractions working and the tags firing as expected.

Hope this helps?


mattcosa
Explorer

Just confirming - this is my conf which seems to be working.

[source::XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]

and eventtypes.conf

[ms-windefender-operation]
search = source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1000" OR EventCode="1001" OR EventCode="1002" OR EventCode="1005" OR EventCode="1150" OR EventCode="2*" OR EventCode="3*" OR EventCode="5*")

[ms-windefender-attack]
search = source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1116" OR EventCode="1117" OR EventCode="1119" OR EventCode="1120")

Cheers.


QuintonS
Path Finder

Yup, the only difference is that I also specified the index in my eventtypes.conf, but that should work as well.

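An added example, not code from this thread or from TA-microsoft-windefender: a small offline checker in Python that mimics how a props.conf stanza and an eventtypes.conf search are matched against an event, so the fix described in the posts above (key on source, optionally plus index, instead of on the sourcetype the Windows add-on renames) can be reproduced without a Splunk instance. The source-keyed stanzas are the ones posted above; the sourcetype-keyed versions are an assumed reconstruction of the pre-fix TA, the index name len_windefender and the sample events are constructed, and the SPL it understands is limited to field=value comparisons, * wildcards, AND/OR and parentheses. The props.conf source:: wildcard rules it applies ('*' not crossing '/', '...' matching anything) are the ones documented for props.conf.

```python
"""Offline checker for Splunk eventtypes.conf searches and props.conf stanza matching.
Added example, not code from this thread or from TA-microsoft-windefender. Supports only
the SPL the thread uses: field="value" or field=value, '*' wildcards, AND/OR, parentheses."""
import re

DEFENDER_SOURCE = "XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational"

# Stanzas as posted in the thread, keyed on source.
EVENTTYPES_BY_SOURCE = f'''
[ms-windefender-operation]
search = source="{DEFENDER_SOURCE}" (EventCode="1000" OR EventCode="1001" OR EventCode="1002" OR EventCode="1005" OR EventCode="1150" OR EventCode="2*" OR EventCode="3*" OR EventCode="5*")

[ms-windefender-attack]
search = source="{DEFENDER_SOURCE}" (EventCode="1116" OR EventCode="1117" OR EventCode="1119" OR EventCode="1120")
'''
PROPS_BY_SOURCE = f"[source::{DEFENDER_SOURCE}]\n"
# Assumed pre-fix form: same stanzas keyed on a per-channel sourcetype, which the Windows add-on renames.
EVENTTYPES_BY_SOURCETYPE = EVENTTYPES_BY_SOURCE.replace('source="', 'sourcetype="')
PROPS_BY_SOURCETYPE = f"[{DEFENDER_SOURCE}]\n"

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; values may contain '='."""
    conf, stanza = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf[stanza] = {}
        elif "=" in line and stanza is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            conf[stanza][key.strip()] = value.strip()
    return conf

# Tokens: parentheses, OR/AND, field=value (quoted or bare value); any other non-space char is an error.
_TOKEN_RE = re.compile(r'\(|\)|\bOR\b|\bAND\b|(\w+)=(?:"([^"]*)"|([^\s()]+))|(\S)')

def _tokenize(search):
    tokens = []
    for m in _TOKEN_RE.finditer(search):
        if m[4]:
            raise ValueError(f"unsupported SPL near {search[m.start():m.start() + 20]!r}")
        tokens.append(("CMP", m[1], m[3] if m[2] is None else m[2]) if m[1] else (m[0], None, None))
    return tokens

def _parse_expr(toks):  # expr := term (OR term)*
    alts = [_parse_term(toks)]
    while toks and toks[0][0] == "OR":
        toks.pop(0)
        alts.append(_parse_term(toks))
    return lambda ev: any(p(ev) for p in alts)

def _parse_term(toks):  # term := factor (AND? factor)*; adjacent terms are ANDed
    parts = [_parse_factor(toks)]
    while toks and toks[0][0] in ("AND", "(", "CMP"):
        if toks[0][0] == "AND":
            toks.pop(0)
        parts.append(_parse_factor(toks))
    return lambda ev: all(p(ev) for p in parts)

def _parse_factor(toks):  # factor := '(' expr ')' | field=value
    if not toks:
        raise ValueError("unexpected end of search")
    kind, field, value = toks.pop(0)
    if kind == "(":
        pred = _parse_expr(toks)
        if not toks or toks.pop(0)[0] != ")":
            raise ValueError("missing ')'")
        return pred
    if kind == "CMP":  # search-time comparison: '*' matches any run of characters, case-insensitive
        match = re.compile(".*".join(map(re.escape, value.split("*"))), re.IGNORECASE).fullmatch
        return lambda ev: field in ev and match(str(ev[field])) is not None
    raise ValueError(f"unexpected token {kind!r}")

def compile_search(search):
    """Compile a search string into a predicate over an event dict."""
    toks = _tokenize(search)
    pred = _parse_expr(toks)
    if toks:
        raise ValueError(f"trailing tokens in search: {toks}")
    return pred

def matching_eventtypes(conf_text, event):
    """Names of eventtypes.conf stanzas whose search matches the event."""
    return [name for name, kv in parse_conf(conf_text).items()
            if "search" in kv and compile_search(kv["search"])(event)]

def matching_props_stanzas(conf_text, event):
    """props.conf stanzas that apply: source:: stanzas match on source ('...' matches anything,
    '*' anything except '/'); any other stanza name is matched against the sourcetype."""
    hits = []
    for stanza in parse_conf(conf_text):
        field, pattern = ("source", stanza[8:]) if stanza.startswith("source::") else ("sourcetype", stanza)
        regex = ".*".join("[^/]*".join(map(re.escape, chunk.split("*"))) for chunk in pattern.split("..."))
        if field in event and re.fullmatch(regex, str(event[field])):
            hits.append(stanza)
    return hits

def defender_event(event_code, sourcetype="XmlWinEventLog"):
    """Constructed Defender event as indexed after the Windows add-on's sourcetype rename."""
    return {"index": "len_windefender", "source": DEFENDER_SOURCE,
            "sourcetype": sourcetype, "EventCode": str(event_code)}
```

Feeding `defender_event(1116)` to `matching_eventtypes` returns `ms-windefender-attack` for the source-keyed stanzas and nothing for the sourcetype-keyed ones, which is exactly the symptom in the first post; `matching_props_stanzas` behaves the same way for the `[source::...]` versus `[sourcetype]` stanza. Two caveats the checker makes visible: `EventCode="2*"` is a prefix wildcard, so it matches 20 and 200 as well as 2000-series codes, and any SPL outside the supported subset (for example NOT) raises rather than being silently ignored.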

lenbriannn
Observer

Hello,

I am very sorry to grave-dig like this, but I am experiencing similar issues and I am unable to decipher exactly what you're saying.

I have the TA installed but I am not having the eval statements working / tagging / etc.

I am working out of the /apps/TA-microsoft-windefender/local/* folder

eventtypes.conf

[ms-windefender-operation]
search = source="WinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1000" OR EventCode="1001" OR EventCode="1002" OR EventCode="1005" OR EventCode="1150" OR EventCode="2*" OR EventCode="3*" OR EventCode="5*")

[ms-windefender-attack]
search = source="WinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1116" OR EventCode="1117" OR EventCode="1119" OR EventCode="1120")

inputs.conf

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = len_windefender
disabled = 0
renderXml = 1

props.conf

[source::XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]

I do also have the windows TA installed, is there something I need to look for in there?


lenbriannn
Observer

I did modify my files to closely reflect what you've stated, after re-reading what you posted. The logs come in, but the EVAL statements do not work.

eventtypes.conf

[ms-windefender-operation]
search = source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1000" OR EventCode="1001" OR EventCode="1002" OR EventCode="1005" OR EventCode="1150" OR EventCode="2*" OR EventCode="3*" OR EventCode="5*")

[ms-windefender-attack]
search = source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1116" OR EventCode="1117" OR EventCode="1119" OR EventCode="1120")

inputs.conf

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = len_windefender
disabled = 0
renderXml = 1

props.conf

[source::XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]


mbjerkeland_spl
Splunk Employee

I just submitted a pull request to the original add-on with the changes you highlighted. I am hoping the original author includes it and gets a new version uploaded to Splunkbase.

https://github.com/pdoconnell/TA-microsoft-windefender/pull/4
