
Splunk 5.x App for Microsoft Windows: What is this "app=win:unknown" being captured in 63% of Windows security logs in Splunk?

mohammed7860
Explorer

Hi Splunkers

I am getting this value of field app=win:unknown being captured in 63% of Windows security logs in Splunk. What does it mean?

Other values for the app field are:

win:remote
win:local

Thanks,
Mohammed

Richfez
SplunkTrust

Is there any way you could paste in one of those events here?

0 Karma

mwarvi
Explorer

This is how we got it working thanks to help from PS:

In the Splunk_TA_Windows\lookups\windows_apps.csv, you'll have to manually add any Windows event codes and what type of app you want it to show up as. Here's a small snippet from ours:

4674,,,,,win:security
4957,,,,,win:firewall
4768,,,,,win:kerberos
4958,,,,,win:useless
4793,,,,,win:security
4611,,,,,win:auth
4702,,,,,win:schedule
4932,,,,,win:adsync

jbillings
SplunkTrust

I believe the windows_apps.csv changes would be overwritten when you update the Splunk_TA_Windows.

0 Karma

tomasmoser
Contributor

Hi mwarvi,

Can you please share your csv with me? I stumbled upon the same issue. Thank you so much.

tomas.moser@alef.com

Best regards,
Tomas

0 Karma

Anonymous
Not applicable

Hi, I am also having this same issue.
Would it be possible to get a complete listing for this csv file?

0 Karma

mwarvi
Explorer

Here's another snippet with the headers in it. The app is just plain text that we decided on here, so you can call it whatever you want. The file should already be there, as I believe the app itself uses it.

It's a very manual process where you just have to go through each event code you want and make up an app for it.

EventCode,Source_Network_Address,Target_Server_Name,Logon_Type,sourcetype,app
552,,,,,win:remote
4648,,,,,win:remote
4663,,,,,win:fileaccess
5157,,,,,win:firewall
5145,,,,,win:fileaccess
4656,,,,,win:fileaccess
5158,,,,,win:firewall
4690,,,,,win:fileaccess
4776,,,,,win:auth
4672,,,,,win:auth
5152,,,,,win:firewall
5156,,,,,win:firewall
5447,,,,,win:firewall

0 Karma

AskhatA
New Member

Is there any solution for the described problem?
We had the same, plus action=unknown and user=unknown.
Tried to solve the problem by adding field aliases, but didn't find field aliases for action and "win:unknown".

0 Karma

akyz
Explorer

Manual intervention. You need to look up the Event IDs that are showing as win:unknown and correlate them with their respective category. Once you have looked up the Event ID/category, you add them manually to windows_apps.csv.

0 Karma
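The thread's fix is to extend the windows_apps.csv lookup by hand, and jbillings warns that edits to the add-on's shipped copy are lost on upgrade. The following is an added example, not code from the thread or from Splunk_TA_Windows: it reads a lookup in the six-column layout posted above, reproduces the fall-through to win:unknown, reports which EventCodes in a sample of events are responsible for the unknown share, and renders new rows in the same layout so they can be kept in a separate copy of the lookup. The sample event stream and the assignment of 4624/4634 to win:auth are constructed assumptions for the demonstration.

```python
import csv
import io
from collections import Counter

# Constructed lookup text in the windows_apps.csv layout from the thread
# (header plus a few of the rows posted above); only EventCode and app are used.
WINDOWS_APPS_CSV = """EventCode,Source_Network_Address,Target_Server_Name,Logon_Type,sourcetype,app
552,,,,,win:remote
4648,,,,,win:remote
4663,,,,,win:fileaccess
4776,,,,,win:auth
4672,,,,,win:auth
5156,,,,,win:firewall
"""


def load_lookup(csv_text):
    """Map EventCode -> app from lookup text in the windows_apps.csv layout."""
    return {row["EventCode"]: row["app"] for row in csv.DictReader(io.StringIO(csv_text))}


def classify(event_code, lookup):
    """Mirror the lookup behaviour: a code with no row falls through to win:unknown."""
    return lookup.get(str(event_code), "win:unknown")


def unknown_report(event_codes, lookup):
    """Return (share of events classified win:unknown, Counter of the unmapped codes).

    The Counter is sorted most-common first by most_common(), so it tells you which
    rows to add to the lookup to recover the largest share of unknown events."""
    unmapped = Counter(c for c in event_codes if classify(c, lookup) == "win:unknown")
    share = sum(unmapped.values()) / len(event_codes) if event_codes else 0.0
    return share, unmapped


def lookup_rows(mapping):
    """Render EventCode -> app pairs as rows in the six-column layout (blank
    Source_Network_Address, Target_Server_Name, Logon_Type and sourcetype columns)."""
    return [f"{code},,,,,{app}" for code, app in sorted(mapping.items(), key=lambda kv: int(kv[0]))]


if __name__ == "__main__":
    lookup = load_lookup(WINDOWS_APPS_CSV)
    # Constructed sample of EventCode values as they might come from Windows security logs.
    sample = ["4624", "4624", "4648", "4634", "4776", "4624", "4634", "4672"]
    share, unmapped = unknown_report(sample, lookup)
    print(f"{share:.0%} win:unknown; top unmapped codes: {unmapped.most_common(3)}")
    # Assumed categorisation for the demo: logon/logoff codes go to win:auth.
    print("\n".join(lookup_rows({"4624": "win:auth", "4634": "win:auth"})))
```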