All Apps and Add-ons

Stream Splunk_SSLActivity - no common name

johnansett
Communicator

Hello! I have deployed Splunk Stream v7.1.3 and configured to collect Splunk_SSLActivity.

Events are coming through but the SSL Activity Informational Dashboards do not work.

Other dashboards/events are fine (e.g. HTTP, DNS), but when I look at the Splunk_SSLActivity data there is no common name/domain name.
I do have a field "ssl_subject" which sometimes contains CN = *.site.com OR CN = SplunkDefaultCert. In some events there is just "CN":

C = US, postalCode = 90000, ST = California, L = Newport, street = 1 PCH, O = Splunk, OU = Information Security, OU = Issued through Splunk, OU = InstantSSL Pro, CN

It looks like the app is expecting a field which isn't extracted, although both TA and App is installed (this is SplunkCloud) and the data is forwarded directly from Win and Linux hosts UF -> SplunkCloud.

I'm not sure if I can totally trust the data and while I can extract the field to match dashboard I am more concerned about WHY it's not working.

Any tips would be greatly appreciated!!

Thanks

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...