All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

TA-microsoft-sysmon bugged extraction User_as_user

mhessel
Path Finder
‎11-20-2020 08:19 AM

After figuring out what was going on, I figured I would feed this back up.

The current package has a bug in the extraction User_as_user.  The REPORT pointing to the extraction cannot work, as all of the transforms have to be lower case.  As a result, this REPORT in props doesn't work, and the resulting user field is essentially returning the same thing as if there was a FIELDALIAS instead linking User to user, including any "domain name\username" format.

Props.conf has:

REPORT-user_for_sysmon = User_as_user

and in Transforms.conf

[User_as_user]
SOURCE_KEY = User
REGEX = (?:[^\\]+\\)?(.+)
FORMAT = user::"$1"

To fix this, change User_as_user --> user_as_user in both places:

Props.conf:

REPORT-user_for_sysmon = user_as_user

and in Transforms.conf

[user_as_user]
SOURCE_KEY = User
REGEX = (?:[^\\]+\\)?(.+)
FORMAT = user::"$1"

Labels (1)
Labels
Tags (2)
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...