- Community
- :
- Splunk Answers
- :
- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: ta_windows_action
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi. I'm getting the Windows Infrastructure App up and running and in one of the events, I am getting a failure on ta_windows_action. The event was a process creation that showed success. Is there some sort of documentation (searched here and on Google) that explains what that field is (or others...basically a reference.) Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have noticed the same thing, but in the Splunk_TA_windows app. I guess the same logic applies to the Infra as well. There is an EVAL in props.conf that sets the field ta_windows_action based on the value of Status. And if there is no match a default value of "failure" is set. So the meaning of "failure" is basically "failure to set a proper value in this field ". Which, in my opinion, is confusing. It should say "unknown" or just leave it blank. Also the coverage of this field in the logs seems very low so a lot of the events has this field set to failure.
This is the EVAL statement in the Windows-app:
props.conf
EVAL-ta_windows_action = case(upper(Status) == "0XC000006F", "denied", upper(Status) == "0XC0000070", "denied", upper(Status) == "0XC000015B", "denied", upper(Status) == "0XC0000234", "denied", upper(Status) == "0XC0000064", "unknown", upper(Status) == "0XC0000133", "error", upper(Status) == "0XC0000225", "error", 1=1 , "failure")
My way forward is to create an override of this and changing the text "failure" to "unknown" instead.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have noticed the same thing, but in the Splunk_TA_windows app. I guess the same logic applies to the Infra as well. There is an EVAL in props.conf that sets the field ta_windows_action based on the value of Status. And if there is no match a default value of "failure" is set. So the meaning of "failure" is basically "failure to set a proper value in this field ". Which, in my opinion, is confusing. It should say "unknown" or just leave it blank. Also the coverage of this field in the logs seems very low so a lot of the events has this field set to failure.
This is the EVAL statement in the Windows-app:
props.conf
EVAL-ta_windows_action = case(upper(Status) == "0XC000006F", "denied", upper(Status) == "0XC0000070", "denied", upper(Status) == "0XC000015B", "denied", upper(Status) == "0XC0000234", "denied", upper(Status) == "0XC0000064", "unknown", upper(Status) == "0XC0000133", "error", upper(Status) == "0XC0000225", "error", 1=1 , "failure")
My way forward is to create an override of this and changing the text "failure" to "unknown" instead.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a ton for your response..!
Unify Your SecOps with Splunk Mission Control
Data Preparation Made Easy: SPL2 for Edge Processor
Introducing Edge Processor: Next Gen Data Transformation
