Re: windows ta addon not extracting action

Chiranjeev · ‎07-08-2024

I am having issues with action extraction on my windows addon . for example the eventcode 4624 should have an action value of success ,but nothing is being extracted and this eventcode constitutes majority of the data .the status is being extracted correctly as success.does anyone know how action is being extracted for this eventcode.

gcusello · ‎07-08-2024

Hi @Chiranjeev ,

did you enabled inputs in the add-on? by default they are disabled.

Ciao.

Giuseppe

Chiranjeev · ‎07-08-2024

inputs are enabled for system,app,security logs ,its just action field is not being correctly extracted for event codes

gcusello · ‎07-08-2024

Hi @Chiranjeev ,

what's the format of your logs?

it's the standard windows or a different one?

I experienced many issues using a concentrator for windows logs.

If the format is different, you shuld reparse them.

Ciao.

Giuseppe

PickleRick · ‎07-08-2024

There is something wrong.

But seriously - you haven't shown us anything regarding your data and your configuration. You haven't told us what your architecture is and where this addon is installed.

My glass orb is undergoing annual maintenance...

Chiranjeev · ‎07-08-2024

we have a centralized collector via WEF for our windows logs where a uf with windows addon is sending logs to splunkcloud,where also we have a ta addon .

PickleRick · ‎07-08-2024

OK. Show us one of your 4624 events found in verbose mode (blur sensitive data if needed).

BTW, looking at my 4624 events I don't see anything that should yield action=success extraction.

windows ta addon not extracting action

authentication

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

Preparing your Splunk Environment for OpenSSL3

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation