Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Authentication CIM tags and mapping

gwes77
Explorer
‎12-03-2019 08:40 AM

Hello all,

I need help manually mapping a log source that has no supported add on. I entered in two event types with tags to ID which log is a failed login and which is a successful login. They are listed below.

Search: index=index sourcetype=logsource LoginSuccessful=0 Tags: authentication, failure
Search: index=index sourcetype=logsource LoginSuccessful=1 Tags: authentication, success

But in the Auth DM fields, it is showing every event as Authentication.is_Failed_Authentication and every event as Authentication.is_Successful_Authentication. Can someone send me the link to the right mapping doc in Splunk or describe what I am missing here. Do I need to enter a field alias as well?

Thank you

0 Karma
Reply

meetmshah
SplunkTrust
SplunkTrust
‎07-31-2023 01:16 PM

Hello @gwes77, Can you please confirm what's the value of the action field? Because both, success and failed authentication does have "(`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$)" in common but not action. Below screenshots for your reference - 

 

meetmshah_0-1690834570644.png

 

meetmshah_1-1690834579469.png

 

0 Karma
Reply

javierg
New Member
‎07-24-2023 08:37 PM

Hi bro sorry for the late reply went to go make dinner for four years.

If I understand your issue correctly, you are having issues finding your authentication CIM via data model search.

In order to map your authentication logs to authentication CIM, you can add the following lines into your tags.conf file (located in TA):
[eventtype=[..]]
authentication = enabled

If you are unsure of your eventtype, you should also have eventtypes.conf where you can map the sourcetype to eventtype.

Hope this clarifies your doubts, I will go eat my dinner now.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...