Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Authentication CIM tags and mapping

gwes77
Explorer
‎12-03-2019 08:40 AM

Hello all,

I need help manually mapping a log source that has no supported add on. I entered in two event types with tags to ID which log is a failed login and which is a successful login. They are listed below.

Search: index=index sourcetype=logsource LoginSuccessful=0 Tags: authentication, failure
Search: index=index sourcetype=logsource LoginSuccessful=1 Tags: authentication, success

But in the Auth DM fields, it is showing every event as Authentication.is_Failed_Authentication and every event as Authentication.is_Successful_Authentication. Can someone send me the link to the right mapping doc in Splunk or describe what I am missing here. Do I need to enter a field alias as well?

Thank you

0 Karma
Reply

meetmshah
Builder
‎07-31-2023 01:16 PM

Hello @gwes77, Can you please confirm what's the value of the action field? Because both, success and failed authentication does have "(`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$)" in common but not action. Below screenshots for your reference - 

 

meetmshah_0-1690834570644.png

 

meetmshah_1-1690834579469.png

 

0 Karma
Reply

javierg
New Member
‎07-24-2023 08:37 PM

Hi bro sorry for the late reply went to go make dinner for four years.

If I understand your issue correctly, you are having issues finding your authentication CIM via data model search.

In order to map your authentication logs to authentication CIM, you can add the following lines into your tags.conf file (located in TA):
[eventtype=[..]]
authentication = enabled

If you are unsure of your eventtype, you should also have eventtypes.conf where you can map the sourcetype to eventtype.

Hope this clarifies your doubts, I will go eat my dinner now.

0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...