Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Authentication CIM tags and mapping

gwes77
Explorer
‎12-03-2019 08:40 AM

Hello all,

I need help manually mapping a log source that has no supported add on. I entered in two event types with tags to ID which log is a failed login and which is a successful login. They are listed below.

Search: index=index sourcetype=logsource LoginSuccessful=0 Tags: authentication, failure
Search: index=index sourcetype=logsource LoginSuccessful=1 Tags: authentication, success

But in the Auth DM fields, it is showing every event as Authentication.is_Failed_Authentication and every event as Authentication.is_Successful_Authentication. Can someone send me the link to the right mapping doc in Splunk or describe what I am missing here. Do I need to enter a field alias as well?

Thank you

0 Karma
Reply

meetmshah
Builder
‎07-31-2023 01:16 PM

Hello @gwes77, Can you please confirm what's the value of the action field? Because both, success and failed authentication does have "(`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$)" in common but not action. Below screenshots for your reference - 

 

meetmshah_0-1690834570644.png

 

meetmshah_1-1690834579469.png

 

0 Karma
Reply

javierg
New Member
‎07-24-2023 08:37 PM

Hi bro sorry for the late reply went to go make dinner for four years.

If I understand your issue correctly, you are having issues finding your authentication CIM via data model search.

In order to map your authentication logs to authentication CIM, you can add the following lines into your tags.conf file (located in TA):
[eventtype=[..]]
authentication = enabled

If you are unsure of your eventtype, you should also have eventtypes.conf where you can map the sourcetype to eventtype.

Hope this clarifies your doubts, I will go eat my dinner now.

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

At Splunk Education, we’re dedicated to providing top-tier learning experiences that cater to every skill ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...