I'm developing a compliance app, the intention is to make it the more CIM compliant as possible, but here is the problem, no CIM fields cover windows sessions for example (which starts with event 4264 and finish with 4647). I can make my sessions panel out of the accelerated datamodel, but I think the best idea is to accomodate a few fields to respect the cim and don't interfere with the Authentication datamodel, even if I use the 4624 in another panels of my dashboards.
So, i'm planning of doing it with Change, for example:
result_id would be a fieldalias of logonID
and action would be action=session_started for 4624, action=session_finished for 4647
after that I would make transactions with the result_id's inside my dashbord's panel search. Before doing that, I would like to know
A. If you have a better Idea for doing this respecting the CIM
B. how flexible is the "action" field? I mean, it's valid to Eval session_started and session_finished?
I mean, the action field in Change table is restricted to only 9 options (acl_,modified, cleared, created, deleted, modified, read, stopped, updated), can I make extra actions? My objective is to isolate the actions and the panels the more I can, I mean, I have no other use to these sessions other than that panel.
I do not think the Change data model sounds like an appropriate match based on the "action" field value listing you provided. It might be that the Network Session model is more appropriate, but I haven't looked at it closely.
The Authentication data model seems the most appropriate. Here is what I would alias to:
action = "success" or "failure"
signature_id = 4624, etc
signature = "An account was successfully logged on", etc
The only thing you really need to perform the transaction is the signature_id. The "session_started" and "finished" that you want to use in the action field you don't really need. If you want those values you can just add them as evals for each event/EventCode and place them into any field you want like "description" or "message".
You may not even need to worry about the data model. If you are only using this in a single dashboard panel and not building an entire app or data model on that work then you could just alias the fields to the most appropriate CIM field and use those fields to build your panel. If you need the acceleration, you could use an accelerated report just for this panel without a data model, or you could build to an existing model, or create your own data model as mentioned previously.
I suspect, because of the sheer volume of 4624 log events, that acceleration is a significant consideration.
Thanks for your answer, if I go for Network Sessions, my actions should be added / blocked? or can I use started / stopped? or added/blocked apply?
Should I use Session_Start / Session_End datasets?
I think ill go for that approach. Thanks!
Others might have more to add, but yes you can add new fields to the action field if you like. However there will be no search that uses the DMA that will know what to do with your field.
I think what you are doing overall sounds OK to me. You could also consider using a new data model that you create yourself for the data if it isn't a good fit for an existing one. If you are planning to release this app on Splunkbase then you should be extra careful that its a good fit for the data model.
All the best,