Enterprise Security: Why is signature a recommended field according to the cim validator?
The cim validator shows the signature field as a recommended field for the Authentication datamodel while the following query doesn't -
| rest splunk_server=local count=0 /services/data/models/Authentication
| rename title as model,eai:data as data
| spath input=data output=objects path=objects{}
| mvexpand objects
| spath input=objects output=object_name path=objectName
| spath input=objects output=fields path=fields{}
| appendpipe
[| spath input=objects output=fields path=calculations{}.outputFields{}]
| mvexpand fields
| spath input=fields output=field_name path=fieldName
| spath input=fields output=recommended path=comment.recommended
| table model,object_name,field_name,recommended
| sort model,object_name,field_name
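The same traversal the REST query above performs, written as an added Python example (not part of the original post): it walks one datamodel's eai:data JSON and lists declared and calculated fields with their comment.recommended flag. The sample document is constructed; the key layout follows the paths the query uses, but the recommended values are made up, not the shipped CIM ones.

```python
import json

# Constructed sample of the eai:data JSON returned for one datamodel.
# Key names mirror the paths the SPL query addresses; the recommended
# flags are assumed values for illustration only.
SAMPLE_EAI_DATA = json.dumps({
    "modelName": "Authentication",
    "objects": [
        {
            "objectName": "Authentication",
            "fields": [
                {"fieldName": "action", "comment": {"recommended": True}},
                {"fieldName": "signature_id", "comment": {"recommended": False}},
                {"fieldName": "signature", "comment": {}},
            ],
            "calculations": [
                {"outputFields": [
                    {"fieldName": "src_user", "comment": {"recommended": True}},
                ]},
            ],
        },
    ],
})


def list_fields(eai_data: str):
    """Return sorted (object_name, field_name, recommended) tuples.

    Declared fields and calculated output fields are both included, which is
    what the appendpipe in the SPL query does. A field with no
    comment.recommended key yields None, so 'not marked' can be told apart
    from an explicit False.
    """
    model = json.loads(eai_data)
    rows = []
    for obj in model.get("objects", []):
        name = obj.get("objectName")
        declared = obj.get("fields", [])
        calculated = [f for calc in obj.get("calculations", [])
                      for f in calc.get("outputFields", [])]
        for field in declared + calculated:
            rec = field.get("comment", {}).get("recommended")
            rows.append((name, field.get("fieldName"), rec))
    return sorted(rows, key=lambda r: (r[0], r[1]))


def recommended_fields(eai_data: str):
    """Only the field names whose comment.recommended is true."""
    return [f for _, f, rec in list_fields(eai_data) if rec is True]
```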

Got it. Thanks.

This is actually an easy answer and is best explained from Windows and Linux.
In Windows there are many different authentication events/"event codes" including 680/681, 4768, etc. These values should be stored in the "signature_id" field. The "signature" field is a description of these, so it would have something like:
for 680, "older Windows login failure"
for 681, "older Windows login success", etc.
See the Windows TA for details.
In Linux there is not really a "signature_id", but there are definitely different types of logins, so the strings from the audit logs are stored in "signature" so that the different types can be distinguished from one another.
See the *NIX TA for details.
