Re: Enterprise Security: Why is signature a recomm...

danielbb · ‎10-22-2019

The cim validator shows the signature field as a recommended field for the Authentication datamodel while the following query doesn't -

| rest splunk_server=local count=0 /services/data/models/Authentication
| rename title as model,eai:data as data 
| spath input=data output=objects path=objects{} 
| mvexpand objects 
| spath input=objects output=object_name path=objectName 
| spath input=objects output=fields path=fields{} 
| appendpipe 
    [| spath input=objects output=fields path=calculations{}.outputFields{}] 
| mvexpand fields 
| spath input=fields output=field_name path=fieldName 
| spath input=fields output=recommended path=comment.recommended 
| table model,object_name,field_name,recommended 
| sort model,object_name,field_name

tomasmoser · ‎02-12-2020

Got IT. Thanks.

woodcock · ‎02-12-2020

This is actually an easy answer and is best explained from Windows and Linux.

In WIndows there are a many different authentication events/"event codes" including 680/681, 4768, etc. These values should be stored in the "signature_id" field. The "signature" field is a description of these so would have something like:
for 680, "older Windows login failure"
for 681, "older Windows login success", etc.
See the Windows TA for details.

In linux there is not really a "signature_id" but there are definitely different types of logins so the strings from the audit logs are stored in "signature" so that the different types can be distinguished from one-another.
See the *NIX TA for details.

Enterprise Security: Why is signature a recommended field according to the cim validator?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor