Splunk Enterprise Security

Enterprise Security: Why is signature a recommended field according to the cim validator?

Motivator

The cim validator shows the signature field as a recommended field for the Authentication datamodel while the following query doesn't -

| rest splunk_server=local count=0 /services/data/models/Authentication
| rename title as model,eai:data as data 
| spath input=data output=objects path=objects{} 
| mvexpand objects 
| spath input=objects output=object_name path=objectName 
| spath input=objects output=fields path=fields{} 
| appendpipe 
    [| spath input=objects output=fields path=calculations{}.outputFields{}] 
| mvexpand fields 
| spath input=fields output=field_name path=fieldName 
| spath input=fields output=recommended path=comment.recommended 
| table model,object_name,field_name,recommended 
| sort model,object_name,field_name
Tags (1)

Contributor

Got IT. Thanks.

0 Karma

Esteemed Legend

This is actually an easy answer and is best explained from Windows and Linux.

In WIndows there are a many different authentication events/"event codes" including 680/681, 4768, etc.  These values should be stored in the "signature_id" field.  The "signature" field is a description of these so would have something like:
for 680, "older Windows login failure"
for 681, "older Windows login success", etc.
See the Windows TA for details.

In linux there is not really a "signature_id" but there are definitely different types of logins so the strings from the audit logs are stored in "signature" so that the different types can be distinguished from one-another.
See the *NIX TA for details.