Splunk Enterprise Security

How to make Stream logs CIM compliant

akhalfan
Engager

I've used the Splunk Stream app to get DNS logs from a Windows DNS server. I got the logs to a Search Head instance that has the Enterprise Security app. However, I can't seem to make the data, which is in JSON format, CIM compliant.

Below is a sample raw log message:

{"endtime":"2020-03-04T16:13:55.892181Z","timestamp":"2020-03-04T16:13:55.886950Z","bytes":237,"bytes_in":35,"bytes_out":202,"dest_ip":"8.8.8.8","dest_mac":"00:15:5D:FA:54:6B","dest_port":53,"flow_id":"d53fcb9a-ea29-4761-ac1a-de6ca66d31e4","host_addr":["104.115.41.252"],"hostname":["www.microsoft.com-c-3.edgekey.net","www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net","e1367...}

What would be the best way to make the query field CIM compliant with the query field in the DNS as mentioned here:

https://docs.splunk.com/Documentation/CIM/4.15.0/User/NetworkResolutionDNS

1 Solution

zacharychristen
Path Finder

The Splunk Stream Add-on automatically extracts the query field.

Run the following search in your dns index and verify that the "dns, network, and resolution" tags appear:

index=<YOUR DNS INDEX> sourcetype="stream:dns" | stats count by tag

If not, verify that you have the Splunk Stream Add-on installed: Navigate to Apps > Manage apps. The Splunk Stream Add-on is in the same packaged app as the Splunk Stream app but sometimes the add-on does not properly install.

If you have the Add-on installed and the tags are showing up, verify that you have your DNS index whitelisted in the CIM setup. This can be done in Enterprise Security by navigating to Configure > CIM Setup. Click the Network Resolution Data Model and verify the DNS index is whitelisted.
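The tag check above tells you whether the eventtype and tags are applied, but not whether the raw stream:dns event actually carries the fields the Network Resolution data model wants. The following is an added example, not code from the thread or from the Stream add-on: it parses a constructed stream:dns JSON event (modelled on the field names visible in the question), renames the fields to their CIM names using an assumed mapping (the add-on ships its own aliases; the table here only covers the subset checked), and reports which CIM fields are present or missing, so a missing query or reply_code can be spotted at the raw-event level before the data model is blamed.

```python
import json

# Constructed sample stream:dns event (not the poster's full log, which is
# truncated in the thread); field names follow the ones visible in the question.
SAMPLE_EVENT = json.dumps({
    "timestamp": "2020-03-04T16:13:55.886950Z",
    "endtime": "2020-03-04T16:13:55.892181Z",
    "bytes": 237, "bytes_in": 35, "bytes_out": 202,
    "src_ip": "10.0.0.25", "src_port": 51234,
    "dest_ip": "8.8.8.8", "dest_port": 53,
    "transport": "udp",
    "message_type": "RESPONSE",
    "query": ["www.microsoft.com"],
    "query_type": ["A"],
    "reply_code": "NoError",
    "transaction_id": 4711,
    "host_addr": ["104.115.41.252"],
    "hostname": ["www.microsoft.com-c-3.edgekey.net"],
})

# Second constructed event that only carries flow-level metadata, to show how
# a capture without the DNS payload fields is reported.
PARTIAL_EVENT = json.dumps({
    "timestamp": "2020-03-04T16:14:01.000000Z",
    "src_ip": "10.0.0.25", "dest_ip": "8.8.8.8", "dest_port": 53,
    "transport": "udp", "message_type": "QUERY",
})

# ASSUMED mapping: CIM Network Resolution (DNS) field -> stream:dns field.
# The Stream add-on provides its own field aliases; this table only mirrors
# the subset checked here so the script runs without Splunk.
CIM_FROM_STREAM = {
    "src": "src_ip",
    "dest": "dest_ip",
    "src_port": "src_port",
    "dest_port": "dest_port",
    "transport": "transport",
    "message_type": "message_type",
    "query": "query",
    "query_type": "query_type",
    "reply_code": "reply_code",
    "transaction_id": "transaction_id",
}


def normalize(raw_json):
    """Parse one stream:dns event and rename its fields to their CIM names.
    Single-element lists are flattened to a scalar (Splunk shows them as one
    value); longer lists are kept as multivalue fields."""
    event = json.loads(raw_json)
    out = {}
    for cim_name, stream_name in CIM_FROM_STREAM.items():
        if stream_name not in event:
            continue
        value = event[stream_name]
        if isinstance(value, list) and len(value) == 1:
            value = value[0]
        out[cim_name] = value
    return out


def cim_coverage(raw_json):
    """Return (present, missing) CIM field names, both sorted, for one event."""
    mapped = normalize(raw_json)
    present = sorted(mapped)
    missing = sorted(set(CIM_FROM_STREAM) - set(mapped))
    return present, missing


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EVENT), ("partial", PARTIAL_EVENT)):
        present, missing = cim_coverage(raw)
        print(f"{label}: {len(present)} CIM fields present, missing: {missing or 'none'}")
```

Run it against a handful of events exported from the dns index (for example via `| table _raw` and a CSV export) and any field that shows up as missing on every event points at the capture configuration rather than at eventtypes, tags or the CIM Setup whitelist.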


mokuso
Explorer

I had a similar issue. The results of the above query only returned the "communicate" and "network" tags.

It appears that the default/eventtypes.conf is ignoring "stream:Splunk_*" which excludes "stream:Splunk_DNS*" events:

[stream_dns]
search = sourcetype=stream:dns NOT source=stream:Splunk_*

I added the following to local/eventtypes.conf and it resolved the issue:

[stream_dns]
search = sourcetype=stream:dns

Now the dns events return all 4 tags: communicate, dns, network, resolution
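To make the effect of that eventtype change concrete, here is an added example (not code from the reply above or from the Stream add-on) that evaluates the two eventtype searches against constructed event metadata and derives the resulting tags. It assumes a tags.conf shape with a broad eventtype tagging every stream:* event "communicate" and "network" (which would explain why only those two tags appeared) and the stream_dns eventtype carrying "dns", "network" and "resolution"; the source values ("stream:Splunk_DNS", "stream:my_dns") are made up, and the search evaluator only understands ANDed field=glob terms with an optional NOT, which is all these two searches use.

```python
import fnmatch

# eventtypes.conf searches quoted in the reply above: the shipped default and
# the local override.
DEFAULT_STREAM_DNS = "sourcetype=stream:dns NOT source=stream:Splunk_*"
FIXED_STREAM_DNS = "sourcetype=stream:dns"

# Constructed event metadata (not from the thread). The Stream forwarder sets
# source to "stream:<stream name>"; "Splunk_DNS" stands in for a default stream.
EVENTS = {
    "custom_stream": {"source": "stream:my_dns", "sourcetype": "stream:dns"},
    "default_stream": {"source": "stream:Splunk_DNS", "sourcetype": "stream:dns"},
    "http": {"source": "stream:Splunk_HTTP", "sourcetype": "stream:http"},
}

# ASSUMED tags.conf shape: a broad eventtype that tags all stream:* events
# "communicate" and "network", plus stream_dns with the three tags the
# Network Resolution data model constraint needs.
TAGS = {
    "stream_all": ["communicate", "network"],
    "stream_dns": ["dns", "network", "resolution"],
}
DEFAULT_EVENTTYPES = {"stream_all": "sourcetype=stream:*", "stream_dns": DEFAULT_STREAM_DNS}
FIXED_EVENTTYPES = {"stream_all": "sourcetype=stream:*", "stream_dns": FIXED_STREAM_DNS}

# Network_Resolution.DNS root constraint: tag=network tag=resolution tag=dns
DNS_MODEL_TAGS = {"dns", "network", "resolution"}


def matches(search, event):
    """Evaluate a minimal eventtype search: space-separated field=glob terms,
    implicitly ANDed, each optionally preceded by NOT. Matching is
    case-insensitive, as Splunk's is for these field values."""
    negate = False
    for token in search.split():
        if token.upper() == "NOT":
            negate = True
            continue
        field, _, pattern = token.partition("=")
        value = str(event.get(field, "")).lower()
        hit = fnmatch.fnmatchcase(value, pattern.lower())
        if hit == negate:  # a plain term that missed, or a NOT term that hit
            return False
        negate = False
    return True


def tags_for(event, eventtypes):
    """Collect the tags of every eventtype whose search matches the event."""
    tags = set()
    for name, search in eventtypes.items():
        if matches(search, event):
            tags.update(TAGS.get(name, ()))
    return sorted(tags)


def in_dns_model(event, eventtypes):
    """True when the event carries all tags the DNS data model constraint requires."""
    return DNS_MODEL_TAGS <= set(tags_for(event, eventtypes))


if __name__ == "__main__":
    for label, event in EVENTS.items():
        for cfg_name, cfg in (("default", DEFAULT_EVENTTYPES), ("fixed", FIXED_EVENTTYPES)):
            print(f"{label:15s} {cfg_name:8s} tags={tags_for(event, cfg)} "
                  f"in_model={in_dns_model(event, cfg)}")
```

With the default search, an event whose source is stream:Splunk_DNS gets only the two broad tags and never reaches Network_Resolution.DNS, while an event from a custom-named stream does; after the local override both reach it. The HTTP event is unaffected either way, which is the check to keep in mind when widening an eventtype: the override should not start pulling unrelated sourcetypes into the DNS model.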


akhalfan
Engager

For this query

index= sourcetype="stream:dns" | stats count by tag

only the DNS tag appears (makes sense since it is the only one I actually tagged in the event types).

The index is whitelisted. However, I noticed that for the following search:

index=<dns_index> datamodel=Network_Resolution.DNS  where DNS.message_type=QUERY

I get "no results found".


zacharychristen
Path Finder

When you look at your installed apps do you see the Splunk Stream Add-on or do you just see the App?


akhalfan
Engager

Installing the add-on fixed it; I don't need to install the app.
Thanks.
