Splunk Enterprise Security

How to properly map windows Endpoint DataModel with Windows logs?

sr_dhinesh
Path Finder

Hello team: i am working on Splunk Endpoint Data Model and i have windows audit logs in splunk.
My concern is if i were to use the Splunk Endpoint Data Model with Windows logs how do i properly map windows

Process_Names vs New_Process_Name Vs Object_Name Vs Caller_Process_Name vs Target_Process_Name fields to that of what the Endpoint DataModel is expecting like

parent_process_exec, parent_process_path, process_current_directory, process_exec, process_path. apart from these there are eval expressed fields like process, process_name by default from CIM App

My understanding is Endpoint is expecting sysmon fields to be matched. However i am trying to see how i can map my windows default fields to Endpoint Data Model expected fields. IF so how do i map parent_process and child_process, is there any mapping that i can rely on. Or is there any standard that someone else is following.

0 Karma
1 Solution

sr_dhinesh
Path Finder

Hi Lakshman, Thanks for the quick response.
Sysmon the management wouldnt want to proceed because of the utilization that it can incur.
However for my situation above, we are using ES with content update corelation searches, am sure the windows audit logs also would be mapped to the respective processes and processname logs with the generic data model. Do you have a standard or reference to map so that i can map the windows audit logs to it.

OR the only option is to have sysmon or create a new data model altogether instead with windows extracted fields but eventually we will have to recreate all the corelations and need to figure out which field will go where. Hope you got my concern

View solution in original post

0 Karma

riccardo_spl
Explorer

Hello, did you find a method to map the CommandLine attribute of Windows events?

0 Karma

Kz
Engager

Windows Event 4688 + tick the Command Line logging

wineventlog : EVAL-parent_process_id

parent_process_id

Creator_Process_ID

wineventlog : EVAL-parent_process_name

parent_process_name

case(EventCode=="4688", replace(Creator_Process_Name,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""))

wineventlog : EVAL-parent_process_path

parent_process_path

Creator_Process_Name

wineventlog : EVAL-process_command_line

process_command_line

Process_Command_Line

wineventlog : EVAL-process_id

process_id

New_Process_ID

wineventlog : EVAL-process_name

process_name

case(EventCode=="4688",replace(New_Process_Name,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"")

wineventlog : EVAL-process_path

process_path

case(EventCode=="4688",New_Process_Name)

sr_dhinesh
Path Finder

Hi Lakshman, Thanks for the quick response.
Sysmon the management wouldnt want to proceed because of the utilization that it can incur.
However for my situation above, we are using ES with content update corelation searches, am sure the windows audit logs also would be mapped to the respective processes and processname logs with the generic data model. Do you have a standard or reference to map so that i can map the windows audit logs to it.

OR the only option is to have sysmon or create a new data model altogether instead with windows extracted fields but eventually we will have to recreate all the corelations and need to figure out which field will go where. Hope you got my concern

0 Karma

lakshman239
SplunkTrust
SplunkTrust

windows audit logs have process name and command line arguments (EventCode 4688), but you wouldn't be able to get parent process id. As far as I know, using just windows logs, it very difficult/not possible to link child to parent process. you would need solutions like sysmon. If you look at content update app, for some of the use case it will suggest tools like crowdsrike, falcon, carbon black etc.. which can provide additional logs, where using windows events alone will not meet some use cases.

0 Karma

sr_dhinesh
Path Finder

Hi Lakshman, thanks for the clarification, last question, how would we map the rest of the datasets like filesystem or ports to map it correctly to windows event log. Shouldnt the standard windows TA pickup the information. However i find the tags to be different and not populating any event, Your assistance would be much appricated. Thanks

0 Karma

lakshman239
SplunkTrust
SplunkTrust

Generally, the TA could support ports and filesystem monitoring, but its best to you check against your version and release notes. Looking at https://docs.splunk.com/Documentation/WindowsAddOn/6.0.0/User/SourcetypesandCIMdatamodelinfo, I couldn't see Endpoint, but if you look at the default/tags.conf file within the TA, it does support ports [ listening and ports]. So, pls review that and if you onboard/monitor filesystem change, if you don't see an eventtype and tags, you can create one and associate to your events and map to the Endpoint datamodel

0 Karma

sr_dhinesh
Path Finder

Thanks Lakshman, for all your suggestions

0 Karma

lakshman239
SplunkTrust
SplunkTrust

If you are using Windows security logs /audit logs, you wouldn't have parent process in the logs and hence you wouldn't be able to map them. As you said, you may need sysmon or other products to provide you that.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...