Hello team: I am working on the Splunk Endpoint Data Model and I have Windows audit logs in Splunk.
My concern is, if I were to use the Splunk Endpoint Data Model with Windows logs, how do I properly map the Windows
Process_Name vs New_Process_Name vs Object_Name vs Caller_Process_Name vs Target_Process_Name fields to what the Endpoint data model is expecting, like
parent_process_exec, parent_process_path, process_current_directory, process_exec, process_path. Apart from these there are eval-expressed fields like process and process_name, provided by default from the CIM app.
My understanding is that Endpoint is expecting Sysmon fields to be matched. However, I am trying to see how I can map my default Windows fields to the Endpoint Data Model's expected fields. If so, how do I map parent_process and child_process? Is there any mapping that I can rely on, or is there any standard that someone else is following?
Hi Lakshman, thanks for the quick response.
Sysmon: management wouldn't want to proceed because of the utilization that it can incur.
However, for my situation above, we are using ES with Content Update correlation searches. I am sure the Windows audit logs would also be mapped to the respective process and process name logs with the generic data model. Do you have a standard or reference for the mapping so that I can map the Windows audit logs to it?
Or is the only option to have Sysmon, or to create a new data model altogether with the Windows extracted fields? Eventually we would have to recreate all the correlations and figure out which field goes where. Hope you got my concern.
Hello, did you find a method to map the CommandLine attribute of Windows events?
Windows Event 4688 + tick the Command Line logging
sourcetype : props.conf setting | CIM field | eval expression |
wineventlog : EVAL-parent_process_id | parent_process_id | Creator_Process_ID |
wineventlog : EVAL-parent_process_name | parent_process_name | case(EventCode=="4688", replace(Creator_Process_Name,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)","")) |
wineventlog : EVAL-parent_process_path | parent_process_path | Creator_Process_Name |
wineventlog : EVAL-process_command_line | process_command_line | Process_Command_Line |
wineventlog : EVAL-process_id | process_id | New_Process_ID |
wineventlog : EVAL-process_name | process_name | case(EventCode=="4688",replace(New_Process_Name,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"") |
wineventlog : EVAL-process_path | process_path | case(EventCode=="4688",New_Process_Name) |
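As an added illustration (not code from this thread or from the Splunk TA), the same 4688-to-Endpoint.Processes mapping expressed in Python, run against a constructed sample of the fields Splunk extracts from a 4688 event; the path-stripping regex is a plain equivalent of the replace() calls above, and a missing Creator_Process_Name (older Windows builds do not log it) is handled rather than raising.

```python
import re

# Constructed sample of the fields extracted from a Windows Security
# EventCode 4688 event with command line logging enabled (values are made up).
SAMPLE_4688 = {
    "EventCode": "4688",
    "New_Process_ID": "0x1a2c",
    "New_Process_Name": "C:\\Windows\\System32\\cmd.exe",
    "Process_Command_Line": "cmd.exe /c whoami",
    "Creator_Process_ID": "0x0f44",
    "Creator_Process_Name": "C:\\Windows\\explorer.exe",
}

# Everything up to and including the last backslash; what remains is the
# executable name, which is what the eval replace() above keeps.
_LEADING_PATH = re.compile(r"^.*\\")


def basename(path):
    """Strip the directory part of a Windows path; None stays None."""
    if path is None:
        return None
    return _LEADING_PATH.sub("", path)


def map_4688_to_endpoint(event):
    """Return the Endpoint.Processes CIM fields for a 4688 event.

    Events with any other EventCode yield an empty mapping, mirroring the
    case(EventCode=="4688", ...) guards in the props.conf evals.
    """
    if event.get("EventCode") != "4688":
        return {}
    return {
        "process_id": event.get("New_Process_ID"),
        "process_path": event.get("New_Process_Name"),
        "process_name": basename(event.get("New_Process_Name")),
        "process_command_line": event.get("Process_Command_Line"),
        "parent_process_id": event.get("Creator_Process_ID"),
        # Creator_Process_Name is absent on older Windows versions; the
        # parent fields then come back as None instead of failing.
        "parent_process_path": event.get("Creator_Process_Name"),
        "parent_process_name": basename(event.get("Creator_Process_Name")),
    }


if __name__ == "__main__":
    for field, value in map_4688_to_endpoint(SAMPLE_4688).items():
        print(f"{field:22s} = {value}")
```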
Windows audit logs have the process name and command line arguments (EventCode 4688), but you wouldn't be able to get the parent process ID. As far as I know, using just Windows logs, it is very difficult/not possible to link a child to its parent process. You would need solutions like Sysmon. If you look at the Content Update app, for some of the use cases it will suggest tools like CrowdStrike Falcon, Carbon Black, etc., which can provide additional logs; using Windows events alone will not meet some use cases.
Hi Lakshman, thanks for the clarification. Last question: how would we map the rest of the datasets, like Filesystem or Ports, correctly to the Windows event log? Shouldn't the standard Windows TA pick up the information? However, I find the tags to be different and not populating any event. Your assistance would be much appreciated. Thanks
Generally, the TA could support Ports and Filesystem monitoring, but it's best that you check against your version and the release notes. Looking at https://docs.splunk.com/Documentation/WindowsAddOn/6.0.0/User/SourcetypesandCIMdatamodelinfo, I couldn't see Endpoint, but if you look at the default/tags.conf file within the TA, it does support ports [listening and ports]. So, please review that, and if you onboard/monitor filesystem changes and don't see an eventtype and tags, you can create one, associate it with your events and map it to the Endpoint data model.
Thanks Lakshman, for all your suggestions.
If you are using Windows security logs/audit logs, you wouldn't have the parent process in the logs and hence you wouldn't be able to map it. As you said, you may need Sysmon or other products to provide you with that.