Splunk Enterprise Security

Splunk Add-on for Windows v6 - Transition Experiences Requested

dstaulcu
Builder

Our team just transitioned from Splunk Add-on for Windows v4 to v5. Changing references to sourcetypes among knowledge objects (KOs) (savedsearches, dashboards, data models, and notables) was a hassle, but we got through it with a little bit of automation. The idea of moving to Splunk app for Windows v6 is daunting due to requirements to change references to field names among those same KO types, where the field names to replace are far less predictable. Our search heads have over 1000 KOs which reference the xmlWinEventLog sourcetype.

Has anyone made the transition to Splunk Add-on for Windows v6? If so:
- What are some benefits of the change to get excited about?

- Approximately how many knowledge objects did you have to adjust to support the new schema?
- What was your strategy to prepare knowledge objects for the change?
- Did you experience search time performance degradation due to increased number of lookups and XML-based search time field extraction?

Aside from the transition headache, I'm excited that search results for XML-based Windows security logs will have less ambiguous field names. For example, instead of "Account_Name" being a multi-value field, the XML-based output will have field names with improved context such as SubjectUserName and TargetUserName. Having consistency in field name extraction for such important events/fields will enable more innovation in modeling and monitoring and in turn improve incident response and overall security.

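As an added example (not code from either poster), the script below does the inventory step the first post describes before any bulk edit: it parses savedsearches.conf, keeps only the searches that filter on the xmlWinEventLog sourcetype, and lists the legacy field names each one uses, separating a one-to-one rename from the Account_Name case, which splits into SubjectUserName or TargetUserName and needs a human to decide per search. The .conf content is constructed, and the field mapping is a stub: only the Account_Name entry comes from the post, the Source_Network_Address entry is an assumed placeholder so the unambiguous branch has something to act on. Replace the mapping with the one for your own add-on version.

```python
"""Inventory Splunk knowledge objects that need edits for a field-schema change.

Added example, not from the original thread. The .conf text is constructed and the
legacy-to-new field mapping is a stub: only the Account_Name entry comes from the post,
the Source_Network_Address entry is assumed for illustration. Fill it from your add-on.
"""
import re
from typing import Dict, List, Tuple

# Constructed savedsearches.conf content (not from any real deployment).
SAMPLE_SAVEDSEARCHES = r'''
[Failed Logons by Account]
search = index=wineventlog sourcetype=XmlWinEventLog EventCode=4625 \
| stats count by Account_Name, Source_Network_Address
cron_schedule = */15 * * * *

[Account Lockouts]
search = sourcetype="XmlWinEventLog" EventCode=4740 | table _time, Account_Name, Caller_Computer_Name

[Classic Failed Logons]
# Non-XML sourcetype: Account_Name is still valid here and must not be flagged.
search = sourcetype=WinEventLog EventCode=4625 | stats count by Account_Name

[Linux SSH Failures]
search = sourcetype=linux_secure "Failed password" | stats count by user
'''

# Legacy field -> candidate new field(s). Two candidates means a human must pick one.
LEGACY_FIELDS: Dict[str, List[str]] = {
    "Account_Name": ["SubjectUserName", "TargetUserName"],   # from the post
    "Source_Network_Address": ["IpAddress"],                 # assumed placeholder
}


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf syntax: [stanza] headers, key = value, backslash continuations."""
    joined = re.sub(r"\\\r?\n", " ", text)  # fold continued lines into one value
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def references_sourcetype(spl: str, sourcetype: str) -> bool:
    """True if the SPL filters on exactly this sourcetype (quoted or bare, any case).

    Sub-sourcetypes such as XmlWinEventLog:Security are deliberately not matched.
    """
    pattern = r'sourcetype\s*=\s*"?' + re.escape(sourcetype) + r'"?(?=[\s|)]|$)'
    return re.search(pattern, spl, re.IGNORECASE) is not None


def _field_pattern(name: str) -> "re.Pattern[str]":
    # Whole-token match so Account_Name does not hit e.g. Target_Account_Name.
    return re.compile(r"(?<![\w.])" + re.escape(name) + r"(?![\w.])")


def find_legacy_fields(spl: str, mapping: Dict[str, List[str]] = LEGACY_FIELDS) -> Dict[str, List[str]]:
    """Return the legacy fields a search uses, with their candidate replacements."""
    return {legacy: cands for legacy, cands in mapping.items() if _field_pattern(legacy).search(spl)}


def rewrite_search(spl: str, mapping: Dict[str, List[str]] = LEGACY_FIELDS) -> Tuple[str, List[str]]:
    """Apply one-to-one renames; leave ambiguous fields untouched and report them."""
    deferred: List[str] = []
    for legacy, cands in find_legacy_fields(spl, mapping).items():
        if len(cands) == 1:
            spl = _field_pattern(legacy).sub(cands[0], spl)
        else:
            deferred.append(legacy)
    return spl, deferred


def inventory(conf_text: str, sourcetype: str = "XmlWinEventLog",
              mapping: Dict[str, List[str]] = LEGACY_FIELDS) -> List[Tuple[str, str, str]]:
    """One row (stanza, legacy_field, action) per edit needed in searches on the sourcetype."""
    rows: List[Tuple[str, str, str]] = []
    for name, attrs in parse_conf(conf_text).items():
        spl = attrs.get("search", "")
        if not references_sourcetype(spl, sourcetype):
            continue
        for legacy, cands in find_legacy_fields(spl, mapping).items():
            action = f"rename -> {cands[0]}" if len(cands) == 1 else "manual: " + " or ".join(cands)
            rows.append((name, legacy, action))
    return rows


if __name__ == "__main__":
    for row in inventory(SAMPLE_SAVEDSEARCHES):
        print("\t".join(row))
```

Point it at each app's local/savedsearches.conf under $SPLUNK_HOME/etc/apps on the search head to get a per-stanza worklist; the classic WinEventLog stanza is deliberately left alone because the rename only applies to searches on the XML sourcetype. Dashboards, data models and correlation searches stored as XML or JSON need their own parser, but the same field-matching and rename helpers apply to the SPL they contain.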

richardphung
Communicator

I am in the process of planning a v5 to v6 upgrade and have similar questions.
The key difference (and main sticking point) is that v6 has the MSAD v1 inputs built in. So you essentially combine any input stanzas into your local and shut down one TA in favor of a bundled TA. A good friend from the Splunk team also recommended disabling XML rendering due to performance degradation, but that this may change in the future.
*Following this thread.
