So it appears that the built-in tagging and field enrichment for the Splunk App for Enterprise Security are poorly configured.
For the Change Analysis CIM, I was pleased to see Windows events being tagged on ES
http://docs.splunk.com/Documentation/CIM/4.2.0/User/ChangeAnalysis
However, the field enrichment is totally off.
Pay particular attention to
user - The user or entity performing the change (can be UID or PID).
object - Name of the affected object on the resource (such as a router interface, user account, or server volume).
object_category - Generic name for the class of the updated resource object. Expected values may be specific to an App.
src_user - The resource where the change was originated. May be aliased from more specific fields, such as src_host, src_ip, or src_name.
When this Windows event arrives where:
ad_jus = the admin user creating the user
JSMITH = the user being created
09/10/2015 12:09:45 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4720
EventType=0
Type=Information
ComputerName=ADSVR1.production.prod
TaskCategory=User Account Management
OpCode=Info
RecordNumber=2472352
Keywords=Audit Success
Message=A user account was created.
Subject:
Security ID: PROD\ad_jus
Account Name: ad_jus
Account Domain: PRODUCTION
Logon ID: 0x3ff7132B5B
New Account:
Security ID: PROD\JSMITH
Account Name: JSMITH
Account Domain: PRODUCTION
Attributes:
SAM Account Name: JSMITH
Display Name: John Smith
User Principal Name: JSMITH@production.prod
Home Directory: \\production.prod\fsroot\UserData\JSMITH
Home Drive: H:
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
Allowed To Delegate To: -
Old UAC Value: 0x0
New UAC Value: 0x11
User Account Control:
Account Disabled
'Normal Account' - Enabled
User Parameters: -
SID History: -
Logon Hours: <value not set>
Additional Information:
Privileges
In Enterprise Security the fields are extracted as follows:
user = JSMITH
object = WinEventLog:Security
object_category = user
src_user = ad_jus
Seems to me, based on the CIM, it should be:
user = ad_jus
object = JSMITH
object_category = user
src_user = ad_jus
Ideally I could try having custom local props and transforms in Splunk_TA_windows to fix this issue, but seeing as Splunk ES is a paid product, I would have thought it should probably be fixed for all customers. I am not sure if this affects other EventCodes related to Windows user management, but it likely does.
I am posting this here so support can have a reference to the issue.
If anyone knows of a good quick solution please let me know.
Using
Enterprise Security deployments always need tuning and tweaking. This tuning is usually a major portion of a professional services engagement when deploying the Enterprise Security app. Most of the technology add-ons that are put out by Splunk are pretty good, but they all usually require some customization at deployment time. I would validate that the version of the TA that you are using is the most recent. Sometimes the version that is bundled with Enterprise Security isn't the latest and greatest, and you will find an updated version out on Splunkbase. Other times, you may have to add a local/props.conf with an alias or an extract statement, etc.
Also, it appears that the field 'result' from the CIM should be aliased to Message.
'result' is absent in the field extractions.
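As a constructed example of the local/props.conf approach the answer mentions (not from this thread, from Splunk, or from Splunk_TA_windows), the stanza below produces the mapping the question asks for on EventCode 4720 and adds the 'result' alias from the follow-up comment; it also accepts the "Target Account:" block used by the other user-management event codes. The stanza header, the class names, the change_actor/change_target field names and the assumption that the TA already extracts a Message field are all assumptions.

```ini
# Splunk_TA_windows/local/props.conf (constructed example; stanza and class names are assumptions)
# Assumes Security events arrive with source WinEventLog:Security, as in the sample event.
[source::WinEventLog:Security]

# Subject block = who performed the change. The "Account Name" under "Subject:" is the
# actor (ad_jus in the sample), which the Change Analysis CIM maps to user.
EXTRACT-cim_change_actor = (?ms)^\s*Subject:.*?Account Name:\s+(?<change_actor>[^\r\n]+?)\s*$

# Target block = what was changed. 4720 uses "New Account:"; the other user-management
# codes (4722, 4725, 4726, 4738, ...) use "Target Account:", so both headers are accepted.
EXTRACT-cim_change_target = (?ms)^\s*(?:New Account|Target Account):.*?Account Name:\s+(?<change_target>[^\r\n]+?)\s*$

# Calculated fields run after the TA's own extractions and replace an existing value,
# so user becomes the actor and object the target only when those blocks are present;
# other event codes keep whatever the TA already set. If default/props.conf already
# defines EVAL-user or EVAL-object for this stanza, these lines override it.
EVAL-user   = if(isnotnull(change_actor),  change_actor,  user)
EVAL-object = if(isnotnull(change_target), change_target, object)

# The follow-up comment's suggestion: expose the TA's Message field as CIM result.
# Assumes the TA already extracts Message; otherwise result stays empty.
FIELDALIAS-cim_result = Message AS result

# Verification search (SPL) after a debug/refresh; for the sample event this should show
# user=ad_jus object=JSMITH object_category=user src_user=ad_jus:
#   source="WinEventLog:Security" EventCode=4720
#   | table _time user object object_category src_user result
```

Before deploying, try each regex against real events with `| rex field=_raw "..."` in a search, since indentation and line endings in raw Windows events differ between collection methods.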