Splunk Enterprise Security

Splunk App for Enterprise Security tag=change for WinEventLog incorrect


So it appears that the built-in tagging and field enrichment for the Splunk App for Enterprise Security is poorly configured.

For the Change Analysis CIM, I was pleased to see Windows events being tagged on ES.

However, the field enrichment is totally off.

Pay particular attention to:

user - The user or entity performing the change (can be UID or PID).
object - Name of the affected object on the resource (such as a router interface, user account, or server volume).
object_category - Generic name for the class of the updated resource object. Expected values may be specific to an App.
src_user - The resource where the change was originated. May be aliased from more specific fields, such as src_host, src_ip, or src_name.

When this Windows event arrives where:

ad_jus = the admin user creating the user
JSMITH = the user being created

09/10/2015 12:09:45 PM
SourceName=Microsoft Windows security auditing.
TaskCategory=User Account Management
Keywords=Audit Success
Message=A user account was created.

    Security ID:            PROD\ad_jus
    Account Name:           ad_jus
    Account Domain:         PRODUCTION
    Logon ID:               0x3ff7132B5B

New Account:
    Security ID:            PROD\JSMITH
    Account Name:           JSMITH
    Account Domain:         PRODUCTION

    SAM Account Name:       JSMITH
    Display Name:           John Smith
    User Principal Name:    JSMITH@production.prod
    Home Directory:         \\production.prod\fsroot\UserData\JSMITH
    Home Drive:             H:
    Script Path:            -
    Profile Path:           -
    User Workstations:      -
    Password Last Set:      <never>
    Account Expires:        <never>
    Primary Group ID:       513
    Allowed To Delegate To: -
    Old UAC Value:          0x0
    New UAC Value:          0x11
    User Account Control:
        Account Disabled
        'Normal Account' - Enabled
    User Parameters:        -
    SID History:            -
    Logon Hours:            <value not set>

Additional Information:

In Enterprise Security the fields are extracted as follows:

user = JSMITH
object = WinEventLog:Security
object_category = user
src_user = ad_jus

Seems to me, based on the CIM, it should be:

user = ad_jus
object = JSMITH
object_category = user
src_user = ad_jus

Ideally I could try having custom local props and transforms in Splunk_TA_windows to fix this issue, but seeing as Splunk ES is a paid product, I would have thought it should probably be fixed for all customers. I am not sure if this affects other EventCodes related to Windows user management, but it likely does.

I am posting this here so support can have a reference to the issue.

If anyone knows of a good quick solution please let me know.


  • Splunk TA Windows Build 261729
  • Splunk ES version 3.3.0


Enterprise Security deployments always need tuning and tweaking. This tuning is usually a major portion of a professional services engagement when they are deploying the Enterprise Security app. Most of the technology add-ons that are put out by Splunk are pretty good, but they all usually require some customization at deployment time. I would validate that the version of the TA that you are using is the most recent. Sometimes the version that is bundled with Enterprise Security isn't the latest and greatest and you will find an updated version out on Splunkbase. Other times, you may have to add a local/props.conf with an alias or an extract statement etc.


Also, it appears that the field 'result' from the CIM should be aliased to Message.

'result' is absent in the field extractions.
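As an added example (not code from the original thread or from Splunk_TA_windows), the following Python parser applies the mapping the question argues for and the 'result' alias from the follow-up comment to a 4720 event: it tells the Subject's "Account Name:" apart from the New Account's by splitting on the section header, which is exactly the distinction the shipped extraction gets wrong. SAMPLE_EVENT is a constructed copy of the event above with the standard "Subject:" header restored; the function name and the section-splitting approach are this example's own, not the TA's.

```python
import re

# Constructed sample modelled on the 4720 event quoted in the post (not a live
# log); the standard "Subject:" header precedes the actor's block.
SAMPLE_EVENT = """\
09/10/2015 12:09:45 PM
SourceName=Microsoft Windows security auditing.
TaskCategory=User Account Management
Keywords=Audit Success
Message=A user account was created.

Subject:
    Security ID:      PROD\\ad_jus
    Account Name:     ad_jus
    Account Domain:   PRODUCTION
    Logon ID:         0x3ff7132B5B

New Account:
    Security ID:      PROD\\JSMITH
    Account Name:     JSMITH
    Account Domain:   PRODUCTION
    SAM Account Name: JSMITH
"""

# Anchored at line start so "SAM Account Name:" is not mistaken for "Account Name:".
ACCOUNT_NAME = re.compile(r"^\s*Account Name:\s*(\S+)", re.MULTILINE)
MESSAGE = re.compile(r"^Message=(.*)$", re.MULTILINE)


def cim_change_fields(event: str) -> dict:
    """Map a 4720 event to Change Analysis fields as the post argues they should
    be: the Subject account is the actor (user, src_user), New Account is object."""
    # Splitting on the section header is what keeps the two "Account Name:" lines
    # (actor vs. created account) apart; a flat key=value extraction cannot.
    head, sep, tail = event.partition("New Account:")
    if not sep:
        raise ValueError("not a 4720-style event: no New Account section")
    actor, target = ACCOUNT_NAME.search(head), ACCOUNT_NAME.search(tail)
    if not actor or not target:
        raise ValueError("Account Name missing from Subject or New Account")
    msg = MESSAGE.search(event)
    return {
        "user": actor.group(1),       # who performed the change
        "object": target.group(1),    # the account that was created
        "object_category": "user",
        "src_user": actor.group(1),
        "result": msg.group(1).strip() if msg else None,  # the comment's Message alias
    }
```

The same two anchored regexes, with the message split at "New Account:", are what a local props.conf extraction for this EventCode has to reproduce; a single unanchored "Account Name" capture will keep returning the created account as user.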
