Splunk Enterprise Security

Splunk App for Enterprise Security tag=change for WinEventLog incorrect

So it appears that the built-in tagging and field enrichment for the Splunk App for Enterprise Security is poorly configured.

For the Change Analysis CIM, I was pleased to see Windows events being tagged on ES
http://docs.splunk.com/Documentation/CIM/4.2.0/User/ChangeAnalysis

However, the field enrichment is totally off.

Pay particular attention to

user - The user or entity performing the change (can be UID or PID).    
object - Name of the affected object on the resource (such as a router interface, user account, or server volume).
object_category - Generic name for the class of the updated resource object. Expected values may be specific to an App.
src_user - The resource where the change was originated. May be aliased from more specific fields, such as src_host, src_ip, or src_name.

When this Windows event arrives where:

ad_jus = the admin user creating the user
JSMITH = the user being created

09/10/2015 12:09:45 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4720
EventType=0
Type=Information
ComputerName=ADSVR1.production.prod
TaskCategory=User Account Management
OpCode=Info
RecordNumber=2472352
Keywords=Audit Success
Message=A user account was created.

Subject:
        Security ID:            PROD\ad_jus
        Account Name:           ad_jus
        Account Domain:         PRODUCTION
        Logon ID:               0x3ff7132B5B

New Account:
        Security ID:            PROD\JSMITH
        Account Name:           JSMITH
        Account Domain:         PRODUCTION

Attributes:
        SAM Account Name:       JSMITH
        Display Name:           John Smith
        User Principal Name:    JSMITH@production.prod
        Home Directory:         \\production.prod\fsroot\UserData\JSMITH
        Home Drive:             H:
        Script Path:            -
        Profile Path:           -
        User Workstations:      -
        Password Last Set:      <never>
        Account Expires:        <never>
        Primary Group ID:       513
        Allowed To Delegate To: -
        Old UAC Value:          0x0
        New UAC Value:          0x11
        User Account Control:
                Account Disabled
                'Normal Account' - Enabled
        User Parameters:        -
        SID History:            -
        Logon Hours:            <value not set>

Additional Information:
        Privileges

In Enterprise Security the fields are extracted as follows:

user = JSMITH
object = WinEventLog:Security
object_category = user
src_user = ad_jus

Seems to me, based on the CIM, it should be:

user = ad_jus
object = JSMITH
object_category = user
src_user = ad_jus

Ideally I could try having custom local props and transforms in SplunkTAwindows to fix this issue, but seeing as Splunk ES is a paid product, I would have thought it should probably be fixed for all customers. I am not sure if this affects other EventCodes related to Windows user management, but it likely does.

I am posting this here so support can have a reference to the issue.

If anyone knows of a good quick solution please let me know.

Using

  • Splunk TA Windows Build 261729
  • Splunk ES version 3.3.0

Re: Splunk App for Enterprise Security tag=change for WinEventLog incorrect

Also it appears that the field 'result' from the CIM should be aliased to Message.

'result' is absent in the field extractions.

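As a worked example of the mapping argued for in the original post and in the follow-up about 'result' (added here; this is not code from the thread, from Splunk ES, or from the Windows TA), the parser below runs PCRE-compatible regexes over a constructed copy of the EventCode 4720 event and returns the CIM Change Analysis fields with user and src_user taken from the Subject block, object from the New Account block, and result aliased from Message. The transforms.conf and props.conf stanza names in the comments are assumed examples, not settings from any shipped add-on. It also goes one step beyond the post: the constructed 4726-style fragment shows the same extraction covering the "Target Account:" block that other account-management events use, which the post only speculates might be affected.

```python
import re

# Constructed sample: the EventCode 4720 event from the post, trimmed to the
# lines the extraction needs, with the field whitespace normalised to tabs.
SAMPLE_4720 = (
    "09/10/2015 12:09:45 PM\n"
    "LogName=Security\n"
    "EventCode=4720\n"
    "ComputerName=ADSVR1.production.prod\n"
    "TaskCategory=User Account Management\n"
    "Keywords=Audit Success\n"
    "Message=A user account was created.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tPROD\\ad_jus\n"
    "\tAccount Name:\t\tad_jus\n"
    "\tAccount Domain:\t\tPRODUCTION\n"
    "\tLogon ID:\t\t0x3ff7132B5B\n"
    "\n"
    "New Account:\n"
    "\tSecurity ID:\t\tPROD\\JSMITH\n"
    "\tAccount Name:\t\tJSMITH\n"
    "\tAccount Domain:\t\tPRODUCTION\n"
    "\n"
    "Attributes:\n"
    "\tSAM Account Name:\tJSMITH\n"
    "\tDisplay Name:\t\tJohn Smith\n"
)

# Constructed 4726-style (account deleted) fragment: other account-management
# events label the affected account "Target Account:" instead of "New Account:".
SAMPLE_4726 = (
    "EventCode=4726\n"
    "Message=A user account was deleted.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tPROD\\ad_jus\n"
    "\tAccount Name:\t\tad_jus\n"
    "\tAccount Domain:\t\tPRODUCTION\n"
    "\n"
    "Target Account:\n"
    "\tSecurity ID:\t\tPROD\\JSMITH\n"
    "\tAccount Name:\t\tJSMITH\n"
    "\tAccount Domain:\t\tPRODUCTION\n"
)

# The patterns are PCRE-compatible, so the same text could be used as a
# transforms.conf REGEX (assumed example stanzas, not from any shipped TA):
#   [cim_change_actor]   REGEX = <SUBJECT_RE>  FORMAT = user::$1 src_user::$1
#   [cim_change_object]  REGEX = <TARGET_RE>   FORMAT = object::$1
# wired into props.conf with REPORT-cim_change = cim_change_actor, cim_change_object
# and the follow-up's alias as FIELDALIAS-cim_result = Message AS result.
ACCOUNT_NAME = r"\s+Security ID:[ \t]*[^\r\n]*\s+Account Name:[ \t]*([^\r\n]+?)[ \t]*(?:\r?\n|$)"
SUBJECT_RE = re.compile(r"Subject:" + ACCOUNT_NAME)                 # who made the change
TARGET_RE = re.compile(r"(?:New|Target) Account:" + ACCOUNT_NAME)  # which account was changed
MESSAGE_RE = re.compile(r"^Message=([^\r\n]*)", re.MULTILINE)

# What the post reports ES 3.3.0 actually extracting for this event.
STOCK_ES_FIELDS = {
    "user": "JSMITH",
    "object": "WinEventLog:Security",
    "object_category": "user",
    "src_user": "ad_jus",
}


def cim_change_fields(event: str) -> dict:
    """Map a Windows account-management event onto the CIM Change Analysis fields
    as the post argues they should read: user and src_user from the Subject block,
    object from the New/Target Account block, result from Message."""
    subject = SUBJECT_RE.search(event)
    target = TARGET_RE.search(event)
    if not (subject and target):
        return {}  # not an account-management event with both blocks: leave it untagged
    actor = subject.group(1)
    message = MESSAGE_RE.search(event)
    return {
        "user": actor,
        "object": target.group(1),
        "object_category": "user",
        "src_user": actor,
        "result": message.group(1) if message else "",
    }


def mismatched_fields(stock: dict, corrected: dict) -> list:
    """Names of the fields whose stock ES value differs from the corrected mapping."""
    return sorted(k for k in stock if stock[k] != corrected.get(k))


if __name__ == "__main__":
    fields = cim_change_fields(SAMPLE_4720)
    for name, value in fields.items():
        print(f"{name} = {value}")
    print("fields the stock extraction gets wrong:", mismatched_fields(STOCK_ES_FIELDS, fields))
```

The Subject and New/Target Account blocks are located by anchoring on their header line and the Security ID line that immediately follows, so an "Account Name:" from a different block can never be picked up; an event that lacks either block returns an empty mapping rather than a half-populated one.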

Re: Splunk App for Enterprise Security tag=change for WinEventLog incorrect


Enterprise Security deployments always need tuning and tweaking. This tuning is usually a major portion of a professional services engagement when they are deploying the Enterprise Security app. Most of the technology add-ons that are put out by Splunk are pretty good, but they all usually require some customization at deployment time. I would validate that the version of the TA that you are using is the most recent. Sometimes the version that is bundled with Enterprise Security isn't the latest and greatest, and you will find an updated version out on Splunkbase. Other times, you may have to add a local/props.conf with an alias or an extract statement, etc.